Relentless Spammers Phish Office 365 Users

Lately, it seems the spammers trying to phish for your Office 365 login credentials are working overtime. A barrage of phishing spam has been hitting inboxes, and this time it is relentless. The subjects change, the messages change, and they are becoming so polished in their phishing “artistry” that it is nearly impossible to tell whether they are real. Odds are, however, that they are most certainly NOT legitimate, so pay close attention and use your phishing detectors to weed them out of your inbox.

In the latest versions, the messages carry malicious links claiming that “an important document” is waiting at the other end, that your account will be suspended unless you click a link to update some details, or even that “Office 365 has flagged your Account, because of a violation of our Terms of Service.”

Always watch for signs of phishing:

1. Malicious email messages often arrive from legitimate email addresses.

It’s not difficult to create an email address at a well-known email service, or to make one look like a sender you know. Not long ago, a previous wave of attacks hit Office 365 users. These attacks will likely continue as more people start using the service.

2. Attackers take advantage of information they find on social media and elsewhere on the internet

All that information floating around on the Internet may be, and likely is, used against you in some way. In this case, it’s to spam your email address. Attackers can “harvest” personal data from social media sites like Facebook and LinkedIn to personalize their messages. Personalized messages are 40% more likely to get someone to click a link or open an attachment.

3. Still be on the lookout for typos and poorly written text and hover over links first

These phishers are getting quite “professional” at crafting messages. However, plenty of them still go out with typos, poor grammar and punctuation, or text that was clearly not written by a native speaker. You can also hover over any link to see where it actually goes. If it isn’t going where you expect, it could very well be phishing and you should definitely not click it. On mobile devices, you can hold your finger on the link for a few seconds and the full URL will appear. Just be sure to hold rather than tap, so it doesn’t actually open the site.

4. Expect the unexpected

When it comes to email messages, any link or attachment that hits your inbox should be met with suspicion if it was not expected. This applies even if it looks like it came from your colleague, a vendor, or your mother. If it has something to do with an account, rather than clicking a link or attachment go directly into your online account and check on status there. If it’s something else, take a minute to place a phone call, send a text, or pay a personal visit to the sender before taking action on the email.

5. If there is a threat or a sense of urgency, it may very well be phishing

Often scammers will try to create a sense of urgency in their messaging so users get anxious and just click something. Don’t let fear get the best of you. If it were so important that you couldn’t take a few minutes to examine it first, they would try to reach you some other way, such as by phone.

Phishing in all its forms (spear-phishing, whaling) continues to be very effective and can be quite lucrative for attackers. While it is always important to have security tools installed and kept updated on your devices, you will always be the final line of defense for phishing. So keep your eyes open and don’t fall for any of the Office 365 lures that may be coming your way.

© Copyright 2017 Stickley on Security

Phishing Through Homographs: You Might Not Be Seeing What You Are Actually Seeing

For those who primarily visit websites in English, we expect a letter or character in a browser URL to be exactly what it appears to be…and for the most part it is. There are exceptions now, and those exceptions are what allow phishers to trick us simply by getting us to visit a website. It has to do with the conversion between the Roman characters used in English and those that are not. The latter are what phishers are using against us as the Internet expands across the globe.

So far, researchers have found that Safari and Internet Explorer address this problem completely and those using these two browsers should be protected. Chrome addressed this in Chrome 58 (the latest version is Chrome 59). Firefox users however, are behind the curve and are still vulnerable to this.

A homograph is usually a word that is spelled the same as another but means something different. There are a lot of these in the English language: bass, bat, fine, lead, project, tear, wind, etc. In this particular case, the words are spelled differently but look the same when you see them in a website address. The problem lies with characters used in internationalized domain names (IDN). Some of those characters, such as Cyrillic or Kanji, aren’t among the original 26 Roman letters (plus the digits 0-9 and the hyphen) that domain names were built from, so they are not necessarily translated correctly when the address is converted and directed to a website.

Well, phishers are using this to their advantage and registering domains that appear legitimate when viewed in the browser address bar. One example of the conversion not working is “apple” written with Cyrillic characters rather than Roman ones. It converts to look exactly the same, but it isn’t the same. This means that someone who isn’t aware of this problem would be none the wiser that the site was malicious.
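The following script, added here as an illustration and not part of the Stickley on Security article, shows what the “apple” case looks like to a machine: the name the browser actually resolves is the punycode (xn--) form, and a label that mixes Cyrillic and Latin letters is the tell. It uses only the Python standard library (the built-in idna codec and unicodedata); the sample domains are constructed for the example.

```python
"""Flag internationalized domain names whose labels mix scripts, the pattern behind
look-alike ("homograph") phishing domains.  Standard library only."""
import unicodedata

# Constructed samples.  The second one is the article's "apple" case: its first
# letter is CYRILLIC SMALL LETTER A (U+0430), not LATIN SMALL LETTER A.  The third
# is a legitimate single-script IDN (Latin letters with an umlaut).
SAMPLES = [
    "apple.com",
    "\u0430pple.com",
    "m\u00fcnchen.example",
]


def script_of(ch):
    """Script name taken from the character's Unicode name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_punycode(domain):
    """The ASCII (A-label) form a resolver sees, e.g. 'xn--pple-43d.com'."""
    return domain.encode("idna").decode("ascii")


def analyse(domain):
    """Return the punycode form, whether the name is an IDN at all, and any labels
    that mix scripts (the strongest homograph signal)."""
    mixed = []
    for label in domain.lower().split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            mixed.append((label, sorted(scripts)))
    punycode = to_punycode(domain)
    return {
        "domain": domain,
        "punycode": punycode,
        "is_idn": punycode != domain.lower(),
        "mixed_script_labels": mixed,
    }


def verdict(domain):
    """Human-readable summary: mixed-script IDNs are treated as likely look-alikes."""
    r = analyse(domain)
    if r["mixed_script_labels"]:
        return "LIKELY HOMOGRAPH"
    if r["is_idn"]:
        return "IDN (single script)"
    return "plain ASCII"


if __name__ == "__main__":
    for d in SAMPLES:
        r = analyse(d)
        print(f"{d!r:24} -> {r['punycode']:28} {verdict(d)}")
```

The is_idn flag alone is not a warning sign: a German or Japanese domain is an IDN too. The combination of an xn-- form plus a label whose letters come from more than one script is what Chrome 58 started showing in punycode, and it is the check worth running on links in mail.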

So, if the displayed page is a clone of the legitimate page, the visitor has no reason to doubt its authenticity.

If you come across a site that asks you to install a new font, you might want to take a second look to make sure you didn’t make a typo. Try retyping the address to see if that dialog disappears. If not, there is a good chance you’re being phished or the site has been hijacked, and you may want to skip a visit to that site.

The positive side of this is that developers have figured out a workaround to allow international characters to convert in other browsers. This allows anyone who registers an internationalized domain name (IDN) to have the address shown in the native language for those who type it that way, such as with umlauts or kanji characters. This allows us all to be globally connected. And it works most of the time. Just beware of the few times it doesn’t. Make sure to update your browsers and keep all device software updated too.


Phishing Getting Even Better At Fooling Us With Replies

If you are a busy person, as we all are, it might be worth a little bit of time to study your email replies before clicking on anything within them. A recent Comodo Threat Intelligence Lab report describes a new iteration of the typical phishing email message. Instead of merely looking like it’s from someone you know or a vendor you are familiar with to catch you off guard, it now even looks like a reply to one of your own previous inquiries.


The typical format of this new one resembles a message you might receive from a shipper or vendor when you legitimately ship something. The subject starts with the familiar “Re:” followed by a subject such as “shipping information.” However, the included link, which is disguised to look like a link to a label or status update, will actually redirect users to a site that downloads malware.

To avoid deploying any type of malware onto your work network, be sure you take a little bit of time to review any links or attachments inside email messages before taking any action. Although it is getting more and more difficult to detect the fake ones these days, you can still go through the motions and usually make the right choice.

– Carefully review the text for misspellings and grammatical and punctuation errors. These still happen, even if less frequently.

– Watch for imperfections in the logos or other graphics.

– Hover the mouse pointer over the link to make sure it’s headed where you think it should be. If it just looks like a bunch of random characters, it probably is not a real link.

– Look for extra spaces, underscores and special characters littering the URL. In the image posted by Comodo, there is an extra space at the beginning where it should be “www.”

– The attack documented in this report lasted for about seven hours, targeted 50 enterprise customers, and affected approximately 3,000 users. It used 585 IP addresses throughout the world. However, the vast majority of those (513) were located within the U.S.
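The two link checks above (does the link go where its text says it does, and is the hostname littered with spaces, underscores or other characters a real hostname cannot contain) are mechanical enough to automate. The script below is an added example, not code from Stickley on Security or Comodo; the HTML “reply” it scans is constructed for the example and uses only example.com/.net hostnames.

```python
"""Scan the anchors in an HTML email body for two warning signs: visible text that
claims one destination while the href points somewhere else, and hosts containing
characters (spaces, underscores, ...) that a real hostname cannot contain."""
import re
from html.parser import HTMLParser

# Constructed sample: a fake "Re: shipping information" reply with three links.
# Link 1 shows one host but points at another; link 2 has a space and an
# underscore in its host; link 3 is consistent.
SAMPLE_EMAIL = """
<p>Re: shipping information</p>
<p>Your label is ready: <a href="http://label-download.example.net/x?id=7">
https://www.example-shipper.com/tracking</a></p>
<p>Status: <a href="http://_www .status.example.net/update">status update</a></p>
<p>Help: <a href="https://support.example.com/help">support.example.com</a></p>
"""

HOST_OK = re.compile(r"^[A-Za-z0-9.-]+$")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/.*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Host part of a URL exactly as written (no cleanup), or '' if there is none.
    Done by hand so that a host with a space in it is reported, not silently mangled."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", url.strip(), re.I)
    if not m:
        return ""
    netloc = m.group(1).rsplit("@", 1)[-1]   # drop user:pass@
    return netloc.split(":", 1)[0].lower()   # drop :port


def claimed_host(text):
    """Host the visible text claims to lead to, if the text itself looks like a URL."""
    if not LOOKS_LIKE_URL.match(text):
        return ""
    return host_of(text if "://" in text else "http://" + text)


def check_links(html):
    """Return a list of (href, reason) findings for the anchors in an HTML email."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            findings.append((href, "no recognisable host"))
            continue
        if not HOST_OK.match(host):
            bad = sorted({c for c in host if not re.match(r"[A-Za-z0-9.-]", c)})
            findings.append((href, f"host contains characters a real hostname cannot: {bad!r}"))
        shown = claimed_host(text)
        if shown and shown != host and not host.endswith("." + shown):
            findings.append((href, f"text claims {shown} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href!r}: {reason}")
```

A mismatch between visible text and href is only evidence when the text itself looks like an address; “status update” claims nothing, which is why the second link is flagged for its malformed host rather than for a mismatch. A subdomain of the claimed host (mail.example.com shown as example.com) is deliberately not reported.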

It’s easy to get overwhelmed with activities at work. There is a lot to get accomplished these days and sometimes even eight hours at the office doesn’t seem long enough. Those in middle management are even more at risk of being victims of phishing emails. So, rather than clicking through just to get the “new message” dot to disappear, spend a few seconds reviewing any links or attachments. Then you can avoid potentially setting off another WannaCry incident.


Your Email Message Could Be The Front Page News

Throughout history, politicians and others have learned the hard way not to put anything in writing. After all, it could (and will) end up in glaring headlines on the front page of a major publication such as The New York Times. Avoiding this embarrassment is a hard lesson for many to learn. Salacious headlines and ugly news may be avoided by simply picking up a phone or calling a personal meeting to discuss sensitive matters. That’s not always a feasible option. But the old rule, whatever you do, don’t put it in writing, takes on new meaning these days.

Email communications have been rocketing private communications into the stratosphere for some time now. Information formerly jotted down on paper is now written in email, running the same risk of ending up in the headlines or leading to a data breach. From politics to business and everywhere in between, emails are the new hand-written notes. Keeping potentially sensitive messages between sender and receiver is becoming a security priority for public and private citizens alike. Regardless of whether or not your email is encrypted, the assumption should always be that if it’s email, it is automatically public information and/or available to a cyber criminal. That’s because email is not a secure form of communication.

How to keep these emails from creating headlines is a common sense and technology issue. Suggestions on how to combat this new era of information are beginning to take shape.

– Never send sensitive or confidential information through email. Business email compromise (BEC) is big business. The FBI continues to warn of this scam continuing to circulate via email. If someone asks for W-2 information or other sensitive data, question why it is needed and who is asking. If it is a legitimate request, find another way to get it to the requestor other than email.

– Vigilance against phishing and other security breach issues, by employees and private citizens alike, is key. Clicking on unsafe links or opening malware exposes the user to all types of security risks, including access to private emails.

– Businesses and organizations are beefing up encryption and hardening their systems. Visibility into those systems helps pinpoint security weaknesses. It’s one big way to stop attackers, and it’s an ongoing effort. However, none of the solutions are foolproof.

– There’s no replacement for a level head and good judgment. Whether personal or business related emails, know that your words now exist permanently and ad infinitum in cyberspace. Just ask Sony executives. If you don’t want your words to become public or if they involve sensitive data, don’t send them in an email.

Maneuvering without risk in the world of email is a challenge, to say the least. For now, an email you assume is private can be instantly forwarded to countless entities worldwide. Email is the new wild west of front-page news, and the more senders are protected from themselves, by common sense and cyber security efforts, the more front-page exposure will be minimized.


Brute Force Attack Targets Office 365 Accounts; Reminder To Use Unique Passwords

A brute force attack is a method of attack that uses automated systems to generate a large number of consecutive guesses until the targeted information is retrieved. This means whoever is attacking wants encrypted data, such as passwords for various accounts. In a recent case, Skyhigh Networks found this technique being used in attempts to get corporate users’ Office 365 account information. The attackers were pretty sneaky about it, too. The pattern of attack was slow and methodical to escape detection.

Skyhigh remediated the attack and found over 100,000 failed logins from 67 IP addresses and 12 networks, targeting 48 different organizations. The specific targets were senior employees across multiple departments within these Fortune 2,000 organizations.

Brute force attacks use automated systems that try various combinations of login names and passwords until they strike gold, and considering that password reuse is still running amok, it’s not unreasonable to believe they could be successful.
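The “slow and methodical” pattern described above defeats the usual per-IP lockout rule, because no single address fails often enough to trip it. What does stand out is one account failing from many different addresses over a day, and the same addresses reappearing against other accounts. The script below, an added example rather than anything from Skyhigh or the article, runs those two checks over constructed sign-in records; the log format, thresholds and account names are all assumptions for the example.

```python
"""Detect a slow, distributed brute-force attack against cloud logins from failed
sign-in records: every source IP stays under the lockout threshold, but across many
IPs and many hours the same accounts keep failing."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: timestamp, account, source IP, outcome.  Real tenant
# sign-in logs carry many more fields; these are the ones the checks need.
RECORDS = """
2017-06-12T01:02:11Z cfo@corp.example 203.0.113.10 failure
2017-06-12T03:17:45Z cfo@corp.example 198.51.100.7 failure
2017-06-12T06:40:02Z cfo@corp.example 192.0.2.55 failure
2017-06-12T09:55:30Z cfo@corp.example 203.0.113.88 failure
2017-06-12T13:21:09Z cfo@corp.example 198.51.100.201 failure
2017-06-12T08:00:00Z alice@corp.example 203.0.113.10 failure
2017-06-12T08:00:30Z alice@corp.example 203.0.113.10 success
2017-06-12T10:10:10Z bob@corp.example 192.0.2.55 failure
""".strip().splitlines()

WINDOW = timedelta(hours=24)   # how far back to look for one account
MIN_DISTINCT_IPS = 4           # flag an account once this many IPs have failed against it
MAX_PER_IP = 3                 # "slow": each IP stays at or under this many attempts


def parse(line):
    """Split one record into (datetime, account, ip, outcome)."""
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome


def slow_spray_targets(lines, window=WINDOW, min_ips=MIN_DISTINCT_IPS, max_per_ip=MAX_PER_IP):
    """Return {account: sorted distinct source IPs} for accounts that, within one window,
    collected failures from at least min_ips addresses, none of which exceeded max_per_ip."""
    failures = defaultdict(list)          # account -> [(time, ip)]
    for line in lines:
        ts, user, ip, outcome = parse(line)
        if outcome == "failure":
            failures[user].append((ts, ip))

    flagged = {}
    for user, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):   # sliding window over this account's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            per_ip = defaultdict(int)
            for _, ip in events[start:end + 1]:
                per_ip[ip] += 1
            if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
                if len(per_ip) > len(flagged.get(user, ())):
                    flagged[user] = sorted(per_ip)   # keep the largest qualifying set
    return flagged


def shared_sources(lines, min_accounts=2):
    """IPs whose failures hit several different accounts: the same attack
    infrastructure being reused across targets, another low-rate signal."""
    accounts_by_ip = defaultdict(set)
    for line in lines:
        _, user, ip, outcome = parse(line)
        if outcome == "failure":
            accounts_by_ip[ip].add(user)
    return {ip: sorted(a) for ip, a in accounts_by_ip.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    for user, ips in slow_spray_targets(RECORDS).items():
        print(f"ALERT {user}: {len(ips)} distinct IPs, each under the lockout threshold: {ips}")
    for ip, users in shared_sources(RECORDS).items():
        print(f"SHARED SOURCE {ip} failed against {users}")
```

Per-IP rate limiting alone would stay silent on this data: no address exceeds one failure per account. Scoring by distinct sources per account, and by accounts per source, is what surfaces the campaign; in production the same logic runs over the tenant’s sign-in export and the thresholds are tuned against the organization’s normal failure rate.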

So don’t reuse your passwords for multiple accounts. It’s that simple. While it might seem overwhelming to keep track of all the passwords one may need in a given day, here’s a tip to help:

– Try using one base passphrase and adding to it depending on the website you’re visiting. For example, make your base XUP%2H. That’s what you would use on every site you log into. Then, say you’re going to your financial institution’s site, which is myfinancialorg.com. You could bookend your base passphrase with letters from the website. For example, using the first two letters, it would become “mXUP%2Hy.” Or at the end: XUP%2Hmy. Any pattern you come up with will allow you to remember the unique password for every site.

– Remember that a strong password or passphrase should be a minimum of eight characters and should include upper and lower case letters, at least one number, and at least one special character. Because it is pretty standard for people to tack a special character onto the end of their passwords, try putting it somewhere else within your passphrase, just to be different. It’s only a matter of time before these brute force programs succeed even against more complex passwords, simply because most people put that character at the end.

– Do not use dictionary words either. Brute force attacks count on being able to make small changes to the words to succeed. If your passphrase is gobbledygook, this becomes substantially more difficult.

In this recent attack, the perpetrators tried logging in with various versions of the employees’ Office 365 credentials. According to analysts, this suggests that they already had access to some combinations of this information and were seeking confirmation in order to perform spear-phishing attacks. Therefore, watch out for those as well. If you receive an email from an executive or manager that seems suspicious, such as the business email compromise (BEC) messages asking for W-2 or other sensitive information, question it. Pick up the phone and call the sender, or take a walk to his or her desk and ask for confirmation. If it’s a legitimate request, then no harm done (although emailing such information is not advised). If it isn’t, your management will thank you for stopping a potentially damaging phishing attack.

Office 365 is becoming a bigger target these days: it accounts for 58.4% of all sensitive corporate data stored in the cloud, so it’s no surprise that it’s a big target.


The Love Of Denim May Make You A Fraud Victim

Attention denim lovers! You may have been the victim of a data breach within the past year. The Buckle Inc. issued a press release informing shoppers at an undisclosed number of its physical locations that point of sale (POS) malware made it onto their systems and stole information from payment cards used at the stores. The malware was designed to grab information from the magnetic stripes on the cards, which means those who paid with their cards’ EMV chips are likely not affected.

Anyone shopping at any of the stores between October 28, 2016 and April 14, 2017 should pay close attention to payment card charges for at least the next year, or until they are issued a new card by their financial institution. Those are the dates during which The Buckle believes the malware was roaming the POS system. Investigators do not think, however, that information was stolen from every store on every day within that time frame; they also have not provided a more detailed breakdown.

If any suspicious charges are found on your statements, contact the issuer right away for resolution. The sooner you bring it to their attention, the less liability for both sides.

Although no social security numbers, physical addresses, or other identifying information is thought to be part of this breach, always keep an eye on your credit reports. One is available every year from each of the three reporting bureaus: Equifax, Experian, and TransUnion. Contact them separately to order yours. Keep in mind that any information about you can be used against you in a phishing scam. Be ready for scammers to create realistic Buckle emails about this breach that try to get you to click a link or open an attachment. Your best bet in almost all cases is to never click on anything you are not expecting, even from a source you know. If you want more information about any situation like this one, the safest practice is to navigate directly to the company website in your browser.

What is believed to have been accessed were account numbers, expiration dates, and names from the cards. Investigators are still trying to determine if more was accessed.

If you are at a payment terminal and given a choice between debit and credit with your card, choose the credit option. If you enter your PIN and the data is accessed, it’s possible for thieves to recreate your card and empty your account. It may not always be convenient, but use your debit card as credit when possible.

The Buckle does not believe its online shoppers were affected by this. So if you order at buckle.com, although you should still monitor your purchases, the likelihood that your data was accessed during this event is thought to be low.
