Homeland Security Secretary Lists Phishing as Top Threat

Experts are often asked what the biggest threat to cyber security is, and many answers may be given. If you ask the Secretary of Homeland Security, Jeh Johnson, you will hear something that may surprise you. Sure, if you connect any device to the Internet, it is likely that someone will start attacking it almost immediately, for any number of reasons. But to Johnson, the biggest threat is good old reliable phishing.

Why is this? Because it’s tried and true. It is what catches out many with sometimes very painful results. In fact, it is how hackers were able to leak information from the Hillary Clinton campaign. It’s how Sony Pictures was so famously thrust into the cyber security spotlight, how the Target breach occurred, and how the “bad guys” ended up acquiring very sensitive information on over 21 million people in the Office of Personnel Management (OPM) incident.

It is increasingly critical that everyone knows how to determine if an email message is indeed phishing. It’s not so easy to just look at it and make that call anymore; we will give you that. However, it isn’t impossible either. Most of the time, we can rely on our own intuition. If whatever the message is asking or claiming seems “phishy” or just sounds too good to be true, it is. It really is that simple.

Remember that if you receive an email that you are not expecting, regardless of who sent it, it should always be met with a bit of suspicion. And if it comes from a company like Google or your financial institution claiming something has changed or is amiss with your account, don’t click links or attachments to figure it out. Instead, log in directly to your account using a previously bookmarked link that you know to be safe or by typing the address of the site into the browser. You can see communications or check information that way and feel good about it.

If you are a business, always make sure your employees, staff, and contractors are educated on phishing. Homeland Security tests its people by sending phishing emails promising a big prize. The email asked them to click a link, and if they did, they were given instructions on where to go to pick up their prize. When they got there, not only were they disappointed not to get their promised football game tickets, but they also got a lesson on cyber security.

While implementing security tools is also a good idea and well worth the money and effort to protect your home or office network, it should not be the only tool in the toolbox. Always include a cyber security training program for everyone who connects to the Internet. This means spending some time teaching kids and all new Internet users how to browse safely.

Cyber criminals are turning to phishing more often these days not to infiltrate networks, but to capitalize on the gullibility of the human race for a quick buck. Now that means getting ransomware onto those computers. In fact, according to security company PhishMe, more than 97% of the phishing emails they analyzed contain ransomware. So rather than paying up because some nefarious person has encrypted your data, keep current backups of your files. This will allow you to quickly put them back online without sacrificing your hard-earned cash or getting your company into the news for a breach.

© Copyright 2017 Stickley on Security

Holiday Inn and Holiday Inn Express May Have Been Breached; Check Your Charges

InterContinental Hotels Group (IHG) reported recently that they are investigating a possible data breach at some of their brands. Specifically affected are Holiday Inn and Holiday Inn Express locations, but Crowne Plaza, Staybridge Suites, and Candlewood Suites may also be included. It isn’t known what specific details were accessed, but payment card information of some kind is part of this.

It is advised that anyone using a payment card at the hotels or at retail locations including restaurants in any IHG property be especially diligent at checking payment card statements. If anything looks suspicious, report it right away to the card issuer. While consumers have limited responsibility with regard to fraudulent charges on their cards, it is still up to them to report suspicious charges within a reasonable amount of time. That typically means within 30 days. The sooner these are resolved, the less expensive for the consumer as well as the financial institutions.

Usually breaches like this happen when malware is installed on the point-of-sale (POS) machines in the retail locations. That can happen several ways:

  • Someone clicks a phishing link or opens an attachment with malware included in it.
  • A system is not updated with the latest patches and a cyber criminal takes advantage of a vulnerability to get inside the network.
  • A third party gets access to administrator login credentials.

POS malware has been responsible for many breaches lately, including the infamous Target breach, as well as Home Depot. More recently this group has included CiCis Pizza, Eddie Bauer, Wendy’s, and Noodles & Company. Other hotel chains that have been hit with it recently include HEI Hotels, which runs many Omni, Marriott, and Hyatt locations as well as other chains, Hilton, Starwood, and Trump Hotels.

IHG has issued a statement that they are committed to quickly resolving this matter and are continuing to work with the payment card networks. They also have hired a top outside security firm to help investigate.


