Tag Archives: Phishing

Security News for the Week Ending November 26, 2021

Tesla Locks Owners Out of Cars – On Accident

Hundreds of Tesla owners got locked out of their cars when a server that powers the Tesla app crashed due to load. Apparently those owners forgot there is such a thing as a car key. The outage lasted about 5 hours and Elon Musk later tweeted that they would work to avoid this in the future. This doesn’t happen often; just a reminder that no tech is perfect. Credit: The Guardian

The Zelle Fraud Scam – Don’t Fall Victim

The Zelle fraud scam starts with a fake text message that asks if you made a Zelle payment in the amount of $X. If you respond to the text with anything, you will get a call from the scammer pretending to be your bank. The scammer asks for your online banking USER NAME (not password) and the hacker then does a password reset, asking you for the PIN that your bank sends to do the password reset. And then empties your bank account. For more details, see the Brian Krebs account of the attack.

Microsoft Says Attackers Don’t Bother to Brute Force Long Passwords

A Microsoft engineer analyzed over 25 million password attempts against a honeypot of SSH servers and discovered that 77% of the attempts to brute force a password used passwords of 7 characters or less and only 6% used passwords of over 10 characters. Also, only 7% of the attempts used a special character. This gives users some parameters for constructing passwords. Credit: The Record

US Sanctions 28 Quantum Computing Companies in China, Russia, Pakistan and Japan

The US continues to work on protecting our technology from foreign bad actors. The Commerce Department added 28 companies in multiple countries as a risk to the US. These sanctions prohibit US companies from dealing with these organizations. Given that quantum computing is a strategic technology for everyone, we do not want to accidentally be helping the bad guys. For a list of these companies, check out this article.

Israel Bans Sales of Hacking Tools to 65 Countries

In the wake of all of the negative press that Israeli hacking tools company NSO Group is getting, including being banned in the US, Israel reduced the list of countries that companies like NSO can sell to from 102 to just 37 countries. See the list here.

India to Ban Almost All Private Crypocurrencies

India is about to ban almost all private cryptocurrencies. A new bill will create a framework for an official digital currency, to be issued by the Reserve Bank of India. Included in the ban would be Bitcoin and Ethereum. Effectively, if this bill becomes law non-fiat cryptocurrency would cease to exist in one of the world’s most populous countries. Credit: Euronews

Security News for the Week Ending December 4, 2020

France Says it is Going Ahead with Digital Tax

France has been complaining that U.S. companies (mostly) have not been paying their fair share of French taxes since they are not selling widgets that delivered in France, so they came up with this digital tax, a 3% tax on digital services delivered in France. They held off for a while trying to get some sort of international tax agreement, but that does not appear to be happening, so they are moving forward with the tax. Only affects companies doing business in France with revenue more than 25 million Euros. Is this the wave of the future? Credit: Cybernews

FCC Chairman Pai to Step Down on Jan 20

Ajit Pai announced that he will step down from the FCC on inauguration day rather than having the new President fire him, which is almost guaranteed. Pai, a former telecom industry lawyer and lobbyist, said that he may try to create some rules in his remaining two months in support of the President’s efforts to hurt Facebook, Twitter and similar companies. Those rules would likely be reversed on the day after inauguration, so it is not clear why he would waste taxpayer money doing that, but that is Washington for you. Credit: CNBC

How Many Phishing Sites?

Since the beginning of this year, Google has flagged 46,000 web sites EACH WEEK as phishing sites. That is over 2 million so far, this year. This is a 20% increase over last year and the year is not over. Hackers can buy as many sites as they want, but, in part, they are looking for “look alike” sites – sites with a zero swapped for an Oh or an “L” swapped for a “1”. But also, they just take over sites with bad security. There is almost no way to track that, but I can say from personal analysis, that there are way more of the second kind than the first kind. Credit: KnowBe4

Docker Malware – Its a Thing

Docker containers are the darling of the development world – light weight and easy to deploy; self contained and OS agnostic, supported in the cloud – everything that developers want.

Three years after the first Docker malware showed up, it is now common. Malware gangs are now targeting Docker and Kubernetes.

Many of the attacks – surprise – are due to misconfigured Docker servers, leaving them exposed to attack. It appears that we in IT never learn. Just because tech is delivered slightly differently, the basics still apply.

To make a point, researchers looked at images publicly available in the Docker Hub. 51% had critical vulnerabilities and 6,500 of the images tested could be considered malicious.

