These Phishers Aren’t Even Making an Effort

Help Desk and Outlook are joining forces in a recent phishing scam. Ok, well they aren’t really, but phishers are using both in a scam that is making the rounds right now. However, if you take a few seconds to read the email that is sent from “IT-Service Help Desk,” you can spot the scam. And it does only take a few seconds. As opposed to some more recent sophisticated scams, in this case, the scammers aren’t even really trying.

There have been many warnings of late about how phishers are getting better and better at tricking us into clicking on malicious links and attachments in email, social media, and even text messages. Those warnings are still very valid. However, in a notice to staff and students at the University of Pittsburgh, a sample of a phishing email was included showing that sometimes the old and sloppy ways are still going on. All it takes is to read the greeting to pique suspicion. It starts with “Dear Staffs.”

The link in this email goes to a realistic looking Outlook login page that requests login credentials. Remember that your Outlook login credentials likely don’t just go to your email. Typically, they give you access to other areas of the network or to other accounts. Even if you think there is nothing in your email that is special enough for someone to want, there really is. If a cybercriminal can get your credentials to some server on the network, they can get to critical areas within the network, which is the ultimate goal.

Admittedly, people make mistakes when sending email messages and a greeting could indeed have a typo. Even so, it should give you pause and prompt a closer look. In this case, the sender asks the recipients to click a link to update their account information. If they don’t, their email accounts will be blocked.

The textbook clues are there: typos, poor grammar and punctuation, and a sense of urgency. Often these days, those simple clues are missing. Some of the signs are the same, but others to look for have changed. Now the biggest indications that it might be phishing are merely that the email itself, a link, or an attachment isn’t expected or you don’t know the sender.

And if you are thinking, “why would anyone target me?” the answer is that they probably aren’t. They are merely taking a stab at a large group of email addresses hoping that someone will take them up on it. Unfortunately, someone likely will. Just be sure it isn’t you.

© Copyright 2017 Stickley on Security

Summer Is For Fishing And Not Phishing

Summer has arrived all around the northern hemisphere. Many of us prefer to jump up and head outside to enjoy the spoils of the season and that is certainly fantastic. However, scammers don’t honor the seasons. They will try to trick us with their own version of phishing all year round. As we go into relaxation mode, it’s still important to keep an eye out for attempted scams and particularly for the phishing that doesn’t involve a pole, a boat, or water.

Phishing is still the most common way, by far, that information is stolen and malware makes its way onto computers and mobile devices. It’s worth taking a moment to review the signs that an email message or phone call may be phishing for you.

  • A reward is offered, such as a gift card or some other freebie.
  • There is a sense of urgency, such as an account will be blocked or a punishment will occur if you don’t do something.
  • An attachment or link is included in an email that is unexpected or from an unfamiliar sender.
  • There is a request to open a file, click a link, or share something. If a form follows a click that asks for information to be entered or login credentials to be entered, it should be considered suspect.
  • The greeting and message are generic. If it doesn’t have any indication that the sender knows something personally about you, it could be a scam.
  • The sender’s email address is strange or unfamiliar. If you open it up by clicking it, you can see the entire address, not just the name.
  • A link inside goes to a web address that seems strange or unexpected. If you hover the mouse pointer over those links, you can see where it will take you.
  • A site asks for sensitive information, regardless of how you arrived at it, and the address isn’t preceded by “https:”
  • The caller on the phone starts asking for sensitive information such as passwords, login credentials, or payment card information.
  • A caller tries to scare you into providing or doing something.

Even if none of these indicators are present, it’s not a guarantee that the message isn’t phishing. However, the risk is significantly lower.
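Several of the signs above can be checked mechanically. The following is an added example, not part of the original article: it looks at the full sender address, the greeting, urgency wording, and whether a link's visible text matches where it really goes. The sample message, the `example.*` domains, the keyword lists, and the choice to treat any sender outside the organization's domain as unfamiliar are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message); the example.* domains are placeholders.
SAMPLE = """\
From: "IT-Service Help Desk" <helpdesk@mail.example.net>
Content-Type: text/html

<p>Dear Staffs,</p>
<p>Your email account will be blocked unless you update it immediately.</p>
<p><a href="http://login.example.net/outlook">https://outlook.example.edu/owa</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw, org_domain):
    """Return the warning signs found; an empty list does not prove a message is safe."""
    msg = message_from_string(raw)
    body, found = msg.get_payload(), []
    # Look at the full sender address, not just the display name.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != org_domain and not domain.endswith("." + org_domain):
        found.append("external-sender")
    if re.search(r"\bdear\s+(staffs?|users?|customers?|members?)\b", body, re.I):
        found.append("generic-greeting")
    if re.search(r"\b(blocked|locked|suspended|immediately|urgent)\b", body, re.I):
        found.append("urgency")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme != "https":
            found.append("link-not-https")
        # "Hover" check: the address shown in the text differs from the real target.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown != target.hostname:
            found.append("link-text-mismatch")
    return found
```

Calling `phishing_indicators(SAMPLE, "example.edu")` flags all five signs for the constructed message.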

It’s unlikely anyone will give up the Internet for the summer, nor is it expected. So just be sure to stay on your game for spotting phishing, so you don’t take the bait.

© Copyright 2017 Stickley on Security

Fall Back in Love With Your Home

Many of us reach a point where we begin to feel a little blah about our home, but moving is not always an option. Here are some tips on how you can get a “new” home without a new mortgage—and increase your home’s value.

Little changes can have a big impact

A home makeover does not have to involve spending big bucks. Things like painting walls, changing light fixtures and knobs, and adding curtains and plants can give your home a completely different look for only a few hundred dollars. Rearranging furniture, artwork, and knick-knacks can also freshen things up, and the only cost is a little time. If you have some items that you are tired of but are in good condition, you may be able to arrange a swap with a friend. Perhaps he or she has been eying your table, which clashes with your other furniture, while you would not mind having theirs instead.

Expand

If you are feeling cramped, paint and new curtains are not going to solve the problem. Converting an unfinished attic or basement can be a great way to get extra space at a fraction of the cost of building an addition. For either project, you can expect your home’s value to increase by around 70% of what you spend, which is not that bad as far as remodeling projects go. Adding a deck is another fairly simple way to increase your space. If you are hiring a contractor, be sure to get quotes from at least three and check their complaint history with the Better Business Bureau (www.bbb.org).

Make the most of what you have

What if you have no cash to finish your attic or basement—or do not have an attic or basement? There are many ways that you can make your space seem bigger without actually increasing your square footage. The cheapest—although perhaps least fun—thing you can do is clean and throw away, donate, or sell anything you don’t need. (If you have not worn or used it in a year, you probably do not need it.)

If you have a little cash to spare, you can buy organizational tools, like shelves and hooks, or furniture that provides extra storage space, such as a coffee table or bed with drawers. If your space is especially challenging, consider hiring a professional organizer. He or she may come up with some creative solutions to your space and interior design issues.

BALANCE

Sporting Events on a Budget – It’s Possible with a Plan

Season ticket holder or first timer, watching your team take the field or visiting new teams in a different venue, gripping your seat tightly during the finger-biting last minutes of a close game or cheering on a decisive win – sports can certainly be some of the best entertainment possible.

Whether you enjoy baseball, football, soccer, hockey or any other sport, the roaring crowd, sights and smells that fill a stadium have something to offer everyone. A little planning can help keep your costs under control, and you can apply the ideas below to almost any sporting event.

Save money on the tickets. You may be sticking with your home team through thick and thin, but you can still look for ways to save money. Avoiding the most popular games, such as those on the weekends and when you’re playing against big-name teams, can be helpful. To further maximize your savings, consider the following tips:

  • Find tickets on reseller websites. Buying tickets from a scalper could save you money, but it also opens you up to the possibility of getting scammed. Instead, you could look for secondhand tickets on legitimate reseller websites that verify authenticity and guarantee your purchase.
  • Connect with a season ticket holder. Try to connect with a season ticket holder who can’t make a game and offer to buy their tickets. Even if they’re going to the game, a season ticket holder might be able to get you a good deal. For instance, Major League Soccer (MLS) season ticket members can sometimes get a discount on additional tickets.
  • Check for an employee discount. Some companies offer their employees discounted tickets to sporting events as a benefit. Government employees and current military members or veterans may also be eligible. However, sometimes you can only choose from a limited list of games.
  • Join the fan club. Becoming a member of a team’s official fan club can cost $20 to $40 a year and could more than pay for itself with discounts on tickets or gear and access to special events.
  • Go during the preseason. Preseason tickets can be especially cheap. In 2016, you could buy preseason NFL tickets for less than $10. You may not get to see your favorite players on the field, but you could still save money while spending quality time with your kids or friends.
  • Try the minor league. A minor league game can be a fun alternative to a major league game. Some of the teams have an enthusiastic and loyal fan base and the stadiums are often smaller, which lets you get closer to the action. The extras, like parking and snacks, are often cheaper as well.

Timing your purchase can also be important. If you suspect a game will sell out, it may be better to buy early than risk having to pay above face value on a reseller site. With less popular games, ticket prices tend to drop as game day approaches.

Compare transportation options. Public transportation isn’t a guaranteed money saver if you’re going with a large group. Carpooling or splitting the cost of a ride from a car-sharing app could be cheaper. If you’re driving, look for off-premises parking lots. You may need to walk a bit, but you’ll also be able to save money and might avoid some of the post-game traffic.

Eat before and bring snacks. Everyone knows stadium food is expensive and filling up on a big meal before the game can help you avoid cravings. Unbeknownst to some fans, stadiums might let you bring in outside food. However, there’s often a strict bag policy, which could limit the size of your bag and may require bags to be transparent. Check the stadium’s policy closely and call the team’s office if you need clarification.

Bottom line: A sporting event can be a wonderful way to build memories and spend a day with your friends or family. However, the expenses from a single game can quickly stack up if you’re not careful. Luckily, there are many ways to save money on tickets, transportation and food and still have a memorable experience.

by Nathaniel Sillin

We Are Still Not Great at Spotting Phishing Emails

The United States reports more phishing scams than any other country. Software-as-a-service (SaaS) company Diligent Corporation wrote that 156 million phishing email messages are sent out each day, with 16 million of them making it past spam and phishing filtering tools. In 2016, approximately 225,000 of these were sent out each month. To determine just how good we are at identifying these, Diligent surveyed over 2,000 people between the ages of 18 and 75, and the bottom line is that we are very poor at distinguishing real messages from fake ones.

Two dozen email messages were sent to survey respondents. The goal was to find out just how successful they were at identifying email messages designed to scam them. The following percentages show how often respondents were tricked, based on various details in the message:

– 68.3% if the message appeared to come from a co-worker asking to schedule a meeting.
– 60.8% from a social media site.
– 37.6% from the file-sharing site Dropbox stating a file is being shared with the recipient.
– 26.7% from a software company requesting that an update to an account be made.
– 23.9% from a social media company asking for login details to be changed.
– 22.1% involved a court notice of some type.
– 16.6% were supposedly from banks requesting information in order to restore account access.
– 14.7% appeared to be from the IRS advising the recipients of a tax refund.

As can be seen here, it is not so easy to spot the scams. There are warning signs that, while certainly not guaranteed giveaways, can give us a few clues:

– Spelling and grammatical errors
– Generic greetings, such as “Dear User”
– The sender is not familiar or the information inside the message doesn’t make a lot of sense
– Requests that make something seem very urgent or that are threatening, such as “if you don’t send money now, your account will be locked”
– Requests for personal or sensitive information
– Something that is too good to be true
– The web address or URL is odd or suspicious
– Requests for money, especially in the form of gift cards or wire transfers
– The details of the message are vague and require the recipient to click on a link or download a file in order to get the missing details

A good rule of thumb for determining if something should be clicked, opened, or personal details sent as a result of an email received is to use common sense. If it is sent from an unfamiliar sender, includes vague details, is unexpected, or just seems suspicious, trust that instinct and put the message in the trash. To verify or change any account details, just go directly to the website login.

Interestingly, the email messages with the lowest success rate were those that claimed “you’re a winner.” Those duped fewer than 3%. The age group that was the best at spotting the fakes was between 45 and 54. The worst was over 65, followed closely by those between 18 and 24.

© Copyright 2017 Stickley on Security

Chinese Adware Annoys and Can Take Over Your Computer

We haven’t heard too much about annoying popup ads or malicious adware lately, but there is a story this week to whet our appetites. Researchers at Check Point have found a neat little program that not only pops ads up all over your screen, but also has the potential to be far more dangerous. So far, Check Point estimates that over 250 million computers have been infected with a malicious adware they are calling Fireball. Researchers tracked it back to a company in Beijing.

This neat little morsel will not only hijack your browser and change your search engine, but will also track your browsing and send the results to a digital marketing firm called Rafotech. Admittedly, it may not necessarily have been initially designed to be malicious, but the researchers discovered that it also installs a backdoor into all of the machines it infects that can potentially be used by whoever is behind it to run remote code, download other malicious files, steal information from the device, or make the device part of a botnet.

Adware alone isn’t necessarily malicious, even if it is really bothersome. However, it can often be used with ill intent. Earlier this year, Google Chrome was used as part of a click fraud scheme and at the end of 2016, it was discovered that malware-as-a-service had been created and is being sold as a package which can provide a quick turn-key solution for anyone wanting to get into that business. While adware programs are often used to market products and services en masse, they are also often used for exactly what Fireball has the potential to do.

Always have antimalware and antivirus solutions installed on all devices. It should just be automatic to do this whenever a new computer or mobile device is purchased or acquired. Keep it updated at all times and, to make it easier on yourself, enable the automatic update features. If you have downloaded this or another “potentially unwanted product” (PUP), use that antivirus product to get rid of it.

Be careful when downloading free products too. Check Point believes that this PUP was bundled with products called Soso Desktop or FVP Imageviewer, among others. These products aren’t particularly popular in the United States, but are well known in other countries and likely this same product is bundled with some type of freebie that is known in the U.S. and other countries. If there is an option to download add-on products included in software you are installing, make sure it’s unchecked to avoid things like downloading unwanted search engines.

Check Point estimates that one in five corporate networks around the world have at least one infection of Fireball. The number of anticipated infections in the U.S. is minuscule (5.5 million), relatively speaking. The bulk of them are in India and Brazil. Those two countries likely have 25 million infections each.

It’s not clear if those behind Fireball are monetizing it, possibly by getting paid for clickthroughs or whenever someone visits the sites of its customers. But that’s just a side note as to what this malware is about. The search engine uses results from Yahoo and Google, which could somehow contribute to that goal, but it can’t be verified at the moment.

© Copyright 2017 Stickley on Security