1. Act
2. Consult
3. Recover
4. Report
There are many types of cyber incidents and the appropriate action depends on identifying what type of incident your business is experiencing.
Common cybersecurity incidents include:
Malware
Malware (short for ‘malicious software’) is often used by cyber attackers to gain access to your computer systems. You might be tricked into installing malware on your device when you download an attachment or click on a link in an email sent to you by a cyber attacker.
Warning Signs
Be on the lookout for the following warning signs that your computer or other devices such as smartphones have become infected with malware:
- Unusual account activity, such as logins at unusual times from unusual locations.
- Losing access to an account because the password has been changed.
- Your device slowing down, the battery running down, or your device overheating.
- New programs or files appearing unexpectedly. You may see an unfamiliar icon in the taskbar or system tray on Windows.
- Unable to access files as you normally would.
- Strange error messages appearing.
- Suspicious pop-ups asking you to update software or download a program you don’t recognise.
Actions
If you believe your computer or other devices have become infected with malware, follow the steps below to scan your device and quarantine the malware. If you are unsure of what to do, contact a cybersecurity professional.
If the affected device is a desktop or laptop computer:
- Check that your antivirus software is up to date and running.
- Disconnect the computer from all networks and other devices to prevent the malware from spreading. Disconnect network cables and disable wireless networking. Disconnect USB hard drives. Turn off Bluetooth.
- Run a full scan of the computer using your antivirus software and follow any instructions it gives you to quarantine malware or viruses that it finds.
If your computer still seems to be affected by malware, you may need to wipe it completely and reinstall the operating system. Contact a cybersecurity expert to help with this process, so that the data critical to your business is confirmed free of malware before it is backed up and restored.
If a device such as a tablet or a smartphone has become infected with malware:
- Perform a factory reset of the device. This will wipe all data from the device, so it may be necessary to first back up any important business data. You may need to consult with a cybersecurity expert first, to make sure that all backups made are free from malware.
- Restore backed-up data to the device.
- Change passwords for any accounts that may have been compromised.
Continue to monitor your devices and systems for any suspicious activity that may have been caused by the malware attack.
Business Email Compromise
Business Email Compromise (BEC) is a type of phishing attack that targets people at a senior level in an organisation, or those with the authorisation to carry out financial transactions.
Unlike other phishing attacks that send the same fraudulent email to thousands or even millions of people, a BEC is carefully targeted at a specific person in an organisation. It may take the form of an email that seems to come from someone that the recipient normally deals with, and may even continue the thread of a previous email exchange.
Warning Signs
The email will often pressure the recipient to transfer a sum of money to an account or disclose sensitive business data. For example, you might receive an email that appears to be from your boss, asking you to transfer a sum of money urgently.
In some cases, the email may actually come from the account of a known contact: attackers may have compromised that person’s business email, allowing them to send fraudulent messages from that person’s account.
In other cases, the attackers may use an email address that is almost identical to the address of someone you know, and include corporate logos that make it look legitimate.
Because BEC emails are not sent in bulk like other phishing campaigns, they are often not caught by your email system’s filters. They may also carry malware in attachments that look authentic.
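The "almost identical address" trick described above can be checked mechanically against your address book. The following is an added example, not code from the original guidance page: it flags inbound senders whose address is a near match for a known contact (confusable characters such as "rn" for "m", or a domain one or two edits away) or whose display name matches a contact while the address does not. The contacts, domains and messages in it are constructed sample data.

```python
"""Lookalike-sender check for BEC triage.

Added example, not code from the original guidance page. The contacts,
domains and inbound messages below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed address book: address -> display name (hypothetical contacts).
KNOWN_CONTACTS = {
    "anne.murphy@acme-supplies.ie": "Anne Murphy",
    "ceo@example-company.ie": "Brian Walsh",
}

# Character substitutions commonly used to build lookalike addresses.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# How many edits a domain may differ by and still count as a lookalike.
MAX_DOMAIN_DISTANCE = 2


def fold(addr: str) -> str:
    """Lower-case an address and collapse confusable character sequences."""
    s = addr.strip().lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    suspicious: bool
    reason: str


def check_sender(display_name: str, address: str) -> Verdict:
    """Compare one inbound sender against the address book."""
    addr = address.strip().lower()
    if addr in KNOWN_CONTACTS:
        return Verdict(addr, False, "known contact")

    local, _, domain = addr.partition("@")
    for known, name in KNOWN_CONTACTS.items():
        known_local, _, known_domain = known.partition("@")
        if fold(addr) == fold(known):
            return Verdict(addr, True, f"confusable characters imitate {known}")
        if local == known_local and edit_distance(domain, known_domain) <= MAX_DOMAIN_DISTANCE:
            return Verdict(addr, True, f"lookalike domain imitates {known}")
        if display_name.strip().lower() == name.lower():
            return Verdict(addr, True, f"display name of {name} used with an unknown address")
    return Verdict(addr, False, "unknown sender (not in address book)")


# Constructed inbound messages: (display name, address).
SAMPLE_SENDERS = [
    ("Anne Murphy", "anne.murphy@acme-supplies.ie"),   # genuine contact
    ("Anne Murphy", "anne.murphy@acrne-supplies.ie"),  # 'rn' in place of 'm'
    ("Brian Walsh", "ceo@example-company.co"),         # domain two edits away
    ("Brian Walsh", "brian.walsh1982@gmail.com"),      # free-mail address, boss's name
    ("Sales Team", "sales@newvendor.ie"),              # unknown but not a lookalike
]


def triage(senders=SAMPLE_SENDERS) -> list[Verdict]:
    """Run check_sender over a batch of (display name, address) pairs."""
    return [check_sender(name, addr) for name, addr in senders]


if __name__ == "__main__":
    for v in triage():
        print("SUSPICIOUS" if v.suspicious else "ok        ", v.sender, "-", v.reason)
```

A flag from this check is a prompt to verify the request by phone or in person using a number you already hold, not proof of fraud; a genuine contact who changes email provider will also trip the display-name rule.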
Actions
You may fall victim to either side of a BEC attack – either as the person whose email is compromised or impersonated, or as the person who receives a fraudulent email.
If you believe your email has been compromised or that you have otherwise been impersonated, take the following steps:
- Secure your email account.
- Reset passwords.
- Check account recovery details (in case attackers have changed these to let themselves back into your account).
- Sign out of your email on all other devices and sessions.
- Enable MFA.
- Check your email account settings (e.g. mailbox rules).
- Check your sent and deleted items to assess what actions may have been taken by the attackers.
- If an attacker is using an email service provider such as Gmail or Hotmail to impersonate you, submit an abuse report to that service provider.
- If someone has been using a spoof domain name to impersonate you, notify An Garda Síochána and contact the registrar of the domain being used to impersonate you to request a takedown.
- Notify any contacts and third parties that may have been contacted by attackers impersonating you.
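The "check your mailbox rules" step above matters because attackers who have taken over an account commonly add rules that forward mail to an address they control, or that delete or hide replies so the victim never sees them. The following is an added example, not code from the original guidance page: it audits a list of inbox rules, in the shape you might export from a mail client or admin console, for those patterns. The organisation domain and the rules in it are constructed sample data.

```python
"""Audit mailbox rules for signs of attacker persistence.

Added example, not code from the original guidance page. The organisation
domain and the rules below are constructed sample data.
"""
from __future__ import annotations

ORG_DOMAIN = "example-company.ie"   # assumed organisation domain

# Folders that users rarely look in, so mail moved there is effectively hidden.
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                   "junk email", "archive", "conversation history"}

# Wording that suggests the rule is aimed at payment-related mail.
FINANCE_WORDS = ("invoice", "payment", "bank", "iban", "transfer", "password")


def audit_rule(rule: dict, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return the suspicious traits found in one rule (empty list if none)."""
    findings = []
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("rule has a blank or single-character name")
    for addr in rule.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != org_domain.lower():
            findings.append(f"forwards matching mail outside the organisation to {addr}")
    if rule.get("delete"):
        findings.append("deletes matching mail")
    if (rule.get("move_to") or "").strip().lower() in SUSPECT_FOLDERS:
        findings.append(f"moves matching mail to a rarely checked folder ({rule['move_to']})")
    # Finance wording on its own is normal (people file invoices); it only
    # sharpens a finding that already exists.
    if findings:
        words = sorted({w for w in FINANCE_WORDS
                        for c in rule.get("contains", []) if w in c.lower()})
        if words:
            findings.append("targets finance-related wording: " + ", ".join(words))
    return findings


def audit_mailbox(rules: list[dict], org_domain: str = ORG_DOMAIN) -> dict[str, list[str]]:
    """Map each flagged rule name to its findings; clean rules are omitted."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, org_domain)
        if findings:
            report[rule.get("name", "")] = findings
    return report


# Constructed sample rules in the shape the functions above expect.
SAMPLE_RULES = [
    {"name": "Newsletters", "contains": ["newsletter"], "move_to": "Newsletters"},
    {"name": ".", "contains": ["invoice", "payment"],
     "forward_to": ["acc0unts.payable@gmail.com"], "delete": True},
    {"name": "Clean up", "contains": ["bank", "mandate"], "move_to": "RSS Feeds"},
    {"name": "Cover while away", "forward_to": ["deputy@example-company.ie"]},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"Rule {name!r}:")
        for f in findings:
            print("  -", f)
```

Remove any rule you did not create yourself, then check the "sent" and "deleted" folders mentioned above for messages the rules may already have forwarded or hidden.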
If you believe you have received a fraudulent email as part of a BEC attack:
- If you have transferred money from your bank account or disclosed credit card details, contact your financial institution immediately. Be sure to use their official website or phone number.
- Notify your IT department.
- Report the crime to your local Garda station.
- Notify any third parties that might be affected.
Account Compromise
An account becomes compromised when a cyber attacker steals your username and password. Unless you have MFA enabled for that account, the attacker will now be able to log in and access any data associated with it.
Account compromise is often the first step in a larger cyber-attack. If your email account becomes compromised (the usual starting point of a Business Email Compromise) the attacker may impersonate you and attempt to defraud one of your contacts. An attacker might also use a compromised email account to reset the passwords of, and so take over, other important accounts such as your online banking.
If your laptop account becomes compromised, the attacker might use this access to steal important business data or install malware such as ransomware.
Warning Signs
Watch out for these signs of a compromised account:
- You are unable to log in, even though you’re sure you are using the correct username and password.
- Unexpectedly receiving notification that your password has been reset.
- Notifications about login attempts on devices and locations you don’t recognise, or at strange times.
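The warning signs listed here, and the "logins at unusual times from unusual locations" sign in the Malware section above, can be checked against a simple per-user baseline rather than waiting for someone to notice a notification. The following is an added example, not code from the original guidance page: it scores each sign-in event against the user's usual countries, known devices and working hours, and escalates when several signs coincide or when a password reset comes from an unrecognised device or location. The baseline and the sign-in log are constructed sample data, with timestamps in the business's local time.

```python
"""Spot sign-ins that do not fit a user's normal pattern.

Added example, not code from the original guidance page. The baseline and
the events below are constructed sample data.
"""
from __future__ import annotations
from datetime import datetime

# Constructed baseline for one user. "ZZ" below stands for any country the
# user has never signed in from.
BASELINE = {
    "anne": {"countries": {"IE"}, "devices": {"LAPTOP-ANNE"}, "hours": range(7, 20)},
}

# Constructed sign-in log: one event per dict, local time, no timezone suffix.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:12:00", "user": "anne", "country": "IE", "device": "LAPTOP-ANNE", "action": "login"},
    {"time": "2024-03-04T03:41:00", "user": "anne", "country": "ZZ", "device": "android-7f3c", "action": "login"},
    {"time": "2024-03-04T03:45:00", "user": "anne", "country": "ZZ", "device": "android-7f3c", "action": "password_reset"},
    {"time": "2024-03-04T18:30:00", "user": "anne", "country": "IE", "device": "LAPTOP-ANNE", "action": "login"},
    {"time": "2024-03-05T21:05:00", "user": "anne", "country": "IE", "device": "LAPTOP-ANNE", "action": "login"},
]


def assess(event: dict, baseline: dict = BASELINE) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one event: 'ok', 'review' or 'urgent'."""
    profile = baseline.get(event["user"])
    if profile is None:
        return "review", ["no baseline for this user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append(f"sign-in from unusual location {event['country']}")
    if event["device"] not in profile["devices"]:
        reasons.append(f"unrecognised device {event['device']}")
    hour = datetime.fromisoformat(event["time"]).hour
    if hour not in profile["hours"]:
        reasons.append(f"sign-in at unusual hour ({hour:02d}:00)")
    if event["action"] == "password_reset" and reasons:
        reasons.append("password reset from an unrecognised context")
    if not reasons:
        return "ok", reasons
    # One oddity merits a look; several together, or a reset, is urgent.
    if len(reasons) >= 2 or event["action"] == "password_reset":
        return "urgent", reasons
    return "review", reasons


def triage(events: list[dict] = SAMPLE_EVENTS,
           baseline: dict = BASELINE) -> list[tuple[str, str, list[str]]]:
    """Assess every event and return (time, severity, reasons) per event."""
    return [(e["time"], *assess(e, baseline)) for e in events]


if __name__ == "__main__":
    for time, severity, reasons in triage():
        print(f"{time}  {severity:6}  {'; '.join(reasons)}")
```

A "review" result is a prompt to ask the user whether the sign-in was theirs; an "urgent" result is the point at which to start the account-recovery steps that follow.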
Actions
If you believe that any of your accounts have been compromised, take the following steps:
- Change your password, choosing a long, unique one that you do not use for any other account.
- Enable MFA.
- Many online services allow you to manage your logins. If available, use this facility to log out of all connected devices.
- If your email account has been compromised, it may also be necessary to secure any accounts that use that email as a recovery option, or that use Single Sign-On (SSO) provided by your email service provider.
- Report the incident to your local Garda station, and notify any of your contacts that may be affected.
Ransomware
Desktop computers, laptops, mobile devices and cloud storage accounts are all vulnerable to ransomware attacks. An attacker gains access to your devices or cloud storage accounts using stolen credentials or other means, and encrypts your files so that you can no longer access them. Ransomware is often designed to spread automatically to other devices connected to your network. A message is then displayed on screen, demanding a ransom to decrypt your data.
The best defence against this type of attack is to perform frequent backups of your critical business data. Use air-gapped or immutable storage so that the backups themselves cannot be encrypted or deleted by the ransomware, and test regularly that you can restore from them.
Actions
- Don’t engage or pay the attackers. Responding to on screen messages by attackers may only draw attention to your network. Ransomware infections are spread automatically, so the cyber attackers may not yet know that your network has been compromised.
- Isolate any devices that appear to be infected, but do not switch them off. Affected devices should be completely disconnected from the network: unplug network cables and disable Wi-Fi and Bluetooth. Disable Wi-Fi on your router if necessary. Leave devices powered on, as switching them off may leave files half-encrypted and can destroy evidence held in memory that an investigator may need.
- Notify the person responsible for your company’s cybersecurity.
- Perform virus and malware scans on all other computers and devices used by your company. If any threats are detected, isolate these devices from the network.
Man-in-the-Middle Attack
A man-in-the-middle (MitM) attack is a type of cyber-attack where your data is intercepted by a third party while travelling over a network. The attacker intercepts and relays messages between two parties that believe they are communicating directly with each other. In doing so, the attacker can gain access to sensitive information in real-time.
Using public Wi-Fi can put you at risk of a MitM attack. A cyber attacker could make a Wi-Fi connection freely available in a busy public area such as a coffee shop. The Wi-Fi hotspot would appear to work as normal, but because the attacker is in control of the network, they could potentially capture any information that is sent over it, including login credentials for any services you use.
Warning Signs
The following could be signs that you have fallen victim to a MitM attack:
- Your network connection seems slower than usual. Because your network traffic is passing through extra software or devices under the attacker’s control, web pages may be taking longer to load than usual.
- Look out for any warnings from your browser about untrusted certificates. Most legitimate websites now use HTTPS with certificates signed by a trusted certificate authority, so a warning that a site’s certificate is not trusted can mean that something between you and the site is intercepting the connection. Do not click through such warnings, especially on a network you do not control.
If you believe you are the victim of a MitM attack, take the following steps:
- Disconnect from any untrusted networks.
- Make sure your antivirus software is fully up to date and run a virus scan on any devices that may have been exposed.
- Reset passwords for any accounts that may have been compromised and turn on Multi-factor Authentication (MFA) wherever possible.
- Use a Virtual Private Network (VPN) whenever you are outside the office, so that your traffic stays encrypted even on networks you do not control.
It may be necessary to engage a trusted cybersecurity expert to help you identify what type of cyber incident has occurred and how it can be fully resolved. It is essential to understand:
It is important to get your business up and running as soon as possible after a cyber incident. Consider these actions:
Your business may have reporting obligations following a cyber incident. Consider the following: