A Close Look at a Banking Scam

A phishing campaign is targeting customers of Portugal’s Banco Millennium BCP (Portuguese Commercial Bank), according to Tomas Meskauskas at PCRisk. The emails inform recipients that their bank accounts have been frozen for security reasons, and that they’ll need to either confirm their banking credentials or pay a €455 fine in order to regain access. The email contains a button that takes the user to a spoofed BCP login page designed to steal their bank account credentials.

While this campaign relies on users entering their credentials manually, Meskauskas explains that many other phishing attacks try to trick users into installing banking malware. This is usually accomplished by tricking the user into opening an attached Microsoft Office document. The document, when opened, asks the user to click the “Enable content” button in order to view the contents. This button will enable a macro to install malware on the user’s computer.

Meskauskas also stresses the importance of keeping software up-to-date, since older versions of Microsoft Office can run macros automatically.

“It is worthwhile to mention that malicious MS Office documents infect computers only when recipients open them and enable editing/content (macro commands) in them,” Meskauskas says. “However, it applies only to malicious documents that users open with Microsoft Office versions that were released after the year 2010. If malicious documents are opened with older versions, then they install malware once they are opened. It is because older versions do not include the ‘Protected View’ mode.”

Meskauskas adds that users should be careful about where they go to download programs and updates.

“Files and programs should be downloaded only from legitimate, official web pages and via direct links,” Meskauskas writes. “It is not safe to use Peer-to-Peer networks, unofficial sites, third party downloaders (and installers), etc. Installed programs that need to be updated and/or activated should be updated and/or activated with tools that are provided by their official developers. Third party updating and activation tools can be (and often are) designed to install malware.”

New-school security awareness training can create a culture of security within your organization by teaching your employees to follow security best practices.


Why Small Businesses Often Say ‘Why Bother?’ When Dealing With Cybercrime

Well, it happened again. As a security professional, I hear a lot of things being said that are exaggerated or just plain untrue. I’ve become used to that, however, there is one phrase that really drives me crazy when I hear it. That phrase is, “Why even bother trying?”

As security professionals, many of us are constantly observing situations in different settings with an eye toward security. Recently, I noticed my doctor entering his password so he could add notes to a patient profile. The password was a single digit. Just…one…digit. I couldn’t let that pass without some fun-loving teasing, which he took very well. This is when he said the magic words. He said he had just read about the SolarWinds debacle and how it had taken over so many networks, and he wondered, if they can get into those networks, “why should I even bother trying?” He knows that even though he is small, he is still a target. He is not confused about that, as he had heard of many other small medical offices scammed or hit by ransomware.

There it was, out in the open. The truth about how he felt. He feels helpless to defend against the attacks. He said that the person who recently set up his new digital x-ray machine told him he should not connect it to the network, but should take the data from the machine, put it on a USB drive and walk it over to his EMR station and attach it to the record there. He asked the rep why it mattered when it was going into a cloud-based system anyway, to which the rep had no good answer.

The Problem

As security professionals who live immersed in the world of scams and cyber criminal attacks, we sometimes forget that not everyone lives in this world. My chiropractor has patients to care for, the bakery down the street has pastries to finish. They are not cybersecurity experts, but they do handle valuable data, no matter the size of the organization. What they don’t have is the confidence that the time and effort they put into securing things will have any impact.

This feeling of hopelessness in the face of the threat is a real issue. While they may have an MSP (a.k.a. the IT person) that helps, they are usually focused on break/fix activities or setting up new machines, not securing the office. It can be tough to get small business owners to pay for services, like securing devices and people, when they don’t believe that there is value in doing so. Instead, they accept the risk, often without understanding what that risk really is. Even with the looming threat of HIPAA violations and potential fines, they believe that they have to risk it.

Now What?

So, how can we, the cybersecurity industry, help them? It starts with the messaging. We need to educate small business owners on the fact that most of the successful attacks they hear about from their peers are the result of human error. This error could be sending information to the wrong person, or it could be clicking a bad link in an email. Both can be avoided, or at the very least the risk can be reduced greatly, by working with the staff.

We need to stow the FUD. FUD (Fear Uncertainty and Doubt) is the tool of marketing departments trying to sell “solutions”. We are better than that. We should educate these small business owners on the risks they face and ways to reduce the risk. They need understanding, not fear.