You can wait until you are compromised or you can get ahead of the freight train. Credit: ZDNet and Dark Reading

Even Before Dust Settles on Swiss/CIA Deal to Subvert Encryption …. Another One

Even before all of the investigations are complete of the CIA’s compromise of Crypto AG and selling compromised encryption hardware to both our friends and enemies so we could spy on them, another story surfaces. Apparently Crypto AG was not the only one. Now the Swiss media is reporting that the CIA controlled another Swiss crypto company, Omnisec. The Swiss politicians are going crazy and calling for executions in the public square. Stay tuned, but assume your crypto has been compromised. By someone. Credit: Security Week

Very Creative Phishing Attack

It all starts with a calendar invite, but there is a setup. The con is that your bank account has been compromised and you need to fix it.

The attack starts with an email titled (like) “Fraud Detection from Message Center”. This part of the attack uses a real but compromised Office 365 account, complete with legit email security like DKIM and SPF.

The invite is hosted on the real Office 365 Sharepoint.com and contains a link. Clicking on the link causes another relatively simple document to open with another link.

Since hackers are equal opportunity crooks, when the user clicks on this link, they get transferred to a phishing site hosted at Google where the user is presented with a very convincing Wells Fargo site page.

The user is then prompted for the login information, PIN, various account number details and email credentials.

Assuming the user falls for all of this, they are taken to a legitimate Wells Fargo login page designed to make the user think the account was secured, when in fact, the user just gave the hacker the keys to the cookie jar. And likely all of his or her money.

According to the security vendor (Cofence), this is not the first time that hackers have used Google’s infrastructure to host malware. Credit: SC Magazine

So what should you be doing?

Education. Education. Education.

Anti-phishing training should be a requirement at all companies and for all employees. At the low end there is free training, but for most companies, there is a moderate cost solution that is highly effective.

Some companies send the same phishing email to everyone, maybe once a quarter. That is not an effective approach to train employees. The program needs to be much more active in order to be effective.

As you can see from the sophistication of the attack above, the hackers are working overtime to steal your money.

You need to work equally hard to protect it.

If you need help with your anti-phishing training, please contact us.

Security News for the Week Ending May 8, 2020

The Contact Tracing Horror Begins

The UK is now saying that all of the contact data that they are collecting from the app people install on their smart phones – that data may be kept by the government forever and no, you can’t ask them to delete it. Credit: The Register

Singapore will require smartphone checkins including people’s national identity number at all businesses. People have to both check in and check out. But, not to worry, it will only be used by “authorised” people. Not only will you have to do that when you enter a business, but also when you go to the mall or the park. Credit: The Register

And India made contract tracing app mandatory in ‘hot-spots’, which could be a problem given that half the population does not own a smart phone. Credit: The Register

Governments have found a great new source of data to mine and sell.

Hackers Have Figured Out How to Make a Plane Go Up or Down at up to 3,000 feet a minute

TCAS, the collision avoidance system that the aircraft industry and governments have adopted to ‘discourage’ planes from crashing into one another by telling two planes that are close to one another to move in opposite directions from each other, is, apparently, susceptible to hacking.

The hack works by presenting phantom data to a plane that it is about to collide and needs to dive or climb. Some TCAS systems can even take over the controls. As I recall, TCAS has no security protocol as part of the system and just trusts the data it receives.

While technically pilots can disable the system to mitigate the risk, we saw how well that concept worked with the now-grounded 737 Maxs. Pilot tend to trust their instruments way more than they should. Credit: The Register

Hacking Campaign Targets 900,000 WordPress Sites

Hackers targeting WordPress sites that are not current on their patches. Wordfence security saw 20 million attack attempts on over a half million servers on May 3rd alone. The attack redirects visitors to malvertising and administrators get to deploy a free backdoor for the hackers. If you are not running Wordfence on your WordPress site, do that now. If you are not current on your patches, well, it might be too late. Credit: Bleeping Computer.

Covid-19 Themed Phishing Subjects

As Coronavirus becomes the topic of the day, hackers are using themes like these:

  • Because of COVID-19, payroll is making adjustments and we need to update account information (see hyperlink)
  • Your office location is closed, please remote in today (see hyperlink)
  • Al employees are asked to sign in (see hyperlink) and update their wellness status
  • Relief donations are being solicited (see hyperlink)

Now would be a good time to up your anti-phishing training, but be understanding that this is likely a stressful time for employees. Credit: NCMS mailing list

Ransomware. Ransomware. Ransomware

New York based law firm Grubman Shire Meiselas & Sacks, who represents dozens of A-List artists such as Madonna, Lady Gaga, Elton John, Robert de Niro and many others was hacked by the Sodinokibi ransomware group.

The hackers claim to have stolen over 750 GB of data and has published snippets of a number of documents. This hacking group is very financially successful. Given who the clients are, money is not an object and their ability to sue this law firm out of existence is also probably a good guess.

I suspect a ransom payment will be made. Not in Bitcoin – too traceable. These guys only accept Monero.

