SE Labs

Posts filed under 'Threat Intelligence'

Ransomware evolved – Persistent Ransomware Attack

A set of backups may no longer be enough

Ransomware infecting backup tape

A journalist asked us if we felt that ransomware attackers had evolved. But the truth of the matter is, there’s no need for them to do so judging by the large number of publicised cases in which they are able to achieve success without being too creative.

Read more >

SE Labs has been hacked…

And we’re really quite proud about it!

SE Labs has been hacked

Our tests are so close to real-life hacking that sometimes there is no practical difference between the two. We don’t usually expect to interact directly with cyber criminals, but it sometimes happens. In this case, our attacker was rude enough to spoil our initial analysis and to leave a sexually aggressive message for our team, too. SE Labs has been hacked!

For immediate context, if you’ve never heard of SE Labs before, we are a computer security testing organisation. We expose our test systems to all manner of horrible software and people, to judge how effectively different security products work. No customer data was lost in this story!

Read more >

Serial Hackers

How we run our Breach Response testing, and why

Breach response testing

In this blog post our CTO Stefan Dumitrascu explains some of the challenges behind our newly launched Breach Response testing, why things are now different (better) and the background on how we came to make some of our decisions.

One of our most exciting projects this year has been the Breach Response testing programme. In this article we explain what has changed since last year, and why.

Read more >

SE Labs Annual Report 2020

awards winners testing like hackers

Well, 2020 was an interesting year! Some of the largest and newest security companies were bought and sold…

The world descended into chaos thanks to a biological virus (while digital viruses continue to wreak havoc)…

And SE Labs launched a new website and started using machine learning in its testing.

We appreciate some of these things are more important than others…

However, in the face of adversity we must all carry on and we are proud to announce our second annual report, in which we review the unprecedented year of 2020, announce our annual awards winners and discuss testing like hackers.

Read more >

Email security: Is it any good against hackers?

World’s first in-depth, public test of security services vs. targeted attacks.

This email security test report is the product of two years of advanced threat research. We have worked with the security companies themselves and with their customers.  We have monitored what the bad guys have been doing and identified and replicated real-world email threats that affect everyone generally, and also specific types of businesses.

There is no report like this anywhere in the public domain. We are extremely proud to present the results here.

Read more >

SE Labs Annual Report 2019

SE Labs has been working at the core of the cyber security industry since its launch in 2016. We work with all of the major developers of IT security products as well as their main customers and even investors looking to increase their chances when betting on emerging technologies.

Read more >

Targeted attacks with public tools

Over the last few years we have tested more than 50 different products using over 5,000 targeted attacks. And there’s news, both good and bad.

In this article we will look at the different tools available, how effective they are at helping attackers bypass anti-malware products and how security vendors have been handling this type of threat for over a year.

Read more >

Network security appliances vs. Word and PowerShell

Over the last few months we have seen a surge in attacks using apparently innocent documents that install malware covertly on victims’ systems.

Unless you are running specialist monitoring tools, or very effective security software, you probably won’t see any symptoms of the attack.

The goals of these attacks are varied. In some cases they provide remote access to hackers. In others so-called cryptocurrency mining software is installed. These programs (ab)use your systems’ processing power in an attempt to generate cryptocurrencies such as Monero. The attackers get rich off your power bill.

While there are variations in how the attacks work, the typical path to compromise involves opening the document, which could be in Microsoft Word format, after which an exploit runs a PowerShell script. This, in turn, downloads and installs the malware.

In this report we investigate how effectively some very popular network security products are at handling these and other threats.

As usual, we have also thrown in some particularly devious targeted attacks that appear to be completely legitimate applications but that provide us with remote access to unprotected targets. When we gain this access we try to hack the target in the same way a real attacker would. This gives the security products the best chance of detecting and potentially blocking the bad behaviour.

The good news is that all of these products were able to detect many (if not all) of the threats. Some were able to block most, although complete protection is not guaranteed. As always, a layered approach to protection is best. For advice on which endpoint software to choose see our Endpoint Protection test results on our website.

Latest report (PDF) now online.

Hacked! Will your anti-malware protect you from targeted attacks?

2017q4-4717048

The news isn’t good. Discover your best options in our latest reports.

