These Phishers Aren’t Even Making an Effort

Help Desk and Outlook are joining forces in a recent phishing scam. Ok, well they aren’t really, but phishers are using both in a scam that is making the rounds right now. However, if you take a few seconds to read the email that is sent from “IT-Service Help Desk,” you can spot the scam. And it does only take a few seconds. As opposed to some more recent sophisticated scams, in this case, the scammers aren’t even really trying.

There have been many warnings of late about how phishers are getting better and better at tricking us into clicking on malicious links and attachments in email, social media, and even text messages. Those warnings are still very valid. However, in a notice to staff and students at the University of Pittsburgh, a sample of a phishing email was included showing that sometimes the old and sloppy ways are still going on. All it takes is to read the greeting to pique suspicion. It starts with “Dear Staffs.”

The link in this email goes to a realistic looking Outlook login page that requests login credentials. Remember that your Outlook login credentials likely don’t just go to your email. Typically, they give you access to other areas of the network or to other accounts. Even if you think there is nothing in your email that is special enough for someone to want, there really is. If a cybercriminal can get your credentials to some server on the network, they can get to critical areas within the network, which is the ultimate goal.

Admittedly, people make mistakes when sending email messages, and a greeting could indeed have a typo. Even so, it should give you pause and make you look a little closer. In this case, the sender asks the recipients to click a link to update their account information. If they don’t, their email accounts will be blocked.

The textbook clues are there: typos, poor grammar and punctuation, and a sense of urgency. Often these days, those simple clues are missing. Some of the signs are the same, but others to look for have changed. Now the biggest indications that it might be phishing are merely that the email itself, a link, or an attachment isn’t expected or you don’t know the sender.

And if you are thinking, “why would anyone target me?” the answer is that they probably aren’t. They are merely taking a stab at a large group of email addresses hoping that someone will take them up on it. Unfortunately, someone likely will. Just be sure it isn’t you.

© Copyright 2017 Stickley on Security

We Are Still Not Great at Spotting Phishing Emails

The United States reports more phishing scams than any other country. Software as a Service (SaaS) company Diligent Corporation wrote that 156 million phishing email messages are sent out each day, with 16 million of them making it past spam and phishing filtering tools. In 2016, approximately 225,000 of these were sent out each month. To determine just how good we are at identifying these, Diligent surveyed over 2,000 people between the ages of 18 and 75, and the bottom line is that we are very poor at distinguishing real messages from fake ones.

Two dozen email messages were sent to survey respondents. The goal was to find out how successful the messages were at tricking them. The following percentages show how often respondents were tricked, based on various details in the message:

– 68.3% if the message appeared to come from a co-worker asking to schedule a meeting.
– 60.8% from a social media site.
– 37.6% from the file-sharing site Dropbox stating a file is being shared with the recipient.
– 26.7% from a software company requesting that an update to an account be made.
– 23.9% from a social media company asking for login details to be changed.
– 22.1% involved a court notice of some type.
– 16.6% were supposedly from banks requesting information in order to restore account access.
– 14.7% appeared to be from the IRS advising the recipients of a tax refund.

As can be seen here, it is not so easy to spot the scams. There are warning signs that, while certainly not a guaranteed giveaway, can give us a few clues:

– Spelling and grammatical errors
– Generic greetings, such as “Dear User”
– The sender is not familiar or the information inside the message doesn’t make a lot of sense
– Requests that make something seem very urgent or that are threatening, such as “if you don’t send money now, your account will be locked”
– Requests for personal or sensitive information
– Something that is too good to be true
– The web address or URL is odd or suspicious
– Requests for money, especially in the form of gift cards or wire transfers
– The details of the message are vague and require the recipient to click on a link or download a file in order to get the missing details

A good rule of thumb for determining if something should be clicked, opened, or personal details sent as a result of an email received is to use common sense. If it is sent from an unfamiliar sender, includes vague details, is unexpected, or just seems suspicious, trust that instinct and put the message in the trash. To verify or change any account details, just go directly to the website login.

Interestingly, the lowest success rate for the email messages was for those that claimed “you’re a winner.” Those duped fewer than 3%. The age group that was best at spotting the fakes was those between 45 and 54. The worst were those over 65, followed closely by those between 18 and 24.


Chinese Adware Annoys and Can Take Over Your Computer

We haven’t heard too much about annoying popup ads or malicious adware lately, but there is a story this week to whet our appetites. Researchers at Check Point have found a neat little program that not only pops ads up all over your screen, but also has the potential to be far more dangerous. So far, Check Point estimates that over 250 million computers have been infected with a malicious adware they are calling Fireball. Researchers tracked it back to a company in Beijing.

This neat little morsel will not only hijack your browser and change your search engine, but will also track your browsing and send the results to a digital marketing firm called Rafotech. Admittedly, it may not necessarily have been initially designed to be malicious, but the researchers discovered that it also installs a backdoor into all of the machines it infects that can potentially be used by whoever is behind it to run remote code, download other malicious files, steal information from the device, or make the device part of a botnet.

Adware alone isn’t necessarily malicious, even if it is really bothersome. However, it can often be used for ill intent. Earlier this year, Google Chrome was used as part of a click fraud scheme, and at the end of 2016, it was discovered that malware-as-a-service had been created and is being sold as a package that provides a quick turnkey solution for anyone wanting to get into that business. While adware is often used to market products and services en masse, it is also often used for exactly what Fireball has the potential to do.

Always have antimalware and antivirus solutions installed on all devices. It should just be automatic to do this whenever a new computer or mobile device is purchased or acquired. Keep them updated at all times and, to make it easier on yourself, enable the automatic update features. If you have downloaded this or another “potentially unwanted product” (PUP), use that antivirus product to get rid of it.

Be careful when downloading free products too. Check Point believes that this PUP was bundled with products called Soso Desktop or FVP Imageviewer, among others. These products aren’t particularly popular in the United States, but are well known in other countries, and it is likely that this same product is bundled with some type of freebie that is known in the U.S. and other countries. If there is an option to download add-on products included in software you are installing, make sure it’s unchecked to avoid things like downloading unwanted search engines.

Check Point estimates that one in five corporate networks around the world have at least one infection of Fireball. The number of anticipated infections in the U.S. is minuscule (5.5 million), relatively speaking. The bulk of them are in India and Brazil. Those two countries likely have 25 million infections each.

It’s not clear whether those behind Fireball are monetizing it, possibly by getting paid for click-throughs or whenever someone visits its customers’ sites. But that is just a side note to what this malware is about. The search engine uses results from Yahoo and Google, which could somehow contribute to that goal, but it can’t be verified at the moment.


Common Amazon Phishing Scam Getting Traction

It seems there is an uptick in a common phishing scam at the moment. Some people are reporting seeing several notices from a very popular online retailer claiming that a recent order has been cancelled. Fortunately, the scammers put in all the necessary information, making it very easy for users to simply click a link to check up on the order and give away login credentials at the same time. However, they also make it easy to see that it’s a fake.

The email messages come with “primitive” looking text stating that a recent order placed with Amazon was cancelled. It even includes a description of the item, which likely isn’t something the user ordered. When a popular movie or music album is released, for example, it’s common to see phishing spam with those purchases listed in emails like this one. The sender appears to be Amazon, but if you look at the actual address, replies go to an “amazoncomrade.com” address.

The point of this poorly done scam isn’t necessarily to convince anyone that it is indeed real. It is trying to scare people into thinking someone acquired their credentials. The hope of the attackers is that users will quickly click the included link and enter actual Amazon credentials.

Always take a few minutes to think about such messages if they do manage to make it past your spam filters and into the inbox. There is no reason whatsoever that an extra few minutes will make a difference. If you want to verify your orders, log in to your account directly from the site and make sure they reflect what they should. Don’t click links or attachments to verify account information, regardless of who the sender appears to be. Even if you are 95% sure it’s legitimate, don’t take chances. Just go to the site from a previously safe bookmark or another way you know is 100% safe.
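The textbook clues listed in the survey article (generic greeting, urgency, requests for credentials) and the mismatched reply address in the Amazon scam above can be checked mechanically. The following is an added example, not code from Stickley on Security; the brand-to-domain table and the sample message are constructed, and the `.invalid` domain is a reserved placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands a phisher commonly impersonates, mapped to the domain they really send from
# (assumed for this example; extend with the brands your users actually deal with).
TRUSTED_DOMAINS = {"outlook": "outlook.com", "amazon": "amazon.com"}

GENERIC_GREETING = re.compile(r"^\s*dear\s+(staffs?|user|customer|member)\b", re.I | re.M)
URGENCY = re.compile(r"\b(will be (blocked|locked|suspended)|immediately|within 24 hours)\b", re.I)
CREDENTIAL_REQUEST = re.compile(r"\b(login|password|credentials|account information)\b", re.I)

def _domain(header_value):
    """Return the lowercased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_domain_mismatch(msg, trusted=TRUSTED_DOMAINS):
    """True when the display name claims a known brand but the From or Reply-To
    address sits on a domain other than that brand's (the amazoncomrade.com trick)."""
    display_name, _ = parseaddr(msg.get("From", ""))
    claimed = [d for brand, d in trusted.items() if brand in display_name.lower()]
    if not claimed:
        return False
    for header in ("From", "Reply-To"):
        dom = _domain(msg.get(header))
        if dom and not any(dom == c or dom.endswith("." + c) for c in claimed):
            return True
    return False

def phishing_clues(raw_message, trusted=TRUSTED_DOMAINS):
    """Return the textbook clues found in a raw RFC 822 message, in a fixed order."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    clues = []
    if sender_domain_mismatch(msg, trusted):
        clues.append("sender domain mismatch")
    if GENERIC_GREETING.search(body):
        clues.append("generic greeting")
    if URGENCY.search(body):
        clues.append("urgency or threat")
    if CREDENTIAL_REQUEST.search(body):
        clues.append("request for credentials")
    return clues

# Constructed sample modelled on the "Dear Staffs" help desk message.
HELPDESK_SAMPLE = """From: Outlook IT-Service Help Desk <helpdesk@mail.invalid>
To: staff@example.edu
Subject: Update your account

Dear Staffs,

Click the link to update your account information. If you don't,
your email account will be blocked.
"""

if __name__ == "__main__":
    print(phishing_clues(HELPDESK_SAMPLE))
```

A message with no clues is not proof of legitimacy; the survey above shows well-crafted messages trip even careful readers, so this only flags the sloppy ones.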


Don’t Be Scared of the Internet; Just Follow These Guidelines

Even if you hate technology, it’s everywhere and it’s here to stay. In fact, the Internet of Things (IoT) is probably just going to get more prevalent. Therefore, it’s always a good idea to keep a few security tips in mind when turning on your mobile device or computer and hopping on the Internet.

Passwords

Strong passwords are not only highly recommended, but are also often mandatory these days. And it can be frustrating when that error pops up that yours doesn’t meet the minimum requirements, yet it doesn’t always let you in on what those are for a particular site.

A good guideline is that they should be eight characters and include a combination of upper and lower case letters, at least one number, and a special character, or several of them. Avoid using dictionary words or information that is private or easy to guess, such as birthdates of loved ones. Whatever you do, don’t use “football” or “password” as your password. Those are on the list of the worst but most used passwords for 2016. Unfortunately, “password” and variations of “1234567890” are also on that list. There’s a reason. They really are bad and definitely not strong.

In addition, every online account should have a unique user name and password combination. Rotate the use of your passwords. Change them as often as possible, but at least quarterly.

Use Multi-Factor Authentication

When multi-factor authentication (MFA) or two-factor authentication (2FA) is offered, take advantage of it. This means you will need to use more than one way to confirm your identity when logging into your account. Often it means receiving an email or text with a code that needs to be entered before the site will allow access. However, there are other ways this can be done as well. A newer and increasingly preferred method is to use a security key. It’s an actual piece of hardware, about the size of a house key, that you plug into your computer’s USB slot. It prevents unauthorized access to your accounts, because if you don’t have the key, you cannot log in. Sites such as Google and Dropbox support this technology.

Keep Software Updated

Know what operating system is on your computer. It will typically be some version of Microsoft Windows or Apple iOS. However, there are others as well, such as Linux. Keep it updated with the latest fixes and version updates so that it continues to be supported by the vendors.

Even if it isn’t reasonable or possible to update the operating system every time a new one is released, ensure that all critical and security updates are applied as soon as they are made available. Once the developer no longer supports an operating system or software version, it is time to update. Once a version is no longer supported, critical and security patches are no longer released for it, opening you up to far more security risks.

Install some type of anti-malware protection on the computer. There are many choices ranging from basic protection against viruses to more thorough solutions that act as personal firewalls. The price ranges are vast as well; from free to hundreds depending on individual needs.

Back Up Critical Files That Are Important to You

Get into the habit of backing up important files and programs. There are many ways these can be lost, including a hard drive failure, or accidentally executing ransomware that holds those files hostage until money is paid to a bad guy. Backups can be done easily to an external hard drive. Some are so simple that they just need to be plugged into the computer with a USB connection, and the drive just grabs the files.

Copying them to some type of cloud service is also an option. Many vendors offer this service and some provide a basic amount of storage space at no charge. The more space needed, the more it costs.

Do these backups regularly, depending on how often your data changes. The more recent the backup, the less rework is needed should the backed-up files need to be retrieved.

Security Tools

There are tools that help keep your information and equipment safe. Some are locks to keep a thief from walking off with the computer, and others are software solutions such as Virtual Private Networks (VPNs) and encryption software. Also, make sure popup blockers are switched on in each browser used when surfing the Web, and consider getting ad-blocking software. This will help you avoid accidentally clicking on malicious ads.

Review Social Media Profiles and Postings

Most who are skeptical of new technology, and particularly online technology, may not be as likely to use social media. However, even those who don’t like sites such as Facebook and Instagram may have a need to use business-related social media. Use caution, regardless of the website, about connecting with strangers. Not everyone really wants to be your friend or colleague.

Be cautious about your posts and profile information too. More and more often, that information is being harvested by hackers and used for spear-phishing and whaling attacks. These are targeted attacks with the intent of gaining specific information, such as W-2 data, or of convincing someone to make a wire transfer to a scammer’s bank account by posing as an executive.

Email

It is nearly impossible to be a consumer without using email. When opening email messages, be extra certain the sender is trustworthy. If there are attachments or links included, don’t open them unless you are certain it is absolutely safe. Take extra time to learn how to identify phishing email messages. This is the number one way in which malicious programs are let loose on computers.

There is plenty of information on products and safe browsing habits and it can even be found in books that can be physically held in hand. So, jump on in to the virtual world. While it can be overwhelming, as long as you maintain good cyber habits, you can lower your risk of becoming a victim of fraud or identity theft.


Recent Study Finds Social Media Passwords Just Don’t Get Changed

Social media can be a great way to connect to people. It can also be a great way for us to become connected to the cybercriminal world. Consider all of the information that we display in what is a public forum when we complete profiles on Facebook, LinkedIn, or Twitter. We post status updates on our days, how our kids are doing, where we are going or did go on vacation, and on LinkedIn and other business networking sites, we display where we work and often our roles and responsibilities. It’s easy to see who our colleagues are as well. This is how the cybercriminals take advantage of us.

Phishing and spear-phishing are rampant, and it doesn’t take a rocket scientist to perpetrate a phishing scam. In fact, various scams come wrapped up for sale in neat little packages these days. They can attempt to get online account credentials using forms that pop up on a screen, or download malware to your computer in the background just because you clicked a clever link on Facebook. They can also spear-phish for W-2 information or convince someone to wire funds to a criminal’s bank account.

Always be aware that these scams and attacks are taking place all the time. If someone gets a password from a social media account, significant damage can be done. You’ve likely seen warnings from friends that their accounts were “hacked” and that whatever that last embarrassing post was, it really wasn’t from them. But that is the least of the trouble that can ensue. Consider what can happen if someone takes over your social media account and sends a malicious link to everyone connected to you. Not only will it annoy your friends and colleagues, but it’s also a very efficient way for ransomware, for example, to affect a lot of people.

In February, the company Thycotic conducted a survey at the RSA Security Conference in San Francisco. It found that 53% of users of social media sites had not changed passwords in over a year. Even more startling was that 20% had never changed them at all. On top of that, 25% change their work passwords only when they are reminded or required to do so. In 2016, over 3 billion sets of user credentials and passwords were stolen. That calculates to around 95 every single second.

Changing passwords should be part of everyone’s regular routine, like changing batteries in the smoke detectors; only more often. Doing this will prevent them from being reused later in case of a release of old data, for example. Yahoo announced a couple of different breaches last year. Data was posted publicly on the company’s users that was from a few years earlier. A similar incident happened with Last.fm, MySpace, and Tumblr. If your password is changed often, then you won’t be caught out by situations like that.

In addition, always make sure you don’t include personal details in your passwords and that each one is unique to a corresponding online account. Password reuse really does happen and is being blamed more often these days. It was blamed for the UK National Lottery breach last year, as well as incidents with the music streaming service Spotify and the income tax company TaxAct.

Unfortunately, the security industry isn’t necessarily practicing what it preaches. The same Thycotic survey found that approximately 30% in that field are still using birthdates, pets’ and kids’ names, and addresses for their work passwords.