For companies that store any kind of sensitive information, this is a heads up. We are hearing about this happening (stealing your information and demanding a ransom not to publish it) every single day. Good backups will not protect you from this type of attack. Credit: Bleeping Computer

Massive Docusign Phishing Attack After Breach

Docusign is one of the major eSigning providers in the country.  eSigning allows customers to electronically sign documents instead of having to go somewhere to place a pen on paper and sign those documents with ink.  As a result of this convenience, eSigning is extremely popular.  It is used in every industry vertical where document signing is a part of the process.

Docusign noticed an uptick in phishing emails targeting its customers this month.  The emails targeted existing customers of Docusign.   Docusign says that they have 100 million users in their system.

Initially they thought that this was just another of many generic phishing attacks, but they soon realized that the hacker had too much very realistic information.  Docusign had been hacked.

The company discovered that what they call a non-core system had been compromised and their customer list taken.  At this time the company says that no financial information or signed documents were taken, but what was taken – names and emails – allows attackers to launch a very targeted attack against Docusign customers.

The way the attack works is that the customer receives an email that looks strikingly like a real Docusign request EXCEPT that it is asking the user to download and open a Word document – something that Docusign does not do.  Of course, most Docusign customers do not know this.  If they do open the document and follow the rest of the instructions from the attacker, the user’s system is now compromised.  The attacker can do whatever he or she wants to do.

While this campaign uses a Word document, the next campaign could use something else – maybe a malicious URL.

For companies that use any eSigning technology, it appears that now would be a good time to educate your users about what a legitimate eSign request looks like and what an eSign phishing attack looks like.

For the mortgage industry, which is a big user of eSign technology, this is just another attack vector.  Just like the industry has set up processes to warn its clients about fake wire transfer requests, it looks like the industry now has to warn its clients about fraudulent eSign requests.  Today it is Docusign;  tomorrow is could be any Docusign competitor.  In fact, any mortgage purchase or refinance client could be a target – eSign or not.  After all, clients are deluged with requests during the mortgage process and it is very hard for clients to know what is real and what is fake.

Another day, another opportunity.

Information for this post came from KnowBe4 and KrebsOnSecurity.

Phishing Still Works

CSO Magazine has a great piece on social engineering/phishing scams.  The article quotes both vendors that we resell – Wombat and KnowBe4.

Bottom line – the Verizon 2016 data breach report says that 30 percent of the phishing emails were opened compared to 23 percent last year.  12 percent clicked on the link.

If 12 percent of the folks in your company clicked on a malicious link, YOU. ARE. TOAST!

Stu Sjouwerman, CEO and Founder of KnowBe4, an anti-phishing and security education provider says that “a handful of competing cyber mafias are casting their nets wider and wider.”  What this means is that the bad guys have launched an all out assault and situations like the ones that I wrote about the last two days – one company closed its doors, the other lost north of $40 million  – are likely the tip of the iceberg.

One cyber mafia alone netted close to $100 million during the first half of 2016.  That’s a pretty good incentive to hack since it is all tax free.

McAfee recorded 1.3 million new ransomware samples in the first half of this year.

The most commonly successful phishes?

  1. It looked official. – Wombat, a competitor to KnowBe4, says that users are better at detecting personal phishing attacks but do poorly with work related ones.  I guess that is how the hack of Leoni worked.  Send an email from the CFO to accounting, asking them to wire $40 mil to the Czech Republic and DONE!
  2. You missed a voicemail.  Attachments that are designed to look like voicemail messages get people to click,.  And get their computers infected.  You click on it and they own your computer.
  3. Free stuff. People cannot resist free stuff.  Even stuff that they down’t want and won’t use.  if it is free, they want it.  Of course the hackers attach an extra prize to the free stuff.  Once that piece of malware is installed after you click, things won’t seem so free any more.
  4. Fake social media invitations.  LinkedIn, Facebook.  Whatever.  If YOU don’t have a FB or LI account then a scammer can create one using your name.  Then invite your friends.  Or maybe the fake account belongs to the CEO.  Who wouldn’t accept his invitation.  Now they can steal your information or get you to click on a malicious link.
  5. Social Media at Work.  If your company allows you to use twitter, etc.  Wombat says that employees missed an average of 31 percent of the social media question on their tests.  Since most organizations allow employees to use social media at work but a third of the time users cannot detect malicious activities, what does that say about keeping the bad guys out?

Part of it is that the bad guys are getting better.  Much better.  I look at some of the malware and it is very impressive.

What is an organization to do?

If you are not actively phishing your employees on a regular basis (at least once a month, if not more) with very realistic phishing emails, you are missing a training opportunity.  And the cost is very reasonable.  Contact us for details.

Information for this post came from CSO Magazine.