What Are The Newest Phishing Attacks?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Phishing is a term adapted from the word “fishing.” When we go fishing, we put a line in the water with bait on it, and we sit back and wait for the fish to come along and take the bait. Maybe the fish was hungry. Perhaps it just wasn’t paying attention. At any rate, eventually a fish will bite, and you’ll have something delicious for dinner.

How Does Phishing Work?
This is essentially how cyber phishing works. Cybercriminals create an interesting email, maybe saying that you’ve won a $100 gift certificate from Amazon. Sound too good to be true? Find out! All you have to do is click the link and take a short survey.

Once you click the link, a virus is downloaded onto your system. Sometimes it’s malware, and sometimes it’s ransomware. Malware includes Trojans, worms, spyware, and adware. These malicious programs each have different goals, but all are destructive and aimed at harming your computers. [Read more…]

New Whaling Schemes: CEO Fraud Continues To Grow

In previous years, the first clue that your corporate email has been compromised would be a poorly-spelled and grammatically incorrect email message asking you to send thousands of dollars overseas.

While annoying, it was pretty easy to train staff members to see these as fraud and report the emails. Today’s cybercriminals are much more tech-savvy and sophisticated in their messaging, sending emails that purport to be from top executives in your organization, making a seemingly-reasonable request for you to transfer funds to them as they travel.

It’s much more likely that well-meaning financial managers will bite at this phishing scheme, making CEO and CFO fraud one of the fastest-growing ways for cybercriminals to defraud organizations of thousands of dollars at a time.

Here’s how to spot these so-called whaling schemes that target the “big fish” at an organization using social engineering and other advanced targeting mechanisms.

What Are Whaling Attacks?

Phishing emails are often a bit more basic, in that they may be targeted to any individual in the organization and ask for a limited amount of funds.

Whaling emails, on the other hand, are definitely going for the big haul, as they attempt to spoof the email address of the sender and aim pointed attacks based on information gathered from LinkedIn, corporate websites and social media.

This more sophisticated type of attack is more likely to trick people into wiring funds or passing along PII (Personally Identifiable Information) that can then be sold on the black market. Few industries are safe from this type of cyberattack, while larger and geographically dispersed organizations are more likely to become easy targets.

The Dangers of Whaling Emails

What is particularly troubling about this type of email is that they show an intimate knowledge of your organization and your operating principles. This could include everything from targeting exactly the individual who is most likely to respond to a financial request from their CEO to compromising the legitimate email accounts of your organization.

You may think that a reasonably alert finance or accounting manager would be able to see through this type of request, but the level of sophistication involved in these emails continues to grow. Scammers include insider information to make the emails look even more realistic, especially for globe-trotting CEOs who regularly need an infusion of cash from the home office.

According to Kaspersky, no one is really safe from these attacks — even the famed toy maker Mattel fell to the tactics of a fraudster to the tune of $3 million. The Snapchat human resources department also fell prey to scammers, only they were after personal information on current and past employees.

How Do You Protect Your Organization From Advanced Phishing Attacks?

The primary method of protection is ongoing education of staff at all levels of the organization. Some phishing or whaling attacks are easier to interpret than others and could include simple cues that something isn’t quite right. Here are some ways that you can potentially avoid phishing attacks:

  • Train staff to be on the lookout for fake (spoofed) email addresses or names. Show individuals how to hover over the email address and look closely to ensure that the domain name is spelled correctly.
  • Encourage individuals in a position of leadership to limit their social media presence and avoid sharing personal information online such as anniversaries, birthdays, promotions and relationships — all information that can be leveraged to add sophistication to an attack.
  • Deploy anti-phishing software that includes options such as link validation and URL screening.
  • Create internal best practices that include a secondary level of validation when large sums of money or sensitive information is requested. This can be as simple as a phone call to a company-owned phone to validate that the request is legitimate.
  • Request that your technology department or managed services provider add a flag to all emails that come from outside your corporate domain. That way, users can be trained to be wary of anything that appears to be internal to the organization, yet has that “external” flag.

There are no hard and fast rules that guarantee your organization will not be the victim of a phishing attack. However, ongoing education and strict security processes and procedures are two of the best ways to help keep your company’s finances — and personal information — safe from cyberattack.

