Memory like a goldphish? The problem with short-term approaches to cyber attacks

When we look back on 2018, it’s entirely possible that the year will be best remembered for the Facebook/Cambridge Analytica scandal, the first mass public awakening to the problem of data privacy.

In contrast, major data breaches suffered by Marriott International and Amazon many other major multinational businesses felt like a side-show. They may have generated headlines aplenty when the news first broke, but unlike the Facebook furor, they were never destined to endure in the public consciousness.

In fact, precious few breaches ever linger around the zeitgeist long enough to receive the public inquest they surely warrant. The businesses affected may lose a handful of disgruntled customers as they undertake their minimal obligations to notify and inform those whose details have been compromised, but the long-term damage is rarely significant.

This is ironic given that the wiliest cyber-criminals will be the ones who hold back from the temptation to immediately exploit the customer details they’ve pilfered. Think about it: in the immediate aftermath of a breach going public, companies, and customers, credit card firms and cybercrime agencies are all on red alert. The data is ‘hot’ – it’s the virtual equivalent of monitoring the airports and railway stations straight after a terrorist incident.

However, once the repercussions of the immediate damage – financial, legal, reputational – have passed, and each of the affected parties starts to let their guard down, we’ll see the shrewdest of hackers strike, not by causing another high-profile stir, but by seeking out the value of the personal or financial data gathered in the original breach.

As a consequence, we predict that 2019 will be the year of Zombie Phishing – the year in which ancient threats start coming back from the dead. Cybercriminals will exploit the vulnerabilities of individuals who have not heeded calls to change passwords or implement two-factor authentication, at least on some of their most important or vulnerable accounts. The value of harvested data doesn’t disappear once a breach has been uncovered; it takes customers proactively updating their information and security protections to mitigate the potential for exploitation further down the line.

Hence, over the next twelve months, we’ll see phishing phantoms re-emerging to target customers of a myriad global companies. Which hacker wouldn’t relish going back to the scene of the crime and exploiting the millions of existing customer profiles that they had stolen the previous year – adding to their haul of current data breaches?

Don’t believe us? Well, you can find out for yourself: head over to HaveIBeenPwnEd and check if your details – email addresses or passwords (because of course, you have dozens of unique passwords – one for every site you visit, right?!) – are already out in the wild. The sad truth is that practically everyone has had their details compromised at some stage in the past decade.

This is not an attempt to scaremonger. Indeed, zombie phishers are nothing to be afraid of, providing that you undertake the requisite due diligence to ensure that any details currently sat in hackers’ hands are consigned to the past tense. It may seem daunting, but start with our top tips and you’ll be well on your way to protecting your data:

  1. Check to see if your personal information is listed using a tool, such as HaveIBeenPwnEd. If your passwords show up as leaked, stop using them and change services that currently use that password. You won’t be able to tell if both your password and your identity have been leaked together, but it’s clearly not worth the risk.
  2. Keep passwords separate, strong and regularly updated.
  3. Implement two-factor authentication where possible, and always double check the source of any correspondence you’re not expecting. Avoid SMS two-factor, use an app based solution.
  4. Use built-in protections already available to you; from anti-phishing capabilities to the spam filter provided by services such as Gmail.

The onus is on you to stay one step ahead of the hackers, as sadly the evidence suggests that many organisations we entrust with our data are incapable of doing the same.

PUBLISHED BY

Rahul Powar

30 Jan. 2019

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
BEC

DMARC: The best ROI for your organization

Jack Lilley

Executive summary: Implementing DMARC delivers one of the clearest, fastest returns on investment in email security. By authenticating outgoing mail and blocking spoofed messages, DMARC cuts the direct costs of phishing and Business Email Compromise, safeguards brand reputation, and boosts deliverability—ultimately driving revenue and trimming operational workload. Key takeaways: Email is a critical communication tool for…

Read more
DMARC

400,000 DMARC boost after Microsoft’s high-volume sender update

Jack Lilley

Microsoft’s decision to join Google and Yahoo in enforcing stricter rules for high-volume senders has triggered an immediate response across the internet. In the last 30 days alone, 406,042 new domains have deployed Domain‑based Message Authentication, Reporting & Conformance (DMARC), pushing the global total to 10.9 million. While not all domains will be exclusive Outlook users,…

Read more
DMARC

Red Sift partners with Gradian to strengthen email security through OnDMARC

Jack Lilley

Today Red Sift launches a new partnership with Gradian, a leading data protection provider, to offer its award-winning applications, including Red Sift OnDMARC, to new and existing customers. Established through Red Sift’s relationship with UK distributor E92plus, the two companies look to strengthen defences against phishing and Business Email Compromise (BEC) attacks. Allowing organisations…

Read more
Cybersecurity

DMARCbis: What are the changes and how to be ready

Jack Lilley

Executive Summary: DMARCbis, also known as DMARC 2.0, is the forthcoming update to the DMARC email authentication protocol, designed to address limitations and ambiguities in the original standard, with an expectation to be finalized and published in 2025. The update introduces clearer guidelines, a new method for determining organizational domains, and streamlined record management.…

Read more