The National Cyber Security Centre Finland’s weekly review – 8/2023

Information security now!

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 17–23 February 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.

TLP:CLEAR

Topics covered in this week’s review

  • Elderly friends dodge digital scams in the Think Twice campaign
  • Phishing messages impersonating the Kanta services going around
  • Key cyber security controls in industrial automation
  • Advertisements as channels for spreading malware
  • Critical online server vulnerability being actively exploited for data breaches

Elderly friends dodge digital scams in the Think Twice campaign

Finnish people lose tens of millions of euros to digital scams every year. The best way to avoid falling victim to digital scams is to learn how to identify them. In recognition of this, the Ministry of the Interior and Finnish police have launched a campaign aimed at teaching people to think twice to avoid digital scams.

The NCSC-FI considers the campaign to be an important contribution to Finnish cyber security and efforts to prevent online fraud.

“Raising people’s awareness and reaching the general public are difficult and time-consuming tasks. There are a lot of people to reach in Finland, any one of whom can end up being targeted by scammers. As such, the police’s Think Twice campaign is needed now more than ever,” praises Information Security Advisor Juha Tretjakov from the NCSC-FI’s scam and phishing monitoring group.

Phishing messages impersonating the Kanta services going around

Personal data are a valuable commodity for criminals, as exemplified by the fact that there are once again phishing messages going around in Finland impersonating the My Kanta service. Various kinds of My Kanta scams tend to pop up every now and then, with some having different variants for different channels, such as search engines, SMS and email. The messages may contain a link to a website that closely resembles the actual kanta.fi website. If you enter your credentials on the fake website, they will end up in the hands of criminals. Recently the NCSC-FI has also been receiving reports of phishing messages that directly ask the recipient for their personal data.

The email phishing messages currently going around ask the recipient to send a picture of their personal identity documents, such as a driving licence, passport, national identity card or residence permit. The reason given is that the recipient’s account has been locked, but can be unlocked with a picture of an ID document. The messages are written in fluent Finnish, and the sender’s email address has been spoofed to look like the address used by the customer service department of My Kanta services.

It is important to remember that the Kanta services will never ask you for your personal data via text message or email. If you have mistakenly sent a picture of your personal identity documents or disclosed your personal data to a scammer, proceed as follows:

  • File a police report.
  • Monitor your invoices and accounts and contact your bank if you notice someone making purchases in your name.
  • If you feel the need to discuss the matter with someone, Victim Support Finland can help.

The five most important cyber security controls in industrial environments

There are never enough resources available to manage cyber security perfectly. How, then, can you make sure that the cyber security controls you decide to employ actually provide sufficient security? This is a particularly tricky question in industrial environments, where digital technology is a critical part of production. The most serious risks in production environments are unexpected stoppages and losing control of the production process. Because of this, the priorities for industrial environments differ markedly from those of conventional information technology security.

Luckily, the issue has been analysed by several parties, who have also published guidance on good practices. The NCSC-FI has also just released a set of guidelines in which we combine recommendations from the publications of several national authorities and information security firms and supplement them with our own experiences. The key points are:

  • preparedness for incidents
  • a system architecture designed with resilience in mind
  • transparency in production environments
  • secure remote operation
  • risk-based vulnerability management

Read more about the information security controls of industrial automation.

Advertisements as channels for spreading malware

The volume of online advertising has more than doubled during the last five years. According to an estimate by Statista, an online portal specialising in international statistics, this growth shows no signs of stopping, with the annual value of online advertising expected to exceed one trillion dollars in 2027. It is safe to assume that the volume of malicious advertising will also keep growing at a similar, if not faster, pace.

Malware spread through advertising, or malvertising, can be roughly divided into two main categories. The first consists of advertisements that themselves contain malicious code. This code activates when the page loads and may, for example, probe for vulnerabilities in the software used to access the page. Examples of these types of attacks include various pop-up windows and other similar ‘warnings’ that give the user the impression that their device has been infected or is in need of updates. Often the user is then offered the opportunity to update their browser or prompted to carry out some other interaction that triggers the actual attack. More information on malvertising in this first category is available on the websites of Malwarebytes, Fortinet and CrowdStrike.

The second category consists of attacks that exploit Google and other digital advertising platforms. For example, criminals can purchase an advertisement to be displayed in Google’s search results so that their scam website is raised to the top of the results, above genuine websites. These scam websites can be spoofed versions of software download pages, for example, with the aim of getting users to download and install malicious or manipulated software on their computers. The United States Federal Bureau of Investigation (FBI) published a public service announcement about these types of attacks in December.

The warning published in 2021 by Finance Finland is also a good example of the manipulation of search results for online banks. This was another case where criminals attempted to raise very convincing but malicious websites above the websites of real online banks in search results.

Security instructions listed by Finance Finland:

  • Criminals have managed to slip their malicious websites into search engine results.
  • You should never sign in to your bank by searching for the name of the bank on Google. Instead, you should type the address of the bank in the browser’s address field.
  • Banks report that the scam websites are very convincing.
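Both the My Kanta phishing described earlier (a site that closely resembles kanta.fi) and the manipulated bank search results above rely on the user not noticing that the host in the address bar is not the genuine domain. The script below is an added example, not NCSC-FI code, of how a defender might triage reported URLs against a small allowlist of genuine domains. The allowlist (kanta.fi plus a placeholder examplebank.fi) and every sample URL are constructed for the example; the heuristics (brand embedded in another host, a brand in the userinfo part, a few edits away from the real domain, punycode homoglyphs) are general lookalike checks rather than anything specific to these campaigns.

```python
"""Flag URLs whose host imitates a known legitimate domain.

Added, illustrative code (not NCSC-FI material). The allowlist and all
sample URLs below are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the genuine domains users should type themselves.
# examplebank.fi is a placeholder, not a real bank.
LEGIT_DOMAINS = ("kanta.fi", "examplebank.fi")

# A registrable domain at most this many edits from a genuine one is flagged.
MAX_TYPO_DISTANCE = 2

# Constructed sample input, one URL per case the heuristics handle.
SAMPLE_URLS = [
    "https://www.kanta.fi/",                      # genuine subdomain
    "https://kanta.fi.secure-login.example/",     # brand as leading labels
    "https://kannta.fi/",                         # one-letter typo
    "https://kant\u0430.fi/",                     # Cyrillic 'а' homoglyph
    "https://kanta.fi@evil.example/",             # brand hidden in userinfo
    "https://www.google.com/",                    # unrelated site
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalise_host(host: str) -> str:
    """Lower-case the host and decode punycode (xn--) labels to Unicode so a
    homoglyph such as Cyrillic 'а' is compared as one differing character."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave undecodable hosts as they are
    return host


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: ignores multi-label public suffixes
    such as co.uk, which is fine for the .fi domains used here."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, legit_domains=LEGIT_DOMAINS) -> str:
    """Return a verdict string for one URL."""
    parts = urlsplit(url)
    if not parts.hostname:
        return "invalid"
    host = normalise_host(parts.hostname)
    reg = registrable_domain(host)

    # 1. The genuine domain or a real subdomain of it (www.kanta.fi).
    if reg in legit_domains:
        return "legitimate"

    # 2. https://kanta.fi@evil.example/ -- the brand is only the userinfo
    #    part; the browser actually connects to evil.example.
    userinfo = (parts.username or "").lower()
    if any(d in userinfo for d in legit_domains):
        return "lookalike: brand in userinfo"

    for legit in legit_domains:
        brand = legit.split(".")[0]
        # 3. kanta.fi.secure-login.example: brand embedded in another host.
        if brand in host:
            return "lookalike: brand embedded in host"
        # 4. kannta.fi / kantа.fi: a few edits from the genuine domain.
        if levenshtein(reg, legit) <= MAX_TYPO_DISTANCE:
            return "lookalike: typo or homoglyph"
    return "unrelated"


def classify_many(urls=SAMPLE_URLS) -> dict:
    """Classify a batch of URLs, e.g. links extracted from reported e-mails."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in classify_many().items():
        print(f"{verdict:36} {url}")
```

Anything other than "legitimate" is a review queue, not a verdict: short genuine domains will collide with the edit-distance check (a two-letter difference is common), so in practice the allowlist and the threshold are tuned per organisation, and the script is a first filter before someone looks at the page itself.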

Critical online server vulnerability being actively exploited for data breaches

This critical vulnerability enables access to an affected online server. It is already being actively exploited in network attacks.

CVE: CVE-2022-39952
CVSS: 9.8
Product: Fortinet FortiNAC versions 8.3–9.4
Fix: Update to the latest version