Inside The Anatomy Of The Human Firewall

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Each year, around 61% of small businesses become the victims of a malware attack. While many small businesses may think no one would ever come after them because of their size, know that over half of the total global attacks hit small businesses and, for thieves, getting access to your systems is becoming increasingly lucrative.

Companies collect more about customers than ever before: medical history, financial records, consumer preferences, payment information, and other confidential information.

Some of this information could be used in malicious ways to either harm your business or directly harm the customers, so we all understand that we must protect it from cyberattacks.

Creating a human firewall is the best way to keep your system and data safe, but what exactly is a human firewall, why do you need one, and how can you build one? Let’s take a look! [Read more…]

Researchers Turning To Algorithms To Combat Phishing

Chris Myers is a field service technician for Tech Experts.

Phishing is a type of social engineering attack used to steal user information such as login credentials, bank account information, or credit card numbers. The most commonly seen phishing attack is when an attacker, posing as a legitimate source, tricks a victim into clicking on a malicious link in an email. Once clicked, the link installs malware on the user’s computer and possibly gives the attacker access to other devices on the same network.

Often, the link opens a website owned by the attacker, specifically designed to look like a normal login or account validation page. However, when users enter their information into this website, all they are doing is giving that information directly to the attacker.

Phishing emails have been around since the dawn of the Internet, even having a paper and presentation discussing their use at the 1987 conference for the International HP Users Group, “Interex.”

While the basic premise hasn’t changed since then, attackers have had decades to improve their technique and automated delivery systems.

A New Defense
Jeremy Richards of the mobile device security company Lookout has been developing a novel solution to this problem. Lookout records the network traffic of over 60 million mobile applications and, as such, has a large amount of real-time data it can analyze.

After manually tracking phishing websites through this network, Richards discovered many telltale digital signs of phishing websites. He started creating tools to assist in this detection, but those quickly evolved into their own automated search engine.

The program now goes through several steps to algorithmically narrow down and positively identify malicious websites. For example, the program will check new domains (website addresses) for misspellings of technology or financial companies, or special characters used in place of normal lettering.

Once it spots a suspicious website, it will take a screenshot of the homepage and then automatically search for the logos of thousands of companies. Phishing websites almost always try to look official by using the actual logos from companies like Apple, Microsoft, and Google.

Once a site is confirmed to be malicious, Lookout can report them to the authorities, download the specific phishing code used by the attackers, then look for that code in future scans to find additional websites.

As phishing attacks occur with increasing frequency, these automated solutions will be necessary for us to stand any chance at stemming the tide of cybercrime.

How To Spot Phishing Emails
Here are some common characteristics of phishing emails that you can identify:

Poor grammar – Since most emails aren’t composed by native English speakers, they usually contain many grammar, spelling, and capitalization mistakes, along with unusual phrasing.

Generic or informal greetings – If a message doesn’t address you by name, it’s another sign that it is from an unknown attacker.

Sense of urgency – Most phishing emails want you to rush through the message and click on a link without looking at it too closely.

Hyperlinks – Hover over any links to make sure they go where they say they are going.

Attachments – Many phishing emails will include malware in attachments.

Unusual sender – If it’s from someone you don’t know, pay extra attention to the contents.

Google Study Reveals Phishing Attacks Are The Biggest Threat To Web Security

A recent study by Google and UC Berkeley suggests that cyber thieves are successfully stealing 250,000 valid usernames and passwords every week.

The study, which was based on 12 months of login and account data that was found on criminal websites and forums, aimed to ascertain how the data had been hacked and the actions that can be employed to avoid criminal activity in the future.

Google claims the research is vital for developing an understanding of how people fall victim to scammers and hackers and will help to secure online accounts.

The research found that, over a 12-month period, keyloggers (programs that monitor every keystroke that someone make on a computer) stole 788,000 account credentials, 12 million were harvested via phishing (emails or phone calls that con people into handing over confidential data), and an incredible 1.9 billion were from breaches of company data. The study found the most productive attacks for cyber-thieves came from phishing and keylogging. In fact, in 12%-15% of cases, the fraudsters even obtained users’ passwords.