In my opinion, there are very few ways to reduce risk in these organizations that are better than a focus on the human factor, since this is the root of so many issues. Before starting, we need to acknowledge the issue without blaming the individuals. Yes, they are the source of a lot of issues; however, like the doctor or business owner, they have other jobs to do. To get the best ROI, training needs to be constant, not just a PowerPoint presentation once a year. This means short lessons that are relevant to them and to current events. These lessons should cover best practices for password hygiene and for spotting phishing emails, text messages and phone calls, and tie them to current events. We also need to explain why certain things are so important instead of just telling them to do it.

An example of this is teaching people that reusing passwords is bad. Rather than just demanding compliance, teaching them a little about credential stuffing can help them understand why it’s bad and has a better chance of changing the behavior. Teaching people that phishing attacks usually rely on creating an emotional response and demonstrating how that works is better than trying to teach them about every iteration of these attacks. It’s like a magic trick. Once you know how the trick operates, it doesn’t matter if the magician uses a playing card or foam ball to do the trick; you can spot the trick.

There are a lot of free tools that are valuable as well. Many of these will support the training. If you teach people not to reuse passwords, while also providing them with a tool, such as a password manager, it will help them be successful. There are free and low-cost versions for any size business.


Securing Remote Employees is the Top 2021 Cybersecurity Challenge for Organizations

Security vendor CheckPoint provides insight into organizational cybersecurity priorities for the next two years, as well as into where cybersecurity is going to be most challenging.

It’s no secret: cybersecurity has become much harder this year. The pandemic has taken a toll on every organization’s cybersecurity posture, making it increasingly difficult as more users want to work from home and cybercriminals step up their game to take advantage of this “new normal.”

New survey data from CheckPoint highlights where the problems are and what organizations are planning on doing about it:

  • 58% of organizations feel they are facing an increase in cyberattacks since the pandemic
  • 95% say they changed security strategies mid-year
  • The two biggest security challenges are remote workers (47% of orgs) and protecting against phishing and social engineering attacks (42%)
  • Securing remote working is the top priority for the next two years (cited by 61% of orgs)
  • Half of orgs say their new security approach is here to stay, even after the pandemic subsides.

With a remote workforce, it’s imperative that organizations look to improve their security posture, even for those users working on a home network and a personal device. Security Awareness Training is the one part of your security strategy that can be easily applied regardless of where the user works, what device they are on, etc.

Organizations look to be getting serious about how they will maintain the same levels of security they’ve enjoyed for years within the corporate network now that a material portion of their workforce works remotely. Ensuring the user plays a part in that strategy is going to be the critical element in determining whether the org is truly secure moving forward.


Beware of Puppy Scams

Researchers at Anomali have discovered eighteen scam websites offering pets for sale. Most of the websites purport to be selling dogs, although some offer cats and birds as well. The sites are all operated by the same group of scammers that use similar social engineering tactics to lure people in.

“The websites all share similar and sometimes identical text in their reviews/testimonials pages,” the researchers write. “There are also numerous typos in the testimonials with one post discussing how a German Shepherd had ‘hatched’ and was available, which is a clear copy-and-paste error from the actors’ bird fraud websites.”

While the scammers’ writing skills won’t win any awards, the photos of puppies may be enough to get people to lower their defenses. If a user clicks the “Buy me!” button, they’ll be taken to a contact form where they can get in touch with the scammers.

The researchers explain that the scammers are exploiting the holiday season as well as the increased demand for pets amid the pandemic.

“The COVID-19 pandemic has increased pet purchases as stay-at-home policies and remote work makes people seek companionship from their animal friends, a condition that may amplify the bad actors’ ability to run a more successful scam,” the researchers write. “Furthermore, these scams focus on purebred dogs, which again are increasingly difficult to find.”

Anomali offers the following tips for users to avoid falling for scams:

  • “Be extremely cautious if the price is too good to be true.
  • “Be extremely cautious if the site does not provide you with the owner’s name, address, and social pages.
  • “Pay attention to elaborate testimonials that are too good to be true. They are often copied too, so you may google a part of it to see if it is unique.
  • “Pay attention to typos and phrases like “Labrador baby had hatched”; scammers are often sloppy in their templates and have bad English.
  • “If they give you a phone number, try Googling it. Often the fraudsters use the same phone number for different schemes, and it might be already listed on some scam lists.
  • “Be extremely careful if you are advised to pay for your future pet with Bitcoins or gift cards, which is even more suspicious.”