© Copyright 2017 Stickley on Security

Fake iTunes Invoices Attempt to Trick Users by Claiming Ridiculous Charges Made to Accounts

Phishers are getting better and better. Recently a very good replica of an iTunes invoice has been circulating that attempts to trick people into clicking a link that is either malicious or requests personal information that can be used to steal identities.

The email message that is being sent claims that the users have been overcharged for a recent download. In some cases, it is $25 for a song that is typically only $1.99 or $45 for the Netflix app, which is actually free.

Instead of panicking, take a bit of time and think it through. Instead of clicking links or attachments, go directly to your iTunes account using a previously bookmarked link or by hand typing the URL into the address bar of your browser. There should be a record of your purchases in your account and you can see if there are any unauthorized ones from there. If so, contact your payment card issuer and Apple to get it resolved. If not, you can be certain that the email message is indeed an attempt to phish for information or to do something malicious.

Avoid clicking any links or attachments that arrive in email messages unexpectedly. This applies even if you recognize the sender. It is not difficult to spoof the name in the “from” line of an email, so don’t get fooled by it. Instead, if you aren’t sure of the authenticity of the email, contact the sender by phone, text, or by creating a completely new email message. In other words, don’t just hit the reply button.

Take some time to ensure that you do have anti-malware and anti-virus software installed and updated on your devices. This goes for all products, including Apple products. Despite what some believe, they are not immune to these things anymore; in fact, one study released by Marble Labs in 2014 has shown they are becoming as vulnerable to malware as devices running other operating systems. The FBI has also warned of a significant rise in mobile malware on all types of devices as their use for tasks such as performing banking transactions increases.

Don’t be fooled by phishing. Take some time to read the message, think about whether it is reasonable for it to be true, and act accordingly. Phishers count on the panic effect, so don’t give in to fear.

© Copyright 2017 Stickley on Security

Research Finds Sharp Increase in ‘Whaling’

Whaling is not just another fish story. It’s a real threat. The terms whale phishing and whaling are used to describe a type of attack that targets the “big fish” in a company. However, more often it is when someone impersonates the “big fish” in the company to trick employees into doing something that results in a financial gain to the criminal and a loss to the company. A survey conducted by Mimecast, Ltd. of 436 IT experts around the world found that 67% of the respondents saw an increase in fraudulent payment attacks and 43% reported an increase in attacks attempting to get confidential information such as tax or HR information.

Spear-phishing is typically how whaling attacks are perpetrated. Someone will send an email pretending to be a CEO or other executive to an employee in the targeted department, such as accounting or HR. Often they will ask for wire transfers, such as what happened to Ubiquiti Networks, resulting in losses to that company of $46.7 million. In the case of Seagate, an employee was tricked into sending the income tax data of all employees to someone posing as the company’s CEO. And a Snapchat employee handed over payroll data to a scammer after being convinced it was a request from that company’s CEO.

Business Email Compromise (BEC) scams such as these are on the rise and according to the FBI have increased 270% since January of 2015. Therefore, it’s important to be aware of them and how not to fall victim.

  • Always confirm with the requester any wire transfers or transfer of sensitive information before taking any action. Do this by making a phone call to him or her, by emailing with a completely new email message (do not hit the reply button), or by walking to the requester’s office or desk. Doing this will take very little time, but could save your organization millions of dollars.
  • If there is not a process in place for multiple approvals for wire transfers, put one in place. The more people that see such requests, the less likely a fraudulent one will occur.
  • Be wary of any email request that seems so urgent that you don’t have time to verify it. If you are made to believe it’s just too urgent to confirm, it should be considered a big red flag that it is a scam.
  • Never give out login credentials to anyone, especially if they are requested in email. Email is usually not a secure form of communication, so anything you send travels in plain text, where anyone who wishes to steal credentials can easily read it.
  • Use caution in what you post on social media and networking websites. Often, the scammers find out whom to target in spear-phishing using sites like LinkedIn.
  • Get training on cyber security or provide training if you have the authority and ability to do so. If you can’t do it yourself, there are many qualified and reputable companies that will provide everything from annual training, to ongoing training and testing on cyber security threats.

Whaling and other types of phishing are not going away any time soon. That’s because they work. No industry is immune and smaller organizations are being targeted more often. So, don’t get complacent and let the phishers hook you, even if you think you are just a small fish.