Malicious hackers had the most success with phishing and were able to pick up about 234,000 valid usernames and passwords every week, followed by keyloggers who managed to steal 15,000 valid account details per week.

Hackers will also look to gather additional data that could be useful in breaching security measures, such as the user’s Internet address (IP), the device being used (Android versus Apple) and the physical location. Gathering this data, however, proved far harder for those with malign intent.

Of the people whose credentials were secured, only 3.8% also had their IP address identified, and less than 0.001% had their detailed device information compromised.

Google said in a follow-up blog post that the research would be used to improve the way it detects and blocks attempts to misappropriate accounts.

Historical data of the physical location where users logged on and the devices they used will increasingly be used as part of a range of resources that users can use to secure their accounts.

The research, however, did acknowledge that the account hacking problem was ‘multi-pronged’ and would require countermeasures across a number of areas including corporate networks.

Education of users is set to become a ‘major initiative’ as the research also revealed that only 3.1% of people whose account had been hijacked subsequently started using enhanced security measures such as two-step authentication (Google authenticator or a similar service) after control of a stolen account was regained.

Gone Phishing! How To Spot A Phishing Scam

If you are a user that has been around for a while, there is a pretty good chance you’ve been targeted with a phishing scam. You may have a long lost relative in another country who left you millions – and all the executor of the estate needs is your banking information to send you your inheritance! Or a prince of a small country is trying to move some of his fortune and escape to America – and if you can help, you will be rewarded!

These are some oldies-but-goodies, however phishing scams have and will continue to get better and smarter.

There was a time when phishing scams almost always came filled with poor grammar, spelling errors, and writing that just seemed a little off. While these still exist, things have become harder to detect.

These scammers are always looking for your personal information. There are a few ways they can do this, but most of them begin with email spoofing, where a sender will mask their actual email address with a familiar one.

If it isn’t a spoofed email, it may come from an address that is very close to that of a known and trusted sender. This could have an extra letter or even just a period to try to trick you into completing whatever task they are using in an attempt to get your information. This could be something as simple as a link to “family photo” or video and it could very well open your system to different vulnerabilities.

Something like a keylogger, a program that tracks your keystrokes, can be almost undetected while also gathering your online banking or credit card information.

Lately, phishers and scammers have pulled out all the stops. There have been cases where phishers will not only spoof an email, but also documents. These can look pretty real, so take a close look.

A new long-shot, big-payoff scam is to spoof an email address of a financial institution to try to intercept money from home purchases. This is done with forged documents and a fake email. While it’s a long shot for something that big to happen, do big business in-person or through trusted secure communications.

What to watch for:

When you have email communication from a known sender that doesn’t quite add up (or doesn’t sound like them), don’t assume they’re just having an off day. One example: if you know your family member shares all of their photos on Facebook, would they really email you a link with little to no writing in the email?

Any “company” asking for any personal information or passwords through email should also raise red flags. While this might seem obvious if the email address doesn’t match, a spoofed email address can make this trick easier to fall victim to.

Also, be wary of anyone asking for your bank account number via email. Even if it is legitimate, there are other ways to send this information. Protect yourself by choosing a more secure method of communication.

What to do:

If something seems off, research it. If you get a weird email requesting something or asking you to click on a link, don’t assume it’s safe. If it’s from someone you know, ask them if they did send it.

If you are the one “sending,” check your Outbox or Sent folder. This is a good indication if the email came from you or someone you know.

Do You Have A Blind Spot In Your Security?

Security is only as good as its weakest link — one blind spot and a company can be compromised. It is important that each aspect of a company’s security is understood and up to date.

With the following best security practices, it can be better understood what to be aware of and how to better advance a company’s security.

From remote hackers, to in-person social engineering, and even your own e-mail, there are different methods of attacks and means of defense to maintain a company’s integrity.

Physical Security
The basic defense that predates IT security is physical security. Locked doors, restricted access, and watch patrol are some of the oldest methods to prevent aggressive physical security breaches.

Technology has only made physical security even better with security cameras, alarm systems, RFID badges, and biometric systems that identify a person from their physical being. Having the appropriate physical security is key to preventing and deterring break-ins and stolen items.