And besides, people who can’t keep the puppies and the hatchlings apart in their own minds can hardly be reliable pet sellers. And, as always, new-school security awareness training can teach your employees to follow security best practices.

Anomali has


Cybercriminals Attempt to Exploit Australian Fears on COVID-19

The bad guys are attempting to take advantage of Australian fears of COVID-19 in 2021. ID Care, the National Identity and Cyber Support Service of Australia and New Zealand, recently warned of COVID-19 phishing attacks using deepfakes that are set to launch in 2021.

ID Care analysts stated that cybercriminals will likely use the COVID-19 vaccine as a lure through the first half of 2021. “This is likely to lead to an increase in phishing scams, with the intent of scaring people into clicking on harmful links,” stated the service provider.

The bad guys could also take advantage of check-ins with QR codes. “And when you think of the information stored on there – your name, address and phone number – this information could be a honeypot for cyber criminals,” the service stated. It’s important to also be vigilant about deepfakes – realistic, computer-generated video or audio recordings of someone well-known. “And don’t believe every video clip you see of a famous person, whether it be a celebrity endorsing cryptocurrency or a President giving a “speech” via YouTube,” ID Care said.

Fortunately, vaccine providers Pfizer and Moderna are already working in tandem with America’s Department of Homeland Security to prepare for incoming vaccine scams. It’s important not to open links in unfamiliar emails or reply to texts from senders you don’t recognize. ID Care expects the scammers to pose as health officials or government agencies, so do not release any personal information whatsoever.

With the new year already facing potential attacks, it’s important to continually educate your users about the latest threats. New-school security awareness training can teach your users how to analyze and report any suspicious activity in their day-to-day job functions.


Private Online Shopping Risks Affect Businesses, Too

Consumers aren’t the only ones who can be victimized by social engineering attacks while shopping online, according to Arab News. Employees who use work devices for personal shopping are at risk of falling for scams and potentially letting attackers into the company’s network. Arab News quotes Werno Gevers, regional manager at Mimecast Middle East, discussing the findings of Mimecast’s recent report on how employees use company-issued devices.

“The research showed that 81 percent of participants had received specific work-from-home cybersecurity training, yet 61 percent still admitted to opening emails they thought were suspicious,” Gevers said. “This shows that while there is a lot of awareness training offered, the content and frequency is completely ineffective at winning the hearts and minds of employees to reduce today’s cybersecurity risks. Training needs to be regular and memorable if organizations are to protect workers and company systems from compromise.”

Cybersecurity expert Abdullah Al-Jaber told Arab News that employees should avoid using company devices for personal matters.

“Don’t use a work laptop for personal use, such as emails and surfing the Internet,” he said. “Make sure to enable two-factor authentication whenever available on any platform and use complex passwords that cannot be guessed easily. And, of course, report any suspicious emails or calls.”

In addition to attacks that affect an organization directly, phishing campaigns that impersonate a company’s brand can impact the company’s reputation.

“As part of its regular security research, Mimecast monitored 20 leading global retail brands and found almost 14,000 suspicious, recently registered website domains using names related to those brands,” Arab News says.

While these attacks aren’t the fault of the impersonated organization, Gevers explained that they can still have an impact on the organization’s reputation.

“The damage to a company’s reputation following a successful online brand exploit can take a long time to repair, so it’s in the best interest of the organization and its customers to take preventative measures,” Gevers said.

New-school security awareness training can enable your employees to follow security best practices and avoid falling for social engineering attacks.


Wedbush Analyst: “Cybersecurity spending will increase 20% in 2021 Due To SolarWinds.”

Wedbush senior tech analyst Dan Ives says cybersecurity spending will increase by 20% in 2021 as more companies ramp up protection following the SolarWinds hack that compromised state agencies and corporations including Microsoft.

Ives said he’s very bullish on cybersecurity stocks given a “perfect storm of demand” in the field. He raised price targets for several cybersecurity stocks in a Sunday note. Names specifically in advanced threat detection, zero trust architecture, data security, and identity security will see a near-term surge of budget allocation based on the nature of the SolarWinds hack, said Ives. Story at BusinessInsider:

https://markets.businessinsider.com/news/stocks/cybersecurity-stock-outlook-impact-of-solarwinds-attack-further-acceleration-wedbush-2020-12-1029912129


Eye-Opening Password Predictions: Remote Work Will Increase Risk for Data Breaches

Ponemon’s State of Password and Authentication Security Behaviors Report tracks password and security behaviors over time, and similar trends show up year after year. We wanted to deep dive into the reports of years past and give some predictions as we move closer to 2021.

