Weekly Threat Report 10th November 2017

Created:  10 Nov 2017
Updated:  10 Nov 2017
NCSC Threat Report
We would like your feedback on the Weekly Threat Report. Please send us your thoughts, suggestions and queries using our 'Contact Us' page.
This report is drawn from recent open source reporting.

Dating apps may put users’ personal data at risk

Researchers at Kaspersky Labs report that several popular online dating apps suffer from vulnerabilities in securing personal data. Users may be at risk of being deanonymised, with their locations trackable and personally identifiable information (PII) in danger of being intercepted. Attackers could use the data for a variety of malicious purposes.

Poor security during data transmission is a common problem. For example, some apps upload photos over plain HTTP, without encryption. Other apps use HTTP for all transmissions back to the server, risking attackers intercepting data while in transit.

Some apps also use a token-based authorisation process but do not store the tokens securely. Attackers could easily obtain authorisation tokens for Facebook, enabling full access to the associated account. Vulnerabilities also exist in several apps’ message history, particularly for Android users running outdated software.

Users wishing to use online dating apps should choose them with care and limit the amount of personal information they share.

Was Bad Rabbit a smokescreen for a directed phishing attack on Ukraine?

Ukraine’s state cyber police say that malicious actors launched stealthy phishing attacks in conjunction with the Bad Rabbit ransomware attack in an apparent effort to obtain confidential data from victims. While the attack was ongoing, users of Russian-designed software that is widely used in Ukraine were targeted with a stream of phishing emails that attempted to obtain financial and other confidential information.

The Ukrainian state cyber police believe the same actors were behind both attacks and that Bad Rabbit provided camouflage for a highly-targeted, well-thought-out attack.

It is not uncommon for malicious cyber actors to exploit large-scale attacks as a smokescreen to conceal their own activities. However, the potential combination of the Bad Rabbit and Ukrainian phishing cases may indicate a more deliberate hybrid attack methodology. This is consistent with a general trend of malicious cyber campaigns that are increasingly complex, sophisticated and harder to detect as a result.

No UK victims have been reported in either of these attacks. Nevertheless, during large-scale attacks such as WannaCry or Petya/NotPetya, there will be an increased threat to UK organisations and individuals from opportunistic cyber attacks.

Scammers compromising email accounts to carry out fraud

Business Email Compromise (BEC) scams are becoming an increasingly common and attractive proposition for cyber criminals due to the high potential rewards. The security technologist Bruce Schneier has recently written on examples in the US real estate sector and fine art organisations in the UK and US, where compromised email accounts have enabled attackers to defraud individuals of significant sums of money. The FBI has assessed the cost to victims as at least $5 billion over a three-year period.

A would-be attacker can gain significant advantages and improved chances of success if they are able to read a company’s email. A recent blog by the NCSC's Technical Director, Ian Levy, highlights the considerable challenge of identifying malicious emails, but also notes that spoofed domains, inconsistent display names and inauthentic language can act as clues that potential victims may be able to spot.

Many of these pitfalls can be avoided by attackers who acquire access to a company’s email account. A capable attacker may spend weeks or months studying the language and formatting of legitimate emails and send requests from legitimate domains, making it less likely that recipients will be suspicious. The NCSC website has previously provided guidance on Whaling and avoiding Phishing attacks.

Poor account management practices put privileged accounts at risk

Many businesses are reportedly using a mix of internally developed tools, scripts, spreadsheets and paper-based tracking to manage their administrative and other privileged access accounts. As cyber security professionals have warned, however, this presents potential risks.

Privileged account credentials allow administrators to log in and manage key network devices such as servers, firewalls, database servers and management applications. A recently released survey of more than 900 IT professionals in seven countries, including the UK, found that 67 percent of organisations were using two or more tools to manage privileged accounts. This indicates widespread inconsistencies between organisations’ approaches to privileged account management.

Privileged accounts are a primary target for a range of cyber adversaries, including cyber criminals and state actors. Once a system is compromised, adversaries will seek out users with elevated privileges to facilitate further movement across the corporate network. One way they do this is by locating files containing plain text user credentials, which are used to silently move across the network in pursuit of further exploitation or malware deployment. Secondary attacks are likely to result in financial and reputational impacts for the victim organisation.

It is important that organisations implement consistent best practices for privileged access management without creating roadblocks that hinder work getting done. For NCSC mitigation advice on managing user privileges see '10 Steps: Managing User Privileges'.

Social media users targeted by supermarket voucher scam

Security researchers, Action Fraud and numerous UK supermarkets are warning customers of fake messages claiming that they will get vouchers worth up to £250 if they complete a survey. The messages are sent on WhatsApp, Twitter and Facebook, as well as via text and email. They encourage users to click on a link that looks like a supermarket’s legitimate website address.

The addresses are in fact fakes, with letters replaced by very similar-looking accented characters, or homographs – for instance, substituting the letter ‘d’ with ‘ḍ’ or ‘đ’ to produce an address such as ‘asḍ’ instead of the legitimate one. Since most people will be reading these messages on small smartphone screens, these homographs will often be difficult to spot.
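As an added illustration of the substitution described above (example code, not part of the NCSC report), the following Python check reduces each domain label to a plain-letter 'skeleton' by stripping combining marks and mapping a few look-alike letters, then compares it with a trusted brand label; the brand label 'asda', the look-alike table and the hostnames are constructed sample values.

```python
import unicodedata

# Constructed fallback table for look-alikes that NFKD does not decompose:
# stroked letters such as 'đ' (U+0111) are distinct letters, not 'd' plus a
# combining mark, so normalisation alone will not reveal them. Hypothetical
# and deliberately short; a real check would use Unicode's confusables data.
STROKE_LOOKALIKES = {"đ": "d", "ð": "d", "ł": "l", "ø": "o", "ŧ": "t"}


def skeleton(label: str) -> str:
    """Reduce one domain label to a plain 'skeleton' for comparison with a brand.

    1. NFKD splits accented letters: 'ḍ' (U+1E0D) -> 'd' + U+0323 (dot below).
    2. Combining marks (category Mn) are dropped, leaving the base letter.
    3. Stroked look-alikes are mapped via the constructed table above.
    """
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.category(ch) == "Mn":
            continue
        out.append(STROKE_LOOKALIKES.get(ch, ch))
    return "".join(out)


def analyse_host(host: str, trusted_brands: set) -> dict:
    """Describe why a hostname looks like a homograph, or return {} if it is clean.

    trusted_brands holds plain-ASCII labels to protect (constructed sample: {"asda"}).
    A label is flagged when its skeleton equals a trusted brand but the label itself
    does not, i.e. the brand has been spelt with look-alike characters.
    """
    findings = {}
    non_ascii = sorted({c for c in host if ord(c) > 127})
    if non_ascii:
        findings["non_ascii"] = non_ascii
        # The IDNA/punycode form is what DNS actually resolves; an 'xn--' prefix
        # makes the disguise visible even where the glyphs look identical.
        findings["punycode"] = host.encode("idna").decode("ascii")
    for label in host.lower().split("."):
        sk = skeleton(label)
        if sk in trusted_brands and label != sk:
            findings["impersonates"] = sk
    return findings


if __name__ == "__main__":
    # Constructed sample hostnames in the style of the scam described above.
    for h in ("asda.example", "asḍa.example", "asđa.example"):
        print(h, "->", analyse_host(h, {"asda"}) or "no findings")
```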

If the victim clicks on the link, a survey will appear asking for their personal financial information. Once completed, the victim is told they will receive a £250 voucher if they send the survey to another 20 contacts. This makes the scam appear more plausible, as people are more likely to respond to a message from a trusted contact rather than a random number.

Supermarkets are advising customers to delete these messages and not to pass them on. If in doubt, look on the supermarket’s legitimate website and search for any vouchers, or manually type in the supposed address of the offer and see if that page exists.

Phishing emails (such as the ones in last week's Threat Report about false speeding fines) and fake offers such as these can be very convincing, and therefore difficult to spot. However tempting it may be to click on the links, take time to think about it. If an offer looks too good to be true, then it probably is!

Further information about phishing can be read here, and the 28th April 2017 Threat Report discusses homographic phishing attacks.

The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.
