Anomali, provider of market-leading threat intelligence platforms, has today revealed the prevalence of suspicious brand spoofing and mass compromised credential exposures of the Financial Times Stock Exchange 100 (FTSE 100). Over the last three months, eighty-one companies in the FTSE 100 had potentially malicious domain registrations against them, enabling cyber criminals to create dummy websites that can be used to trick users into supplying private data. The report also discovered that 5,275 employee email and clear text password combinations from FTSE 100 companies were found on a number of sites from which they can be stolen, publicly published or sold. This leaves the UK’s largest businesses open to cyber-attacks and puts critical business content and personal information at risk.
The report, The FTSE 100: Targeted Brand Attacks and Mass Credential Exposures, reveals the total number of detected malicious domain names registered was 527 over the last three months, an average of five per company. These are instances in which a cyber attacker has created a domain name that is only slightly different from a company’s official domain name, which tricks users into clicking it and entering their data. From this point, a hacker can then sell the data or use it to access and attack a company’s network.
Additionally, the report discovered:
Most of the suspicious domains were registered using a Chinese address. The second most were from the US and the third most were from Panama.
The vertical hardest hit with suspicious domain registrations is financial services with 376, followed by retail at 175 and critical infrastructure at 75.
Jamie Stone, VP of EMEA at Anomali, said:
“Cyber-crime is rising at an astonishing rate, and it’s now a board-level issue for businesses. Nevertheless, the evidence gathered across our threat intelligence platforms demonstrates that some basic security measures are not being adopted or followed at some of the largest and most prominent companies in the UK. The results of the report should be a wake-up call for these organisations, highlighting just how vulnerable they are in ways they might not even have considered.”
Employees Put Businesses at Risk
FTSE 100 employees are using their work email and password combination for non-work-related websites, such as gaming sites. This creates a cyber security threat for companies when those sites are hacked and the credentials are made public. In fact, 5,275 compromised accounts, each an email address with an unencrypted password, were found on the Darkweb, paste sites or hacking forums, or had been posted through accidental exposure. Using this data, cybercriminals may be able to access corporate networks and potentially steal or tamper with sensitive information.
Significantly, out of the 5,275 FTSE 100 email and password combinations that were found to be compromised, the oil and gas industry accounted for 20%. This represents a worrying cyber security vulnerability as the 20- to 30-year-old industrial control systems grow more tightly interconnected with IT systems and Internet-connected devices.
On average, this means that 50 employees for each FTSE 100 company have had their email and data credentials exposed due to employees’ visiting non-work-related sites that have then been hacked by cyber attackers. For example, more than 40 corporate credentials across 23 companies were compromised in April when a major UK-based football website had its database dumped and exposed on the Darkweb, an encrypted network that holds the illegally stolen data.
“Understanding the importance of monitoring copies of brand domains and compromised employee credentials can’t be overstated. Companies must be able to make sense of the threat intelligence that is available to them so that it provides relevant, actionable data to their business. The ability to learn and understand the impact of these additional fake domains and gather metrics about how employees use their work-related credentials outside of the workplace is absolutely crucial to maintaining security across the business,” concluded Jamie Stone.
The focus of the FTSE 100 Threat Report is to provide reconnaissance on the Financial Times Stock Exchange 100 (FTSE 100 Index) to identify suspicious domain registrations and potentially compromised employee email accounts that could be used as part of an attack. This is the first in a series of reports to be published by Anomali Labs, the Research and Development arm of Anomali. The purpose of the report is not to disclose specific company names but rather to examine trends and heighten awareness of domain registrations and credential exposures as a valuable source of information and an early warning of a possible attack.