Social Engineering
With the right words and story, some people gain access to compromising areas and information that can give a company a real bad time.

Without a physical break-in or even a computer, social engineering works against human psychology, finding the vulnerabilities of staff and workers to trick and deceive their way past security. The best way to defend from this is to have a strong and easily understood security policy that educates staff and workers not give out credentials and access to unauthorized personnel.

Phishing
Billions of emails are sent out every day — promising a vacation, warning people about their bank accounts, or asking for charity — that are entirely design to steal or compromise a person or company. Phishing targets everybody, asking for credit card numbers, asking a person to sign in to their account on a fake site, or taking something in other ways.

Do not open emails or download email attachments with suspicious or unknown origins. If an email looks odd or is too good to be true, call or check a website directly to confirm if an email is legitimate.

Clicking or falling for phishing could end with a stolen identity, stolen money, or a locked PC or network demanding ransom money. Be smart and wise about checking emails.

Hackers
There are people that spend most of their day trying to break security codes, finding software loop holes, and other abstract means to force their way through digital security to gain illegal access to computers.

There are just as many (if not more) people working together to prevent such people from ever gaining access with new security measures and patches. To protect a PC or a company from hackers, always update your security definitions on Windows and antivirus software. Knowing what software to trust and what updates are needed are important ensuring digital security. We at Tech Experts make it our business to keep digital security online and updated at all times, so that no one has to fall victim to the unseen security threat.

Being aware of these different security risk and knowing how to defend from them can give a strong basis in understanding and learning in what needs to be done to keep a company or person secure.

Security is always evolving and changing, but having a modern understanding with security in place can make the difference between a secure environment and a risky work place that could come to a grinding halt when security is breached. Be safe, be smart, and be productive with good security.

Beware Of These Tax Return Scams

In the online world, it seems that there is always a new threat cropping up on the horizon. There is one, however, that has been returning year after year following the onset of online tax filing.

This is the prime time for tax phishing scams, and it is important to recognize the signs of a cyber-criminal going after your identity and holdings.

Since tax season is often a mystifying time financially with ever-changing laws that directly affect your pocketbook, it isn’t far-fetched to believe the IRS or a related government agency may need to double-check your data or ask for additional information via email or text.

This is a situation that sophisticated thieves are well aware of, and they do not hesitate to exploit citizens’ lack of knowledge of how the revenue service actually conducts its business.

In fact, approximately 25,000 phishing emails (messages asking for personal data like Social Security numbers and the like) and 611 scam websites were shut down during the last tax season. It is probable that far more efforts went unreported.

Fortunately, it is easy to thwart criminals’ efforts to gain access to your personal information and financial holdings when you are on the alert.

First, no government agency will ask for such information through an unsecured email or text. If the tax agency, tax-preparation company, or related organization needs additional sensitive information from you, you will be contacted by mail, phone, or directed to a secure website.

In the case you are suspicious of a particular communication, double check that the email or physical address matches that of the legitimate organization.

Also, beware of messages that do not use your full name with something generic, such as “Dear valued customer,” or warn that there will be dire consequences if you do not reply right away.

If there is any doubt whether an email or text is a scam, report it to the organization in question or law enforcement agencies.

Tips To Protect Your Business PC From Malware

Michael Menor is Vice President of Support Services for Tech Experts.

In today’s online world, technology users are essentially in a state of near-constant attack. Almost every day, there’s a new data breach in the news involving a well-known company and, quite often, fresh rules for protecting personal information are circulated.

Because of malware in email, phishing messages, and malicious websites with URLs that are one letter different from popular sites, employees need to maintain a high level of awareness and diligence to protect themselves and their organizations.

Phishing activities are especially pervasive, including attempts to steal users’ credentials or get them to install malicious software on their system. The astonishing success rate of phishing attacks makes them a favorite.

Why? More than 70% of people will follow the link to a phony website and, of those that followed the link, 30%-50% will routinely give up their usernames and passwords.

Many like to think of the network perimeter with all its firewalls and other fancy technologies as the front line in the cyber war, but the truth is there’s a whole other front.

