Reinsurance
Reinsurance
Product Family
Product Family
Claims
Claims
Risk Consulting
Risk Consulting
Resources & Tools
Resources & Tools
Resources and Tools
Resources and Tools
About AXA XL
About AXA XL
About AXA XL
About AXA XL
Media Center
Media Center
Get In Touch
Get In Touch

In 2017, online digital publications announced the latest threat to consumer safety: hackers using vulnerabilities inside WhatsApp to spread malicious code via files sent using the app. In March 2019, a security researcher announced that a bug in Facebook Messenger gave hackers an open door through the user’s web browser. The bug has since been patched, but the vulnerabilities continue.

These days, the targets are much larger. Hackers are now using applications like WhatsApp and Messenger to launch phishing campaigns to target corporations across the globe.

With more businesses using messaging and file-sharing apps to conduct international conference calls, such a move by hackers is a natural next step in cyber warfare. In spite of this, many companies have yet to realize this growing threat to their IT security. This is not surprising given that many businesses are accustomed to thinking of their vulnerabilities through more known methods: typically attacks on servers, phishing emails, and human engineering.

What methods are attackers using?

Hackers have taken their methods and applied them in new territory. A recent report reveals that 71 percent of all fraudulent transactions in the second quarter of 2018 came from mobile banking apps or more broadly used apps and platforms like Facebook Messenger and WhatsApp. By exploiting vulnerabilities in phone and message apps, hackers are expanding their reach.

Such attacks are not new. In 2017, Kaspersky Lab reported that hackers have been attacking banks and government institutions in over 40 countries using “legitimate and reputable applications.”

Even with tighter security controls around company servers and networks, hackers have figured out ways to step up their use of apps as a means to gain entry. In one recent case, a message was sent via a company’s WhatsApp account, purportedly from the company CEO. The message:

"I need to inform you of a confidential acquisition regarding a payment that I need you to secure on my behalf. I am on the line with my lawyer now, can I give you a call shortly?"

 However, the CEO was not making the request. It was the work of hackers, who had used a weakness in WhatsApp technology to send the message. Fortunately, the request was never fulfilled. The staff member who received the message reported the suspicious request to the IT department, who was able to determine the request was fraudulent.

In addition, the company had protocols in place that would have thwarted any money from making it into the hands of hackers. Their procedure for approving financial transactions involved three steps requiring sign-off from designated people and phone verification.

Companies must be alert to the potential risks associated with using social media apps, including knowing how their own practices are opening the door to exploitation.

Unfortunately, not all companies can avoid falling victim to hackers, even with stringent authorization protocols in place. Bitcoin exchange Binance was victim of a large-scale security breach in May 2019 in which hackers diverted $40 million in bitcoin. Using several methods of attack, hackers obtained user information, including two-factor authentication codes, which allowed them account access.

From there, the thieves were able to withdraw 7,000 bitcoin from the company’s internet-connected wallet.

That the hackers obtained the two-factor authorization codes made this particular theft difficult to avoid. Yet the company’s losses could have been worse, except for the fact that the amount of cryptocurrency in their online account was just 2 percent of their total cryptocurrency holdings. Binance announced a few days after the breach that the company would be making up that 2 percent with company funds. For some companies who cannot recover as quickly, a loss of 2 percent of holdings could be a major setback.

What to look for

Breaches of social media apps tend to follow similar methodology as breaches that occur on company networks and email systems.

Companies and employees should be on the lookout for the following activity or behavior:

– Requests made via any social media app purporting to come from senior leadership. Is the name spelled correctly? Does the user name match the one the senior manager uses? Are the requests going to the appropriate person? Has the request been verified by phone with senior management that the request came from?

– Unfamiliar/unrecognized phone numbers. Much like email requests that use the person’s name, but comes attached to a completely different email account, social media requests coming from an unrecognized phone number should be treated with suspicion.

– Unusual behavior. Most CEOs would not use a social media app to make financial transaction requests. Nor would they use social media to ask for confidential bank account passwords or login credentials. Who can verify your CEO’s whereabouts and request activity? For requests that are not financial in nature, is the language typical of the person reaching out, or is there something not quite right about the request?

Prevention strategies

Here are a few things to keep in mind when using social media as part of your business:

– Never make financial requests over social media – and make it company policy to not honor such requests.

– Educate all staff. From senior leadership to administrative personnel, all employees should understand that social media requests for money or sensitive account information will not be used, nor will they be honored.

– Have a process for vetting all online requests. Have all monetary requests vetted through C-level management as well as examined by IT.

– Regularly update passwords. Reset all passwords on social media apps and alert IT to any suspicious activity – even that which isn’t a monetary request.