Latest reports now online.

Criminals routinely create ingenious scams and indiscriminate attacks designed to compromise the unlucky and, occasionally, foolish. But sometimes they focus on a specific target rather than casting a net wide in the hope of landing something interesting.

Targeted attacks can range from basic, like an email simply asking you to send some money to an account, through to extremely devious and technical. If you received an email from your accountant with an attached PDF or Excel spreadsheet would you open it?

Most would and all that then stands between them and a successful hack (because the email was a trick and contained a dodgy document that gives remote control to the attacker) is the security software running on their PC.

In this test we’ve included indiscriminate, public attacks that come at victims from the web and via email, but we’ve also included some devious targeted attacks to see how well-protected potential victims would be.

We’ve not created any new types of threat and we’ve not discovered and used ‘zero day’ attacks. Instead we took tools that are freely distributed online and are well-known to penetration testers and criminals alike. We used these to generate threats that are realistic representations of what someone could quite easily put together to attack you or your business.

The results are extremely worrying. While a few products were excellent at detecting and protecting against these threats many more were less useful. We will continue this work and report any progress that these companies make in improving their products.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Can You Hear Me?

index-7618371

Are cyber-scammers creating their own fake news stories to exploit? Jon Thompson investigates.

The UK media recently exploded with news of a new phone-based scam. Apparently, all that’s needed for fraudsters to drain your bank account is a recording of you saying “yes”. It runs as follows:

  1. Someone calls and asks if you can hear them
  2. They record you saying “Yes”
  3. They take your ID and money

What doesn’t ring true is the lack of detail between steps 2 and 3. How, exactly, do attackers use this snippet of audio without the rest of your identity? Myth busting site Snopes has the answer: they don’t. A good half hour of searching also failed to turn up a single verified victim of the scam despite a huge number of almost identical news reports warning people about it.

Whether it’s a hoax or not, it’s certainly easy to see how cyber-scammers can take advantage of the generated fear. Your “bank” calls, says you’ve been the victim of this very scam, and asks you to visit a special web site to enter your details and get your money back. Previous cybersecurity incidents certainly provide good evidence that such secondary scams may soon plague a phone near you.

Remember the TalkTalk hack of October 2015 and the scandalised headlines that followed? Four million customers were suddenly at risk, according to some ill-informed reports. The supposed Russian jihadist gang behind the attack was ransoming the purloined data. The Daily Express even reported that they were already raiding the accounts to fund their evil deeds.

The truth was far more mundane. A 17-year-old boy from Norwich had discovered an SQL injection using a vulnerability scanner, and syphoned off about 157,000 account records. However, with this data potentially in the wild, any attempted fraud experienced by TalkTalk customers was suddenly blamed on the hack.

In fact, telephone-based cyber-fraud is a numbers game. The more calls you make, the more likely it is that you’ll hit the right set of circumstances. It’s a brute force attack, and that’s exactly what the scammers started to do. Nearly 18 months later, they’re still finding ways to use the hack as a pretext to call unsuspecting customers.

talktalk_logo_0-9139318

At the time, some customers even reported that their broadband was being deliberately slowed by criminals, who then called them offering to fix the problem in exchange for visiting a phishing site and entering account details to get a special refund. Again, this is a numbers game: for every set of circumstances that make the scam work, there might be thousands of calls to people with the wrong broadband provider or who have no bandwidth problems. It’s never the precision spear phishing attack it’s reported to be by the bemused victims.

So, high profile hacks can subsequently spawn profitable campaigns for fraudulent callers keen to cash in on the chaos and fear. The problem is, juicy high profile hacks come along at random. What’s needed is something more dependable.

This brings us back to the supposed “Can you hear me?” scam. Several reports in the past few days on Who Called and other very active nuisance call sites have mentioned the scam in passing as something else to look out for, but none say that this was the focus of the call being reported. The story has begun to take on a life of its own, but without any direct evidence that the scam actually exists.

Could it be that scammers themselves have concocted and spread a fake news story, which they intend to subsequently exploit with a campaign? It’s not that great a leap of imagination, given the innovations developing in other areas of bulk cybercrime, such as ransomware. Only time will tell, but the next few months should be fascinating for both threat watchers and cyber-criminals alike.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press