Every single member of a company’s staff who uses email or the Internet is also on the front line and these people are generally considered a softer target than hardware or software. It’s simple: if the bad guys can get an employee to give up his or her user credentials or download some malware, they can likely waltz right past the technological controls, basically appearing as if they belong there.

When using a computer for personal functions, a user generally has to have the ability to install software and modify the system configurations. Typically, such administrative functions are not available to all users in a corporate environment.

c471994_mAs a result, even if an organization has made an effort to improve a system’s security, a user doing work on a personal computer has the ability to disable and circumvent protections and has the privileges to allow for the installation of malware.

As companies migrate toward a world of bring-your-own-device policies, some companies are developing strategies to help address these risks. But, as a rule, using a work computer for personal reasons or doing work on a personal computer (or tablet or smartphone) can significantly increase the threat level that an employer has to protect itself against.

To help their organization protect systems and data, employees need to implement some smart web browsing habits. Smart web browsing means engaging in the following activities:

Beware of downloads
Malware can be hidden, not just in applications or installation programs, but in what appear to be image and video files also. To limit the likelihood of downloading content that contains malware, only download from reputable sites. With sites that are not a household name, take the time to do a little research and see if other people have had issues.

Additionally, be sure that antivirus software is set up to automatically scan downloads. Or scan downloads manually, even when receiving them from name-brand sites, as it is not unheard of for infected files to make their way onto otherwise legitimate web sites.

This is especially true for file-sharing sites where the site owner cannot control every piece of content a user may place there.

Be wary of deceitful sites
Those running sites already breaking the law by illegally distributing copyrighted materials — like pirated music, movies or software — probably have no qualms about including malicious content in their downloads or stealing information.

Many popular web browsers today have built-in functionality that provides an alert when visiting a website that is known to be dangerous.

And if the browser doesn’t give a notice, the antivirus software may provide that function. Heed the alerts!

Employees need to protect their devices from online and in-person threats. Start by keeping the company’s system patched. Configure it to automatically apply updates or issue notifications when there are updates and then apply them as soon as possible. This doesn’t just apply to the operating system.

Keep all installed applications updated; sometimes this takes a little extra work.

Remember, the challenge of security is that the bad guy needs to find only one hole in a security system to get past it, so fix them all. Think of it as putting dead bolts on doors, but leaving the basement window wide open.

To that end, security professionals like to debate the usefulness of today’s antivirus software. And it’s true that malware continues to become more sophisticated and harder to detect. But it always amazes me how old some of the malware running around is. As a result, use antivirus software and keep it up-to-date.

Also, use a software firewall, either the Windows firewall or one provided in an antivirus package. This is especially true for laptops connected to public wireless access points at hotels or coffee shops, but it also applies to home systems. It just provides that extra layer of defense.

And finally, please, don’t ever give passwords to anyone. Be vigilant and question anything new, especially emails and forms in the web browser that request work credentials, no matter how nicely the request is made.

(Image Source: iCLIPART)

Phishing Schemes Are On The Rise

A phishing e-mail is an e-mail sent by a hacker designed to fool the recipient into downloading a virus, giving up their credit card number, personal information (like a social security number), or account or login information to a particular website.

Often these e-mails are well designed to look exactly like an official notification from the site they are trying to emulate.

For example, a recent phishing e-mail was circulated that appeared to come from Facebook stating that videos or photos of Osama Bin Laden’s death were posted online. These e-mails looked exactly like a legitimate Facebook e-mail and even appeared to come from “Facebookmail.com.”

Once you clicked on the e-mail the phishing site would attempt to install a virus on your machine.

And now due to recent security breaches with Sony and e-mail marketer Epsilion, phishing attacks are going to increase – and they are going to get more sophisticated and harder to distinguish from legitimate e-mails.

That’s because the hackers that were able to access the private databases of the above mentioned companies now have the name, e-mail and interests of the subscribers, and in some cases birthdays, addresses and more. That means a phishing e-mail can be personalized with relevant information that the user provided to Sony, making the e-mail appear to be more legitimate and the user more likely to click on the links provided and take the actions requested. Now more than ever it’s critical that you are wary of e-mail notifications and the actions they request you take. Even having good anti-virus software installed won’t protect you if you give your account information away freely.