– Establish and actively use a three-step process for financial requests. Before releasing any funds, know who is authorized to approve such requests. Also, have in place a process that requires voice verification, including selected passwords that are changed regularly, as well as sign-off from key personnel. With every financial request, make sure to follow the procedure without exception.

As companies adopt more social media tools to conduct business, cyber thieves and social engineering attempts will continue to grow in frequency and severity. Companies must be alert to the potential risks associated with using social media apps, including knowing how their own practices are opening the door to exploitation.

Companies should establish strong verification processes and should have written social media policies in place. Likewise, companies need to educate employees on the policies, and on how to handle requests that seem out of the ordinary. Hackers will continue to find new ways to breach company systems. Staying one step ahead of the risks means examining your business activities from every angle to help reduce exposure and loss.

About the Author: John Coletti is Chief Underwriting Officer, Cyber & Technology – North America. He can be reached at john.coletti@axaxl.com.

  • About The Author
Invalid First Name
Invalid Last Name
Country is required
Invalid email
Invalid Captcha
 
Subscribe

More Articles

Quick Links

  • Related Resources

Fast Fast Forward

Ransomware-as-a-Service: The business of distributing cyber attacks

Ransomware is proving to be a profitable endeavor for cyber criminals. It is also what is fueling a newer trend: the business of offering management of ransomware attacks, or Ransomware-as-a-Service (RaaS).

Fueled in part by the ability to use cryptocurrency to avoid detection, cyber criminals are setting up shop as a managed service provider, helping other cyber criminals conduct business on their platforms for a fee. For that fee, cyber criminal groups get personalize access to platforms, complete with dashboard capabilities, that allow them to easily distribute their ransomware. Also included – technical support. Such full-service offerings mean that nearly anyone with internet access can launch a ransomware attack without any technical knowledge needed.

And why not? The estimated return on investment from ransomware campaigns can easily reach 1400%. The lure of a lucrative return could well attract beginners or anyone with a grudge. For organizations, the threat coming from a well-backed beginner is as damaging as one coming from a career criminal.

Today’s ransomware victim

 While nearly any organization or individual could be the victim of a cyber thief, many cyber criminals have started to conduct more targeted ransomware campaigns. Typical targets for cyber thieves include these organization types:

  • Those that rely heavily on technology to generate revenue. The more a company relies on technology to generate revenue, the more a breach involving downtime will impact the bottom line. While many organizations fit this description, the hardest hit would include retail, financial services, utilities, and manufacturing. 

  • Those that have a significant impact on health and safety. Because of the concern for the safety of the patient population, healthcare organizations are a particularly vulnerable target for cyber criminals. Thieves are exploiting the need to keep patients safe and their information private. Cyber criminals have demanded ransoms after encrypting files containing patient prescription information, medical files, and personal information.

  • Those that are unprepared.  Thanks to the rising cost of cybersecurity, many small to mid-sized businesses find it challenging to properly protect their businesses from ransomware threats. That makes them an ideal target for cyber criminals. In far too many cases, these businesses are faced with a hard decision: pay the ransom or close up shop.

 

The total impact of breach

Yet paying ransom is not so simple. Dealing in cryptocurrency is a complex and risky process, and one many organizations are not familiar with.

 

– Ransom payments. For example, most Bitcoin exchanges impose maximum purchase limits of $20,000 or less per day. For a ransom of $1 million, a company unfamiliar with the process, would have its operations on hold for 50 days. Fortunately for companies that have cyber insurance, ransomware payments are usually handled on the insured’s behalf by a trusted third party, and the entire ransom can be paid quickly. Also, cryptocurrency payments are irreversible. Because payments are made to an address comprised of a string of numbers and letters, one errant character could mean the payment never reaches the hackers, and the money paid is irretrievable. 

– Forensics. Forensics investigations are as good as the information investigators have to go on. Many organizations realize too late that their audit logs are not gathering the right information. Plus, many breaches are discovered months or even years after they occur, which means data for the event may not have been stored for that length of time.

– Legal. There are also legal requirements when a system is breached. Because each state has its own breach notification laws, some organizations could have difficulty complying, particularly if there are locations in other states. And in most cases, forensics investigations must first determine if any legal requirements have been triggered.

– Public relations/Crisis communications. Also, few organizations are equipped to handle inquiries and damage control once a breach becomes public knowledge. Hiring outside help to manage the situation is essential. If the breach is large enough, a company may need to set up a call center.

– Business interruption/Reputation damage. Then there are the costs associated with the interruption of normal operations. Such interruptions damage a company’s reputation far beyond the cost of the ransom demand. It is this vulnerability that makes a company a much more appealing target for cyber criminals.

– Data restoration. Once ransom is paid, organizations must rebuild or restore their systems. Full restoration can take days or weeks, depending on the number of systems involved.

–  Equipment damage/Bricking. Some ransomware renders the infected equipment permanently unusable. The cost of repair can exceed the cost of replacing the damaged devices.

