DDoS attackers increasingly strike outside of normal business hours

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.

DDoS attacks outside business hours

While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day.

While the number of attacks decreased overall (possibly as a result of the DDoS-as-a-service website Webstresser being closed down following an international police operation), both the scale and complexity of the attacks increased. The LSOC registered a 50% increase in hyper-scale attacks (80 Gbps+). The most complex attacks seen used 13 vectors in total.

Link11’s Q2 DDoS Report revealed that threat actors targeted organisations most frequently between 4pm CET and midnight Saturday through to Monday, with businesses in the e-commerce, gaming, IT hosting, finance, and entertainment/media sectors being the most affected.

The report reveals that high volume attacks were ramped up via Memcached reflection, SSDP reflection and CLDAP, with the peak attack bandwidth recorded at 156 Gbps. Other key findings from the Q2 report include:

  • The total duration of attacks during the quarter was 1,221 hours
  • 17% of attacks used two vectors, while 16% used three
  • The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%)
  • Memcached was the most used reflection amplification technique, with 773 attacks observed using this technique, highlighting that Memcached is still an issue. The SSDP reflection technique generated the greatest proportion of DDoS packets.
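The report classifies attacks by vector (UDP flood, SYN flood, ICMP flood, and Memcached, SSDP or CLDAP reflection) and by whether several vectors hit the same target. As an added illustration, not part of the Link11 report, the following Python applies that classification to a handful of constructed flow records: reflection traffic is recognised by the well-known UDP source port of the abused service (11211, 1900, 389), floods by protocol and packet rate, and each destination is then summarised with its set of vectors, total bandwidth, and whether it qualifies as multi-vector or hyper-scale (80 Gbps+) in the report's terms. The flow record fields, the 10,000 pps flood threshold and all addresses are assumptions made for the example.

```python
from collections import defaultdict

# UDP source ports of the reflection/amplification services named in the report.
# Unsolicited UDP arriving *from* one of these ports is the classic reflection signature.
REFLECTOR_PORTS = {11211: "memcached", 1900: "ssdp", 389: "cldap"}

# Assumed packet-rate threshold above which plain UDP/SYN/ICMP traffic counts as a flood.
FLOOD_PPS = 10_000

# Constructed flow records (not real telemetry). mbps is the rate towards dst.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "proto": "udp", "sport": 11211, "pps": 500_000, "mbps": 60_000},
    {"dst": "203.0.113.10", "proto": "udp", "sport": 1900, "pps": 200_000, "mbps": 15_000},
    {"dst": "203.0.113.10", "proto": "tcp", "sport": 40000, "flags": "S", "pps": 80_000, "mbps": 50},
    {"dst": "203.0.113.20", "proto": "udp", "sport": 53, "pps": 12, "mbps": 1},        # normal DNS replies
    {"dst": "203.0.113.20", "proto": "udp", "sport": 5000, "pps": 200_000, "mbps": 2_000},
    {"dst": "203.0.113.30", "proto": "tcp", "sport": 443, "flags": "PA", "pps": 300, "mbps": 20},  # normal HTTPS
]


def classify(rec):
    """Return the DDoS vector label for one flow record, or None for ordinary traffic."""
    proto, sport, flags = rec["proto"], rec["sport"], rec.get("flags", "")
    if proto == "udp" and sport in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[sport] + "-reflection"
    if proto == "udp" and rec["pps"] > FLOOD_PPS:
        return "udp-flood"
    if proto == "tcp" and flags == "S" and rec["pps"] > FLOOD_PPS:
        return "syn-flood"
    if proto == "icmp" and rec["pps"] > FLOOD_PPS:
        return "icmp-flood"
    return None


def summarize(records):
    """Aggregate attack traffic per destination: vectors, Gbps, multi-vector and hyper-scale flags."""
    per_dst = defaultdict(lambda: {"vectors": set(), "gbps": 0.0})
    for rec in records:
        vec = classify(rec)
        if vec is None:
            continue  # benign traffic is not counted towards the attack summary
        entry = per_dst[rec["dst"]]
        entry["vectors"].add(vec)
        entry["gbps"] += rec["mbps"] / 1000
    return {
        dst: {
            "vectors": sorted(v["vectors"]),
            "gbps": round(v["gbps"], 2),
            "multi_vector": len(v["vectors"]) >= 2,   # report: 46% of incidents used 2+ vectors
            "hyper_scale": v["gbps"] >= 80,            # report: hyper-scale means 80 Gbps+
        }
        for dst, v in per_dst.items()
    }


if __name__ == "__main__":
    for dst, info in summarize(SAMPLE_FLOWS).items():
        print(dst, info)
```

Only destinations that received at least one attack-classified flow appear in the summary, so a host seeing nothing but normal DNS or HTTPS traffic is absent rather than listed with an empty vector set.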


“Attacks in Q2 2018 continued to grow in scale and complexity. Nearly half of attacks were multi-vector, making them harder to defend against, and with the rapid growth in ‘hyper attacks’ with volumes of over 80 Gbps, we must now consider these large, complex attacks to be the new normal,” said Aatish Pattni, Regional Director UK & Ireland for Link11.

“It’s only a matter of time until a new DDoS-for-hire service emerges to replace Webstresser, so attacks will inevitably increase over the coming months. Given the scale of the threat that organizations are facing, and the fact that the attacks are deliberately aimed at causing maximum disruption, it’s clear that businesses need to deploy advanced techniques to protect themselves against DDoS exploits,” added Pattni.

Source: https://www.helpnetsecurity.com/2018/08/15/ddos-attacks-outside-business-hours/


How to Improve Website Resilience for DDoS Attacks – Part II – Caching

In the first post of this series, we talked about the practices that will optimize your site and increase your website’s resilience to DDoS attacks. Today, we are going to focus on caching best practices that can reduce the chances of a DDoS attack bringing down your site.

Website caching is a technique for storing content in a ready-to-serve state so that little or no code needs to run for each request. When a CDN is in place, the cache stores the content on a server located closer to the visitor. It is essentially a point-in-time snapshot of the content.


When a website is accessed, the server usually needs to compile the website code, display the end result to the visitor, and provide the visitor with all the website’s assets. This all takes a toll on your server resources, slowing down the total page load time. To avoid this overhead, it’s necessary to leverage certain types of caching whenever possible.

Caching not only decreases load-time indicators such as time to first byte (TTFB), it also saves your server resources.

Types of Caching

There are all sorts of caching types and strategies, but we won’t cover them all. In this article, we’ll approach three that we see most in practice.

Static Files

The first type is the simplest one, called static files caching.

Images, videos, CSS, JavaScript, and fonts should always be served from a content delivery network (CDN). These network providers operate thousands of servers, spread out across global data centers. This means they can deliver more data much faster than your server ever could on its own.

When using a CDN, the chances of your server suffering from bandwidth exhaustion attacks are minimal.

Your website will also be much faster given the fact that a large portion of website content is composed of static files, and they would be served by the CDN.

Page Caching

This is definitely the most powerful type of cache. Page caching converts your dynamic website into ready-made HTML pages when possible, making the website a lot faster and decreasing server resource usage.

A while ago, I wrote an article about Testing the Impacts of Website Caching Tools.

In that article, with the help of a simple caching plugin, the web server was able to provide 4 times more requests using ¼ of the server resources when compared to the test without the caching plugin.

However, as you may know, not every page is “cacheable”. This leads us to the next type…

In-Memory Caching

By using software such as Redis or Memcached, your website will be able to retrieve part of its database information straight from server memory.

Using in-memory caching improves the response time of SQL queries. It also decreases the volume of read and write operations on the web server disk.

All kinds of websites should be able to leverage in-memory caching, but not every hosting provider supports it. Make sure your hosting does before trying to use such technology.
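The page caching and in-memory caching sections above describe the idea (serve a stored copy, fall back to rendering only on a miss, and never cache pages that are not “cacheable”) without showing the mechanics. The following Python is an added example, not code from the original article or from any caching plugin it mentions: a cache-aside page cache in front of a simulated backend. A plain dictionary with expiry timestamps stands in for an in-memory store such as Redis or Memcached, and the cacheability rules (anonymous GET only, status 200, no `private`/`no-store` directive, no `Set-Cookie`) are the assumptions the example makes about which pages are safe to share between visitors.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


class PageCache:
    """Cache-aside page cache. The dict stands in for Redis/Memcached (assumption for the example)."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested without sleeping
        self._store = {}            # path -> (expires_at, Response)
        self.hits = 0
        self.misses = 0

    @staticmethod
    def cacheable(method, req_headers, resp):
        """Only anonymous, successful, non-personalised GET responses may be shared."""
        if method != "GET" or "Cookie" in req_headers:
            return False            # logged-in/personalised request: never store it
        if resp.status != 200:
            return False            # don't cache errors (they'd mask a fix and waste memory)
        cache_control = resp.headers.get("Cache-Control", "")
        if "private" in cache_control or "no-store" in cache_control:
            return False
        if "Set-Cookie" in resp.headers:
            return False            # response starts a session: specific to one visitor
        return True

    def get(self, method, path, req_headers, render):
        """Serve from cache when allowed and fresh; otherwise render and maybe store."""
        now = self.clock()
        if method == "GET" and "Cookie" not in req_headers:
            entry = self._store.get(path)
            if entry and entry[0] > now:
                self.hits += 1
                return entry[1]
        self.misses += 1
        resp = render(path)         # the expensive part: database queries, templates, etc.
        if self.cacheable(method, req_headers, resp):
            self._store[path] = (now + self.ttl, resp)
        return resp


class Backend:
    """Simulated application server that counts how often it has to render a page."""

    def __init__(self):
        self.renders = 0

    def render(self, path):
        self.renders += 1
        if path == "/account":      # personalised page, marked private by the app
            return Response(200, "your orders", {"Cache-Control": "private"})
        if path == "/missing":
            return Response(404, "not found")
        return Response(200, f"<html>{path}</html>")


def simulate_burst(n_requests=1000):
    """Replay a burst of anonymous GETs; return (backend renders, cache hits)."""
    backend, cache = Backend(), PageCache(ttl_seconds=60)
    paths = ["/", "/products", "/account", "/missing"]
    for i in range(n_requests):
        cache.get("GET", paths[i % len(paths)], {}, backend.render)
    return backend.renders, cache.hits


def ttl_demo():
    """Show expiry: a page cached for 10 s is re-rendered once the clock passes 10 s."""
    fake_now = [0.0]
    backend = Backend()
    cache = PageCache(ttl_seconds=10, clock=lambda: fake_now[0])
    cache.get("GET", "/", {}, backend.render)   # miss, stored
    fake_now[0] = 5.0
    cache.get("GET", "/", {}, backend.render)   # hit
    fake_now[0] = 11.0
    cache.get("GET", "/", {}, backend.render)   # expired, rendered again
    return backend.renders


if __name__ == "__main__":
    print("burst of 1000 requests -> (renders, hits):", simulate_burst())
    print("renders after TTL expiry:", ttl_demo())
```

In the burst, the two public pages are rendered once each and then served from memory, while the private account page and the 404 go to the backend every time; that split is exactly why the article stresses that not every page is cacheable, and why a cache that shares one visitor's personalised page with everyone would be a data-leak rather than a speed-up.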


We highly recommend using caching wisely in order to spare your server bandwidth and to make your website work faster and better.

Our Website Application Firewall (WAF) provides a variety of caching options that can suit your website needs. It also works as a CDN, improving your website performance. Not only do we protect your website from DDoS attacks, but we also make it up to 90% faster with our WAF.

We are still planning to cover other best practices about how to improve website resilience for DDoS attacks in other posts. Subscribe to our email feed and don’t miss our educational content based on research from our website security team.

Source: https://securityboulevard.com/2018/08/how-to-improve-website-resilience-for-ddos-attacks-part-ii-caching/


Researchers Uncover Massive Malvertising Operation

While analyzing recent drive-by download attacks, security researchers have uncovered a large malvertising operation that infiltrated the legitimate online ad ecosystem and abuses more than 10,000 compromised websites.

Malicious advertising, or malvertising, is the practice of displaying rogue ads on legitimate websites without their owners’ consent or knowledge. This has been a very popular attack vector for many years and even led to an investigation by the U.S. Senate in 2014.

In response, ad networks, which are responsible for delivering ads to content publishers, have strengthened their defenses against fraud and abuse, but as researchers from Check Point recently found, cybercriminals still find ways to bypass those checks on a large scale.

In addition to scam and scareware, malicious ads are frequently used to direct unsuspecting users to exploit kits, web-based attack tools that attempt to exploit vulnerabilities in browsers or their plug-ins. Flash Player, Java and Silverlight have been common targets over the years.

Exploit kits are not as popular with cybercriminals as they used to be, because the targeted applications have incorporated sandboxing and other mechanisms that make exploitation more difficult. However, they’re still around and new ones are being created.

“Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple Exploit Kits,” researchers from the security company said in a new report.

The researchers uncovered that a single threat actor, whom they dubbed Master134, is in control of more than 10,000 compromised websites. The sites all run an older version of WordPress that is vulnerable to remote code execution.

The threat actor appears to be posing as a publisher and sells ad space on these compromised websites through a large advertising network called AdsTerra. In turn, that ad space is bid on and bought through AdsTerra by several other reseller companies, which then sell it to advertisers who turn out to be almost exclusively cybercriminal groups that operate exploit kits.

This seems to be a full abuse of the advertising supply chain and it’s not clear if the advertising companies involved are having their security checks bypassed or are intentionally turning a blind eye to the malicious activity.

“Indeed, threat actors never cease to look for new techniques to spread their attack campaigns, and do not hesitate to utilize legitimate means to do so,” the researchers said. “However, when legitimate online advertising companies are found at the heart of a scheme, connecting threat actors and enabling the distribution of malicious content worldwide, we can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisement we encounter while visiting legitimate websites are not meant to harm us?”

Unfortunately, malvertising is likely to remain a common attack vector for years to come, if not to direct users to exploit kits, then to trick them into downloading potentially unwanted applications. Malicious and annoying advertisements are frequently cited as the primary reasons for users installing ad blockers in their browsers, which hurts the entire online ecosystem and content creators in particular.

Source: https://securityboulevard.com/2018/07/researchers-uncover-massive-malvertising-operation/


This new cryptomining malware targets business PCs and servers

Researchers have uncovered a cryptojacking campaign that looks to spread across infected networks to ensure as much mining profit as possible.

A new form of cryptocurrency-mining malware is targeting corporate networks across the world, employing a combination of PowerShell and EternalBlue to stealthily spread.

Dubbed PowerGhost, the fileless malware can secretly embed itself on a single system on a network then spread to other PCs and servers across organisations.

The cryptojacker has been uncovered by researchers at security company Kaspersky Lab, who detected it on corporate networks across the globe, with the largest concentration of infections in India, Brazil, Colombia, and Turkey. PowerGhost has also been detected across Europe and North America.

Cryptocurrency mining malware secretly uses the power of infected systems to mine for cryptocurrency, which is sent to the attackers’ wallet. The more machines that are infected, the more illicit profits the attackers can make.

Infections begin with the use of exploits or remote administration tools such as Windows Management Instrumentation. PowerGhost also uses fileless techniques to discreetly go about its business and ensure it isn’t detected on the network.

By adopting this tactic, the PowerGhost miner isn’t stored directly on the hard drive of the infected machine, making it harder to detect.

PowerGhost itself is an obfuscated PowerShell script which contains add-on modules for the miner’s operation such as mimikatz, which helps it obtain account credentials of infected machines, as well as a shellcode for deploying the notorious EternalBlue exploit to spread around the network.

EternalBlue is the leaked NSA hacking tool which went on to power the WannaCry and NotPetya attacks, and it’s still being used by crooks over a year later.

After one machine is infected with PowerGhost, EternalBlue can spread it around the rest of the network, then with the aid of mimikatz it can steal credentials, aiding its spread and allowing the escalation of privileges using CVE-2018-8120.

Once PowerGhost is embedded onto machines, it can perform its task of mining for cryptocurrency — and detection rates for the malware suggest that those behind it are particularly keen to compromise corporate networks in order to make as much money as quickly as possible.

“PowerGhost raises new concerns about crypto-mining software. The miner we examined indicates that targeting consumers is not enough for cybercriminals anymore – threat actors are now turning their attention to enterprises too. Crypto-currency mining is set to become a huge threat to the business community,” said David Emm, principal security researcher at Kaspersky Lab.

Researchers note that one version of PowerGhost can also be used for conducting DDoS attacks, something which those behind the malware are likely to be using as an additional means of income.

Cryptocurrency mining malware has risen to become one of the most popular means of cybercriminals making money, even surpassing ransomware when it comes to turning a profit.

To avoid corporate networks falling victim to mining malware, researchers recommend software is kept patched and up to date in order to prevent miners exploiting known vulnerabilities like EternalBlue.

Organisations are also urged not to overlook less obvious targets for attacks such as queue management systems, POS terminals, and vending machines: cryptojackers don’t need much power to operate, so they can easily take advantage of these often-forgotten, low-powered systems.

Source: https://www.zdnet.com/article/this-new-cryptomining-malware-targets-business-pcs-and-servers/


Critical infrastructure remains insecure

Organisations can no longer afford to leave their systems unprotected from increasingly advanced cyber threats.

The threat to our critical national infrastructure (CNI) system is at an unprecedented high with reported cyber-attacks from a number of factions, suspected infiltrations from nation states, and the NCSC warning that these systems remain a high-profile target and exceptionally vulnerable.

Earlier this month, researchers found that just four lines of code implanted in a device on a factory floor could identify and list networks, trigger controllers and stop processes and production lines. In fact, responding to Corero’s Freedom of Information requests, 70% of critical infrastructure institutions – ranging from police forces to NHS trusts, energy suppliers and water authorities – confirmed they’d experienced service outages in their IT systems within the last two years.

Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life, disruption by preventing access to essential services such as power, transport and the emergency services. Recognizing the damaging impact they can inflict, malicious actors have started crafting malware specifically to target these systems and many believe the next attack is just around the corner.

With the heightened threat, and possibility of significant fines under the new Networks and Information Systems (NIS) directive which came into effect in early May, it’s crucial that organizations implement security measures before damage is done.

Industrial control systems at risk

In recent months, we have seen a greater number of sophisticated cyber threats against all parts of critical infrastructure. Indeed, last October a DDoS attack on the Swedish Railway took out their train ordering system for two days, causing travel chaos. Similarly, last May’s WannaCry ransomware attack caused many NHS systems to be unavailable (e.g. access to patients’ medical records), causing operations to be cancelled. There is no doubt that a successful attack on the more vulnerable management systems can cause widespread disruption. Moreover, such attacks can result in network downtime, which in turn can have a serious economic impact as it can affect production, impact output, cause physical damage and even put people’s lives in danger.

In a separate Corero study last year, we found that most UK critical infrastructure organizations (51%) are potentially vulnerable, because they fail to detect or mitigate short-duration, surgical DDoS attacks on their networks and have not deployed technology that can do so. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators, because even a short amount of downtime or latency can significantly impact the delivery of essential services. Indeed, DDoS attacks can disrupt the availability of critical services we use as part of our everyday life, while potentially allowing attackers to plant weaponized malware. Critical infrastructure operators, including energy, transport, communications and emergency services, should not be leaving DDoS attack protection to chance.

Attackers are taking advantage of the escalating number of industrial IoT devices, which underscores the growing risk of very large botnet-based DDoS attacks. These devices are transforming industrial sectors by reducing costs and providing better visibility of networks, processes and security. However, despite their benefits, these devices suffer from basic security vulnerabilities, and it is precisely this lack of security that makes them such an attractive target for hackers.

NIS Directive introduces changes to critical infrastructure security

Protecting critical infrastructure from cyber-attacks has become a top government priority. The EU’s NIS Directive, adopted into UK law as the NIS Regulation, aims to raise levels of security and resilience of network and information systems. Indeed, now that the legislation is implemented into UK law, critical infrastructure outages will have to be reported to regulators, who have the power to impose financial penalties of up to £17 million on providers of infrastructure services that fail to protect against cyber-attacks on their networks. Consequently, operators of essential services and industrial control systems need to up their game to be resilient to today’s cyber-threats. However, rather than being seen as just more red tape, or a financial telling-off for non-compliance, the regulation should be seen as a golden opportunity to improve the UK’s cyber-security posture.

Best practices

Despite the huge fines and multiple warnings, 11% of the critical infrastructure organizations that responded to Corero’s 2018 study admitted that they do not always ensure that patches for critical vulnerabilities are routinely implemented within 14 days, as recommended within the Government’s 10 Steps to Cyber Security guidance. Paradoxically, almost all the organizations that responded to the request (98%) are following government advice about network security, by adhering to the Network Security section of the 2012 guidance.

To reduce the risk of a catastrophic outcome that risks public safety, organizations need to ensure their industrial control systems are secure.

Organizations need to take a serious look at their own operating model and ensure that robust protection against cyberthreats is in place. It is not acceptable that service and data loss should be excused, under any circumstances, when the technology and services to provide proper protection are available today.

One of the biggest challenges that organisations running critical infrastructure systems now have is that they are increasingly connecting those networks to the broader IT infrastructure, for reasons of operational efficiency and effectiveness. The potential for hackers to access these devices from the outside and change settings, or launch DDoS attacks to block local changes from taking effect, could be very damaging indeed, depending on the systems being targeted. Organisations vulnerable to such attacks need to ensure they are putting the right protection in place, including real-time automatic DDoS protection, as even small attacks getting through, for even a short period of time, could have serious implications.

In addition, to avoid smart devices being enslaved into DDoS botnets, organizations need to pay close attention to the network settings for those devices and, where possible, protect them from access to the Internet and to other devices.

Organizations can include IoT devices alongside regular IT asset inventories and adopt basic security measures like changing default credentials and rotating a selection of strong Wi-Fi network passwords regularly.

Businesses can certainly protect their networks from DDoS attacks fueled by IoT-driven botnets by deploying an always-on, automated solution at the network edge, which can detect unusual network activity and eliminate threats from entering a network, in real-time.

Source: https://www.itproportal.com/features/critical-infrastructure-remains-insecure/


Botnets Evolving to Mobile Devices

Millions of mobile devices are now making requests in what’s described as “an attack on the economy.”

Botnets have tended to hide in the nooks and crevices of servers and endpoint devices. Now a growing number are hiding in the palms of users’ hands. That’s one of the conclusions of a new report detailing the evolving state of malicious bots.

“Mobile Bots: The Next Evolution of Bad Bots” examined requests from 100 million mobile devices on the Distil network from six major cellular carriers during a 45-day period. The company found that 5.8% of those devices hosted bots used to attack websites and apps – which works out to 5.8 million devices humming away with activity that their owners know nothing about.

“The volume was a surprise,” says Edward Roberts, senior director of product marketing at Distil Networks. The research team even took another sampling run to verify the number, he says. In all, “one in 17 network requests was a bad bot request,” Roberts says.

Another significant step in the evolution of these bots is their use. The “traditional” use of botnets is as an engine for distributed denial-of-service (DDoS) attacks or spam campaigns. These mobile bots, though, seem to be focused on a different sort of attack.

“It’s an attack on the economy,” Roberts says, describing the activity in which bots repeatedly scrape prices from a retail site so that a competitor can constantly match or undercut the price.

Another activity for these mobile bots is hunting through brand loyalty sites looking for login information so that premium products or “points” can be harvested for the botnet owner. A side effect of this type of activity is much lower traffic volume than that often seen in bot-infected devices.

“We only see an average of 50 requests a day from these devices,” Roberts says. “The activity is low and slow and highly targeted.” In this targeted activity, the nature of a cellular-connected device comes into play, as the IP address will change every time the device moves from one cell to another.

The one thing that hasn’t evolved is the way in which the devices become infected, the report points out. Tried-and-true infection mechanisms, including malicious file attachments in email, infected files behind website links, and drive-by infections that use redirected links, are all commonly found. As with desktop and laptop computers, the researchers recommend anti-malware software and user education as primary defenses against infection and botnet recruitment.
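Two details in the article matter for detection: the bots are “low and slow” (around 50 requests a day per device), and a cellular device’s IP address changes as it moves between cells. Together they defeat the usual per-IP request counting. The following Python is an added example, not from the Distil report, showing why: over a constructed day of requests, a scraping device that cycles through carrier IPs never trips a per-IP threshold, while counting by a per-device identifier (here a hypothetical app session or device token, an assumption of the example) and looking at what the requests fetch (price pages) does single it out.

```python
from collections import Counter, defaultdict

# Constructed request log, one tuple per request: (timestamp_s, client_ip, device_token, path).
# The device token is an assumed per-device identifier (e.g. an app session token);
# the Distil report does not say what identifier it used.
def build_sample():
    reqs = []
    # Scraper: 50 price lookups spread over a day, arriving from 10 different
    # carrier addresses as the handset moves from cell to cell.
    for i in range(50):
        ip = f"198.51.100.{i % 10}"
        reqs.append((i * 1700, ip, "dev-7f3a", f"/product/{i}/price"))
    # Human: 20 mixed page views from a single address.
    human_paths = ["/", "/product/1", "/product/1/price", "/cart", "/checkout"]
    for i in range(20):
        reqs.append((i * 300, "203.0.113.5", "dev-1c0e", human_paths[i % len(human_paths)]))
    return reqs


def flag_by_ip(requests, threshold=30):
    """Classic approach: any IP exceeding the daily request threshold is flagged."""
    counts = Counter(ip for _, ip, _, _ in requests)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def flag_by_device(requests, threshold=30, price_ratio=0.9):
    """Count per device token instead of per IP, and weigh what the device asks for."""
    stats = defaultdict(lambda: [0, 0])           # token -> [total requests, price-page requests]
    for _, _, token, path in requests:
        stats[token][0] += 1
        if path.endswith("/price"):
            stats[token][1] += 1
    return sorted(
        token for token, (total, prices) in stats.items()
        if total >= threshold and prices / total >= price_ratio
    )


def distinct_ips(requests, token):
    """How many source addresses one device was seen from (the cell-hopping effect)."""
    return len({ip for _, ip, t, _ in requests if t == token})


if __name__ == "__main__":
    log = build_sample()
    print("per-IP flags:    ", flag_by_ip(log))        # expected: []
    print("per-device flags:", flag_by_device(log))    # expected: ['dev-7f3a']
    print("scraper IPs seen:", distinct_ips(log, "dev-7f3a"))
```

The per-IP rule is not wrong, just blind to this traffic: no single address ever carries more than five of the scraper's fifty requests. The per-device rule works only if the site can attach a stable identifier to the client, which is the real design question this kind of bot forces on a defender.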



Small businesses aren’t properly prepared for cyberattacks

Even though businesses all over the world are increasingly taking online protection seriously – they still aren’t 100 per cent confident they could tackle serious cybersecurity threats.

Polling 600 businesses in the US, UK and Australia, a study by Webroot found that new types of attacks are dominating in 2018 (compared to the year before) but that the cost of a breach is decreasing, as well.

Phishing has taken the number one spot as the most dangerous type of attack, displacing malware. Ransomware is also up, from fifth to third, mostly thanks to the large success of WannaCry.

At 25 per cent globally, insider threats seem to be the least dangerous of the bunch.

When it comes to the UK in particular, ransomware is the biggest threat. SMBs are far less concerned about DDoS attacks in the UK, compared to their US counterparts, too.

The report has also taken a closer look at training and uncovered that even though almost all businesses do conduct training to teach their staff about cybersecurity, this training isn’t continuous. That leads to the next statistic: 79 per cent can’t say they are “completely ready to manage IT security and protect against threats.”

“As our study shows, the rise of new attacks is leaving SMBs feeling unprepared,” commented Charlie Tomeo, vice president of worldwide business sales, Webroot.

“One of the most effective strategies to keep your company safe is with a layered cybersecurity strategy that can secure users and their devices at every stage of an attack, across every possible attack vector.”

Source: https://www.itproportal.com/news/small-businesses-arent-prepared-for-cyberattacks/


Misguided “Bitcoin Baron” Hacker Gets 20 Months

An inept cyber-criminal has been given a 20-month sentence behind bars after DDoS-ing the networks of a Wisconsin city, temporarily taking out its 911 center.

Randall Charles Tucker, 23, of Apache Junction, Arizona carried out the attacks on the City of Madison in 2015 as part of a wider DDoS campaign against various cities, according to the Department of Justice.

“In addition to disabling the City of Madison’s website, the attack crippled the city’s internet-connected emergency communication system, causing delays and outages in the ability of emergency responders to connect to the 911 center and degrading the system used to automatically dispatch the closest unit to a medical, fire, or other emergency,” the notice read.

It’s unclear what his motivation was in launching the attack, although it came just days after a fatal shooting by a Madison police officer.

Tucker’s other exploits saw him DDoS the municipal computer systems in Phoenix suburbs Chandler and Mesa and user-generated video portal News2Share, the latter in a bid to persuade it to feature one of his videos.

These charges were reportedly dropped as part of the plea deal.

Tucker boasted of his crimes on social media, dubbing himself the “Bitcoin Baron,” and has also reportedly taken part in hacktivist campaigns like Anonymous #OpSeaWorld.

However, his attempts to portray himself as a moral crusader failed miserably. In one incident in 2015 he apparently DDoS-ed the city and police websites of San Marcos in Texas — demanding a local policeman who had assaulted a female college student be jailed and fired. That cop had already been sent to prison two years previously.

Tucker also launched an attack on a children’s hospital, reportedly defacing it with child pornography, which if true somewhat undermined his hacktivist credentials.

Alongside the jail sentence, Tucker was ordered by the court to pay restitution of over $69,000 to the victims of his attacks.

Source: https://www.infosecurity-magazine.com/news/misguided-bitcoin-baron-hacker/


A Mexican presidential campaign blamed Russia and China for a cyberattack, but a bigger online threat is closer to home

  • A Mexican presidential candidate’s website was overwhelmed by traffic moments after he announced it at a debate earlier this month.
  • The candidate and his party attributed the shutdown to a cyberattack, but specialists doubt that.
  • The incident has brought renewed attention to online efforts to influence Mexico’s election.

Shortly after Mexican presidential candidate Ricardo Anaya held up a placard announcing his campaign’s newest website, Debate2018.mx, during a debate on June 12, the site was overwhelmed by an influx of traffic.

Anaya’s campaign said the site — which was to offer evidence of wrongdoing by campaign frontrunner Andres Manuel Lopez Obrador — likely experienced a distributed denial of service attack and that most of the traffic had come from Russia and China.

But experts have cast doubt on that version of events and said homegrown cyber activity will likely play a bigger role in Mexico’s election.

Last year, then national security adviser Gen. H.R. McMaster said there were “initial signs” of Russian effort at “subversion and disinformation and propaganda” targeting Mexico’s election using cyber tools.

There have been no clear signs of foreign meddling in Mexico ahead of the July 1 election that will pick some 3,400 office holders at all levels of government. Mexico has said it has not received evidence from the US of such interference, and Russian authorities denied engaging in it. But accusations have continued.

The coalition backing Anaya’s candidacy said after the debate that the traffic responsible for bringing the site down came from Russia and China. But digital-security specialists told Verificado 2018, a site set up to check claims made during the campaign, that the evidence presented did not prove there had been “a Russian attack,” saying that the traffic that did originate in Russia would not have had more of an impact than traffic that came from Mexico.

The specialists said the main reason for the crash was the site’s administrators failing to prepare for a sudden influx of traffic.

“If this was a DDOS attack, the most likely explanation is that hackers inside of Mexico purchased the capabilities to conduct that attack from a group that hosts its bots in Russia,” said James Bosworth, a Latin America expert and founder of the risk-analysis firm Hxagon. “It’s also likely true that the Anaya campaign’s tech team was unprepared for the surge in legitimate traffic, much less a DDOS attack.”

‘Locations are easy to fake’

Accusations of social-media manipulation targeting Mexico’s elections are not new.

The Institutional Revolutionary Party has been accused of using networks of bots to influence trending topics during the 2012 presidential campaign, in which the party’s candidate, Enrique Peña Nieto, defeated Lopez Obrador. (The PRI ran Mexico as a de facto one-party state for much of the 20th century, retaining power in part through electoral manipulation.)

In 2016, a hacker named Andres Sepulveda told Bloomberg he was given a $600,000 budget to back Peña Nieto’s 2012 campaign by hacking the opposition and through a network of 30,000 Twitter bots used to create false waves of enthusiasm and criticism.

Activists, journalists, and other public figures in Mexico have also faced online attacks, often from networks of trolls and accounts run anonymously.

Such social-media activity has come to the fore again during this campaign, though many have pointed to foreign interference — particularly from Russia — on behalf of Lopez Obrador, a popular leftist politician who has inveighed against corruption, inequality, and entrenched power in Mexico.

Analysis by the Atlantic Council’s Digital Forensics Research Lab found that the source of that traffic is not so clear.

“We were unable to verify claims that Russian bots were targeting the Mexican elections,” said Donara Barojan, a research associate at the DFRL.

“We did, however, find one ‘Russian-speaking’ botnet, which was actively promoting the Green Party of Mexico” but classified it as a commercial, rather than political, botnet, as it was boosting posts on a variety of topics from all over the world, Barojan added.

The bots found by the lab appeared to be run by people supporting Mexican political parties or by commercial users who rented them out, said Ben Nimmo, a nonresident senior fellow at the DFRL who, with Barojan, analyzed reports of Russian bots targeting Mexico’s election.

“Some of the paid bots we identified appeared to originate from Russia, but they amplified content from users all over the world, without a particular political slant, so they don’t look like an influence operation,” Nimmo said.

“There’s no evidence to suggest that the political bots we found were based outside of Mexico,” he added. “Absence of proof does not equal proof of absence, but so far, there’s no reason to suggest state-run efforts.”

Nimmo stressed that the origin point of certain online activity could easily be faked but said between 75% and 90% of the activity the lab had analyzed appeared to come from Mexico, while a smaller portion, between 5% and 15%, appeared to come from Venezuela or the US.

“But locations are easy to fake,” he noted, “so this is suggestive, rather than conclusive.”

‘Bot activity is everywhere’

Use of bots, or automated accounts, and trolls, which are people using fake accounts, cuts across political parties in Mexico, where social media is especially popular and where 14 million new voters are set to cast ballots this year.

Consulting firm Metrics México said in March that more than 18% of Twitter content in the country over the previous weeks was created by bots and paid influencers. “The influencers put out the topic, the bots fatten it up, and public opinion buys it,” the firm’s CEO told El Pais.

Two people previously employed as trolls told El Pais that they were paid about $580 a month to operate dozens of fake Twitter or Facebook accounts using either fabricated or stolen identities. “They think you’re a real human being,” one of them said.

A woman known as Sophie said on a December episode of the Reply All podcast that she answered a help-wanted ad during the 2012 campaign and found herself using Twitter to promote Peña Nieto.

“They gave us a lot of accounts. In my case I had three or four,” she said. “There were people that had more, like five or six, there were people that only had one, but they were fake accounts. You could not use your Twitter account for anything, anything, anything, because it was like secret.”

“Bot activity is everywhere,” said Nimmo, adding that despite more awareness, human users often struggle to tell bots from other human users.

But in Mexico, where this year’s election is characterized by a strong rejection of Peña Nieto and the governing PRI, it’s not clear that online campaigns will successfully shape public sentiment.

“An algorithm-run account is highly unlikely to change anyone’s perception towards a particular issue or an individual,” said Barojan, “but they can make that issue or individual seem more important or popular than they really are.”

The PRI and Lopez Obrador’s party, the National Regeneration Movement, or Morena, were both likely to wield vast networks of social-media bots during the campaign, Bosworth said in an interview earlier this year.

Other analysis by Barojan found that PRI senate candidates were using automated social-media accounts to promote their own campaigns.

“The PRI have certainly been using their bots to promote their candidates and smear their opponents both at the national level and local level,” Bosworth said in an email on Monday. “While they have been able to manipulate trending topics on Twitter, it doesn’t appear to be impacting public opinion much. Mexican voters are definitely anti-PRI this election.”

But bots promoting Lopez Obrador and his party have not been used “to their full potential,” Bosworth said. His “lead is so comfortable that he has little need to engage in a controversial bot campaign that could lead to negative coverage.”

Source: http://uk.businessinsider.com/russian-bots-are-accused-of-meddling-in-mexicos-election-2018-6


World Cup could lead to surge in cyber threats

With the Group Stage of the 2018 FIFA World Cup now well underway, security companies are warning that cybercriminals are likely to use the interest stirred up by the event to launch cyber attacks.

Network and endpoint security company Sophos noted that cyber attacks often go hand in hand with major sporting events, including the World Cup, as criminals exploit the fevered interest stirred up in incautious sporting fans.

There has already been a long history of World Cup cyber threats, including a virus with a backdoor sent under the pretence of free tickets during Germany 2006, and the blackmail of online betting sites with threats of DDoS attacks during South Africa 2010.

A virus deployed during France 1998 also had users gamble on the winner of the Cup, with the wrong choice leading to all data being wiped from a victim’s drive, while in South Korea 2002, a virus posing as a web utility giving up-to-the-minute updates was distributed via email and IM.

Sophos noted that awareness is generally greater this year, with teams including the English Football Association warning players not to use public Wi-Fi in Russia due to fears of hacking.

But the company noted that it is important that organisations and people remain vigilant at all times about the increased threat.

Meanwhile, Akamai Technologies Director of Security Technology Patrick Sullivan noted that the company has historically noticed declines in cyber attacks while games are actually underway — until there’s a clear winner.

“Once games are well in hand, attacks from the losing team’s nation spike well above normal. This often takes the form of attacks designed to take down news stories in the victor’s country that tout a home-team win,” he said.

“Activists also frequently use various forms of cyber attacks during major sporting events to protest the host nation — often targeting sponsors to get their point across. For example, protesters at the recent Brazilian World Cup that were upset with the amount of money spent.”

Source: https://www.technologydecisions.com.au/content/security/news/world-cup-could-lead-to-surge-in-cyber-threats-456219990