We’ll start with 2019 – according to the report, extremely poor password management habits by those in IT were making a hacker’s job much easier. One of the most surprising stats from that report: 51% of IT admins reuse the same password across an average of five business and/or personal accounts.

Now onto 2020 – based on the updated report, there were several findings, including that two-thirds of IT organizations still follow older practices such as requiring periodic password changes (67%), a recommendation Microsoft has officially killed. It also revealed that 20% of users don’t take any steps to secure their passwords.

What similarities can we find year over year? For starters, reuse of the same passwords across multiple accounts is still happening a lot. Password policies are also not being updated, with organizations still sticking to the old-school approach. This lack of best practices has also coincided with an increase in data breaches year over year.

The only wrench in the 2020 report was the COVID-19 pandemic, which caused millions of companies to move to a remote workforce. With 2021 still moving in that direction, there is some cause for concern about what next year’s report will look like. We have some predictions:

  • Increase in attacks on multiple accounts – according to a recent report from Security Magazine, 53% of people admit to reusing the same password for multiple accounts. Now that users are working remotely, there is a larger attack surface for the bad guys to go after.
  • Password reuse will continue – without any strict password policies, users will continue down the spiral of reusing the same passwords on multiple accounts.

As we continue to work in a remote environment, user education is of high importance. New-school security awareness training can keep your users informed about good password hygiene and avoid potential data breaches.


Beware! The Holidays Bring the Worst Out in Cyber Scammers

With emotions running high, time running out to get that last needed gift, and a returned focus on family and what’s truly important, scammers are taking advantage at every turn.

Every year – and this year in particular, as people are looking to the holiday season to bring back some semblance of normalcy – cybercriminals find a myriad of ways to use holiday-themed scams and social engineering to fool victims out of credit card information and even hard-earned money. And with COVID putting a damper on in-person shopping, the massive reliance on online shopping makes the bad guy’s job even easier.

Some of the common scams to be mindful of include:

  • Social Media Deals – that convenient ad on your favorite social media site can take you to what appears to be a legitimate website (that you’ve never heard of) offering the perfect gift for someone you care about at an unheard of price. And once they have your credit card details, they can be used or sold within minutes. Remember, even criminals can pay to have ads posted…
  • Charity Scams – A simple pulling of the heart strings with an email, social media post, etc. about how you can help is designed to take advantage of your giving spirit. Be sure any charity asking for your money is legitimate before giving.
  • Fake Shipping Notifications – sent via email or text, the simple message that delivery is being delayed and may not make it by Christmas is all that’s needed to get the potential victim invested enough to need to find out more, click links, provide credentials, etc. Any legitimate shipping notification will provide some details you already know (e.g., the company shipping the item, your address, etc.).

There are many more – free gift cards, payment declines, look-alike websites, etc. What’s needed is to be mindful that not everything one reads, receives via email or text, etc. is real; a modicum of suspicion and scrutiny is needed, even while staying in the holiday spirit.


Over Half of Users Admit to Reusing the Same Password on Multiple Accounts

New data reported earlier this year by Security Magazine shared a report from SecureAuth that 53% of users reuse the same passwords on multiple accounts. Among those, 44% admit to using their personal passwords at work.

Additional findings include management having the worst password hygiene. Only 38% of those in leadership positions say their work passwords are unique, and 34% of those in director-level positions admit to using one of the most common passwords.

In 2018, OpenVPN reported that the number of employees reusing common passwords on their accounts was only 25%. This year, the percent has nearly doubled.

Password sharing also runs rampant in the office, with text messages being the most common way people share a password. As most users continue to work in a remote environment, it’s important to teach your users how to maintain healthy password hygiene to avoid a potential data breach or malicious attack.

One way to avoid reusing the same passwords is to invest in a password management system. Password managers let your users store complex passwords without having to remember a laundry list of them. You can also implement effective password policies, such as setting a timeframe for how often users should update their passwords, or consequences if a common password is used.

Consistent education is essential in ensuring your users are prepared with the tools to apply these best practices to their day-to-day work functions. New-school security awareness training can teach your users tips and tricks on how to keep the bad guys from infiltrating their accounts.