Read More
Fast Fast Forward

Cyber Prevention: Staying ahead of the phishers, vishers and smishers

It starts with a phone call, a click of a link, a request from the CFO, a customer locked out of an account or a vendor complaining about a missing payment.

These attempts are just a few of the many ways in which ransomware, phishing, and other cyber attacks are launched. Seemingly everyday activities are altered to allow thieves entry into a company’s network or access to data and are becoming more prevalent.

Until recently, cyber criminals would lure users to click on a link that would release the ransomware on the system. Today, however, 95% of ransomware is deployed manually by a network intruder, via exploit kit, or via phishing attachments. When installed, it captures the computer system, demanding a ransom in exchange for releasing the computer system back in to the owners control. According to AXA XL cyber breach partner Kivu Consulting, there has a been a sharp increase in particularly bad ransomware strains, ones that fatally corrupt substantial portions of the victim’s data; ones that fail to decrypt properly after payment of a ransom, or is favored by volatile, unskilled attackers who are unable to troubleshoot decryption issues. New strains are always emerging including most recently -- Cr1ptT0r and Ryuk.

Ransomware strains are constantly changing and evolving. That trend is expected to continue. Symantec reports that the number of ransomware variants has increased by 46 percent. One report shows ransomware incidents in the first three quarters of 2018 spiked from under 20 percent to nearly 46 percent.

Creative crooks

Cyber criminals are growing more creative with their attacks. Phishing and ransomware attacks are essentially digital blackmail. When combined, phishing ransomware attacks create some vicious cyber threats.

In the new 2019 State of the Phish report, a report by proofpoint, there was a 65% increase in enterprises compromised by phishing attacks in 2018 compared to 2017, as criminals are always looking for new points of entry. While the report reflected a global average of 66% of end users who know what phishing is, more than half of the respondents (55%) reported that they do not know what ‘smishing’ is and 63% were unfamiliar with ‘vishing.’ Smishing, or SMS phishing, sends a text message to an individual's mobile phone in an attempt to get them to divulge personal information. Conducted by voice email, VoIP (voice over IP), or landline or cellular telephone, vishing attacks trick individuals into revealing critical financial or personal information to unauthorized entities.

Putting a multi-step verification process in place for all requests helps reduce the risk of a breach significantly, as can limiting access of critical data to only key employees.

The price tag of a ransomware attack is on the rise too. New research by Coveware reported that in the fourth quarter of 2018, the average ransom increased by 13% from the previous quarter ($5,973), reaching $6,733. As a cyber insurer, we see numerous ransomware claims with some, more recently, demanding ransoms as high as $1 million. The report also indicated that ransomware incidents last an average of 6.2 days and the average cost related to downtime is around $55,000. That’s a 47% increase in average downtime over Q3 2018, which Coveware indicates is a direct consequence of attacks where backup systems were wiped or encrypted. According to Coveware, 75% of organizations that paid a ransom had their backups compromised.

A wide target

While controlling the ransom demand is impossible, controlling the cybersecurity environment in a company is entirely possible. It starts with knowing where vulnerabilities lie and how to reduce the likelihood of compromise.

While cyber risks are varied and numerous, some of the main areas of vulnerability include:

  • Email. Email is still one of the primary methods hackers use to breach systems – 92 percent of malware is delivered via email. Fake invoices, spoofed email addresses, or links asking for recipients for an electronic signature are all successful methods used by hackers.
  • Software/apps. Hackers are exploiting vulnerabilities in existing software that is on your company’s computers. These “fileless” attacks implement executable code into plugins, programs, even older, unsupported programs. According to the Ponemon 2019 Endpoint Security Survey, respondents predict 62 percent of attacks targeting respondents’ companies in 2019 will be file-based and 38 percent will be fileless attacks. Zero-day attacks are also becoming more prevalent. Zero-day attacks either involve the exploitation of undisclosed vulnerabilities or the use of new malware that security products do not recognize. These attacks exploit a vulnerability before it has been publicly disclosed and a patch has been developed. In 2018, according to Ponemon’s report, the frequency of existing or known attacks is 63 percent. The frequency of new or unknown zero-day attacks however has increased to 37 percent of all attacks
  • Phone requests. A call from the bank about an account issue could be a hacker trying to get account or password information.
  • Accidental disclosure. Another prevalent incident cause for breaches in 2018, was accidental disclosure – the lost laptop or information shared accidentally -- was blamed for 114 breaches of the 1,244 U.S. breaches, according to a new report sponsored by CyberScout in conjunction with the Identity Theft Resource Center. These breaches exposed 22 million records.

 

Read More
Fast Fast Forward

Cyber insurance market: The year in review

Cyber liability is fast becoming the last frontier of the insurance world.  