© Copyright 2016 Stickley on Security


Gooligan Malware Takes Over Android Devices at a Rate of 13,000 Per Day


Android devices are again the targets of malware. This one has been roaming the wild for a couple of years, but is showing up again, some would say “en masse.” Gooligan has been found in at least 86 malicious apps. Around 13,000 Android devices are being infected on a daily basis, according to the Israeli security company Check Point Software.

Again, these apps made it onto the various devices as a result of the owners sideloading them from PCs or other devices. Therefore, if you are known to do this, reconsider that and only download them from the official app store.

Some may not even know which operating system is on their devices, and “Android” is the name of an operating system. At a high level, if you are using a Google device such as the new Pixel smartphone or the Nexus tablet, it will most certainly be running Android. If you use a Kindle or an HTC, LG, or Samsung smartphone, it is also most likely using the Android operating system. If you don’t know what operating system your devices are using, find out.

Gooligan uses a type of malware called Ghost Push. Once it gets onto a device, it can do all kinds of things, such as send annoying pop-up ads in an effort to get the user to install even more malicious apps, as well as get access to the Google accounts associated with the user’s Google credentials. This is because Android holds a token that allows the device to stay logged in to those accounts automatically, permanently or nearly so. Therefore, Gooligan can pretend to be the user, submit 5-star reviews, and attract others to apps that distribute it. This is why it is so important to check reviews and do research on apps before allowing them on your devices. If there are only a few reviews and they are all glowing, maybe it’s a good idea to wait a while before downloading. You want to see constructive reviews as well, not just a bunch of 5-star ratings.

Some good news is that it does not appear that Gooligan steals sensitive data. Google is also working hard to block Ghost Push. It has tracked more than 40,000 Ghost Push Apps and taken action against them. It has also been able to interfere with the command-and-control servers trying to distribute it.

Check Point has a “Gooligan Checker” web page that supposedly allows users to see if their Google account has been compromised. A few of the affected apps are reported to be called StopWatch, Perfect Cleaner, and WiFi Enhancer, and they exploit devices running Android 4.1-4.3 Jelly Bean, 4.4 KitKat, and 5.0-5.1 Lollipop. This is a good reminder to update all of your devices that are running older versions of Android and to keep them updated with the latest security patches. The most current versions of Android are 6.0 Marshmallow and 7.0-7.1 Nougat.

© Copyright 2016 Stickley on Security

Early Bird Holiday Shoppers Targeted with Fake Apps in Apple Store


Each year it seems that the holiday shopping season starts earlier and earlier. As soon as the jack-o-lanterns and super hero costumes are put away, the wreaths and sparkly lights seem to appear, as if by the flick of a magic wand. Unfortunately, the fraudsters are at it earlier and earlier too and hundreds of phony shopping apps have been spotted in Apple’s App Store for those in the holiday spirit already to get duped right at the start of the season.

Phony apps posing as shops such as Dollar Tree, Dillard’s, Nordstrom, Zappos, and Footlocker, as well as designer name brands such as Jimmy Choo and Christian Dior, have been found in the app store without being caught by Apple’s review process.

Always use caution when downloading apps, even from the app store. As more and more apps apply to get into the various stores, it is more difficult for the companies to review and approve all of them. The Apple App Store has over 2 million apps already. That puts more pressure on the consumer to do research and make sure the apps are the real ones. Read the reviews to see what others are saying and if they aren’t so good, perhaps it’s best to skip it. In addition, if there are no or very few reviews, particularly for a large department store, second-guess it. While being an early adopter has its perks for a lot of things, in this case patience is a virtue. Wait a few weeks before trying again. If results are the same, it’s probably one of the fake ones.

Many of the fake apps seem to come from Chinese developers who are paid to write the apps in English. One had a menu with drastically misspelled English words, such as spelling Friday as “Firday.” Keep an eye out for those types of errors too and if there are any, don’t use the app.

Don’t assume that Android apps are safe. In fact, because of the less restrictive policy for getting apps into the Google Play store, there are similar risks of downloading phony apps there.

The recent apps have largely been found to pop up annoying ads rather than do real damage. However, some of them do ask for payment card information and other personal details. Therefore, if there is any doubt about the app’s legitimacy, don’t download it or delete it if you already have.

While you’re at it, make sure your devices are updated with the latest versions of the operating systems and apps, and confirm that anti-malware is installed on them and is updated too. As mobile becomes a preferred way to shop, it’s more likely that malicious apps that do harm will show up.

© Copyright 2016 Stickley on Security