Hackers and cyber thieves are growing in number and in the sophistication of their attacks. Attacks that do not require hackers to directly breach systems – fileless attacks – are ten times more likely to succeed than file-based attacks.  These fileless attacks, also known as zero-footprint, macro, or non-malware attacks use legitimate applications or even the operating system. These types of attacks don't install new software on a user's computer, so antivirus tools are more likely to miss them. 

Cyber thieves are setting their sights higher, as well, shutting down systems and demanding expensive ransoms.

In 2017, the insurance world saw the significant threat of ransomware in the forms of Petya, NotPetya, and WannaCry malware attacks that infected computer systems in over 150 countries and ground operations to a halt across numerous industries, including universities, hospitals, shipping companies, and governments.

While the exact losses associated with these events may never be known, estimates for the NotPetya attack stand at $10 billion; the total from the WannaCry attack, $4 billion. Some estimates have the Petya attack costing 10 times that of WannaCry.

Even with such high-profile cyberattacks, the market for cyber insurance is still flush with availability. With more demand for cyber coverage coming from buyers and relatively few major cyber loss events, the number of carriers offering cyber coverage has grown significantly; there are 170 carriers writing cyber liability, with 30 new market entrants this year and 26 new entrants in 2016. As a result, pricing has remained low and capacity is plentiful.

2018: Risks up close

The abundance of coverage does not indicate a lack of risks, instead, quite the opposite.   2018 brought these changes to the cyber market:

  • Increased Ransomware Attacks While last year’s major ransomware attacks did not impact the US market significantly in terms of their severity, the increase in the frequency of these attacks is cause for concern. Today, most cyber breaches are ransomware attacks. The reason: the ransoms have gone up exponentially. When ransomware attacks first appeared, most ransom demands were low enough to avoid a police investigation: typically, $300. However, in 2018 the industry saw ransom demands increase to an average of $30,000 to $50,000. In one case, cyber thieves demanded a $500,000 ransom. 
  • More Sophisticated Thieves Social engineering hit its stride in 2018. Hackers turned their attentions away from hacking into systems to using reconnaissance on individuals within a company to breach security measures for financial gain. By convincing employees or IT departments that a system access request is coming from the CEO who is traveling in another country, hackers were able to gain easy entry and carry out their plans.
  • A New Regulatory Environment As ransomware attacks increase, so will the risks of exposing customer and company data. The General Data Protection Regulation (GDPR) took effect in May 2018, putting pressure on companies across the globe to protect the data of EU citizens. As domestic companies looked to cover their exposure, the states began to enact their own privacy regulations. The California Consumer Privacy Act of 2018 (CCPA) gives consumers comprehensive control over their personal data and puts additional pressure on companies to ensure that personal information is protected.

The Evolving Buyer Influence

Along with the risks, other changes within the cyber market are impacting capacity and coverage options.

  • Buyers in charge With so much coverage availability, buyers are in the driver’s seat, a fact that is evidenced by the demands buyers are placing on cyber insurers. Buyers are turning to carriers for comprehensive pre-breach and post-breach cyber risk management services, and carriers are responding, either directly or by offering these services through third parties.  Some of these services include network vulnerability scanning, penetration testing both internally and externally of the network, assistance with business continuity planning, GDPR readiness and more. 
  • Expanded coverage Another change among buyers: more inclusive coverage. From endorsements to expanded coverage language, carriers are amending policies to meet many more pain points for their buyers. Several endorsements have begun to appear, covering things like: system failures, social engineering losses, consequential reputational loss, and hardware loss. Likewise, some endorsements give buyers the choice of electing which policy will handle their claim in the case of a business interruption loss where there may be overlapping coverage with their property policy and/or a social engineering loss in which their crime policy may respond.
  • More claims pressure More demanding buyers are also beginning to test policy parameters at claim time. Even indirectly related cyber events are being filed as cyber damages. Carriers are looking to bring clarity to coverage terms.  As coverage is becoming even broader, how claims under these new insuring agreements will be treated is unprecedented.
  • More InsurTech 2018 may be remembered as the year InsurTech took root. For cyber insurance, InsurTech has delivered a better customer experience from purchasing to servicing due to efficiency in the underwriting process and policy delivery.  It has also enabled carriers to get new products and enhancements to market faster.   As the number of insurtech delivered cyber policies increase, Carriers will be looking for more data analytics to better improve and understand this process.
Read More

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.

THIS AXA WEBSITE USES COOKIES

AXA XL, as a controller, uses cookies to provide its service, improve user experience, measure audience engagement, and interact with users’ social network accounts. We won't set optional cookies unless you enable them. You can disable them at any time.

For more detailed information on the cookies used for this website, you can read our Cookie Policy.

Find Out More About the Cookie Policy Privacy Notice