It is tax season in the US at the moment and there are a lot of scams going on, which the IRS do warn people about. This one caught my attention because it was a simple attempt to steal e-mail account credentials. Apparently there have been some changes made to the US tax code, which people are aware of but may not fully understand them, which may be enough to cause somebody to fall for this scam.

What happens is the victim receives an e-mail with the subject of “Federal Tax Refund Information”.

This e-mail then says “Good afternoon, I have a very important information for you concerning the Federal Tax Refund which I know that it will help you. Kindly check the attached file to view the details.” For those of you unfamiliar with Commandment 5, you might be tempted to open the attachment.

The PDF that is attached, when opened, simply contains what looks like a link to a Google Drive document.

Which of course you want to look at because, money! There is also a sense of urgency introduced by saying the tax refund document is only stored for 14 days. While this is a fairly lengthy period by phishing standards, it still sows a sense of haste.

Clicking on the link, brings you to a website that looks an awful lot like a Google Docs sign-in page which, if you are not paying attention, might cause you to give away your Gmail account name and password. I refer, of course, to not paying attention in regards to the address of the sign-in page, which is circled in red:

That is not “https://accounts.google.com” which would be what you are would normally expect. Of course if a genuine account and password is provided, then the evil doers will now take full control over the e-mail account and use it for nefarious purposes, UNLESS of course you had followed Commandment 7 and used two-factor authentication. If you had, you could then laugh at the bad guys attempting to login as you and failing because of this brilliant protection mechanism.

Then you calmly go ahead and change that password in ALL accounts that you used it in, because it’s now compromised.

While this has been relating to the US tax season, expect similar carry-on during October in Ireland.

The post Sneaky Tax Refund e-mails appeared first on L2 Cyber Security Solutions Ltd..

Here is the offending dodgy e-mail:

To me, there are a number of obvious indicators that this is a dodgy e-mail:

1. The sending address (the bit after “UPS View”) was not a UPS address.
2. The two links in the e-mail did not go to a UPS website.
3. Most obviously … I wasn’t expecting a delivery!

So lets take them one at a time:

• Some e-mail clients don’t actually show you the whole e-mail address of the sender. They just show the Display Name, which in this case is “UPS View”. So if you were using such a client, then it would appear to be a legitimate UPS e-mail address. However in my case, there was this @aol.com e-mail address, which is not associated with UPS.
• When you see a link in an e-mail or website, you can hover the mouse over it. Somewhere towards the bottom of your browser window, you should be able to see where the link is going to take you. In this e-mail’s case it was going here, which is not a UPS site:

• In my case I wasn’t expecting any delivery. But what if I was? What if I was an under pressure procurement clerk in a large organisation? I’d be getting deliveries on a regular basis. I’d be very inclined to click on those links.

Please note I carried out the following action on a sacrificial machine, so please do not be tempted to ever click on links to see what happens next. It could end very badly for you.

So what would have happened if I did click on the link? A word document, with a name that started “Tracking-3154631…” was downloaded. This document, if opened, would persuade me to click on “Enable Editing” and then click on “Enable Content”. Once I had taken those actions, macros (a set of instructions for a computer) in the word document would have downloaded a really nasty piece of software. Then all of my files would have been scrambled and I would be presented with a ransom demand to get my data back.

If I was that under pressure procurement clerk, it would not have stopped at just the files on my computer, but any files that I could access on the company’s network. That could be very, very disruptive to the organisation.

Out of curiosity, I checked the website (the bit before the “/UPS/16-Nov….”) that hosted that document. It appears to be a legitimate business website. However, they’ve probably been hacked by the bad guys, who are now using their site to host their malicious downloads.

UPS offer advice on fraudulent e-mails.

As usual, we’ve even got a commandment that covers dodgy e-mails too. So have a read to see what you can do to protect yourself.

The post Dodgy e-mail that looks legit. appeared first on L2 Cyber Security Solutions Ltd..

I bring this up as a real-life scenario came to my attention this week. I was giving a training session and during a break one of the attendees asked me about a strange WhatsApp message that she received.

She showed me the message, which reportedly came from Apple, about a transaction on her account, that occurred in Mexico, which they blocked. There was a link for her to check her account. She told me that she had clicked on the link, and after signing into her iTunes account nothing else happened. Before I could say anything, she clicked on the link again and there was the sign-in page.

I have to say, that the WhatsApp message and sign-in page looked very plausible and legitimate. There were no spelling mistakes or lousy formatting. I had to break the news to her that she had given her iTunes ID and password to the bad guys and she needed to change her password as quickly as possible. So I took her through the process on her iPhone. When we got as far as here, I breathed a sigh of relief.

With this Two-Factor Authentication turned on, the evil doers would not be able to access her iTunes, without access to her phone. That’s because Two-Factor Authentication is like a double check. When you sign in to an account with an ID and password, the service does a double check and sends a code to your phone as a text message, which you then type in to complete the sign in.

While we were reassured that her iTunes account was reasonably safe from being immediately hacked, I still got her to change her password to something new. I also advised her to change any other account that used that password as well.

This Two Factor Authentication malarkey is such a good idea, I’d even created it’s own commandment.

The post Double check your security. appeared first on L2 Cyber Security Solutions Ltd..

The first occurred on Friday, late afternoon. I was speaking with a client on my business phone, when a call came in on my personal phone. It was a UK number +44-141-846-1617. I didn’t answer and let it go to voicemail, which a minute or so later showed that I had a message. When I finished speaking with my client I dialed 171 and listened to it.

There was silence for a long time and then “Hi. A free Euromillions Lottery ticket is waiting for you at the upcoming 45 million Euro jackpot draw. To redeem, press 1.”. This was repeated until the voicemail cut out. Here is a recording:

There was probably some sort of auto-dialler that was cycling through a set of numbers and playing the message at them. Presumably if somebody pressed 1, they would be connected to an “agent” who would kick off the sales-pitch, with “Oh good news, you have won a thousand Euro in a special draw, just give me all of your bank account details and PIN number and we can transfer that money for you.” and then proceed to empty your account. 

There were some reports in May about these calls coming from an Irish number, but this week it was a UK number.

The second of the phone scams came yesterday and was the old SMS text message with a link to a photo (apparently), and here is said offender:

It would be so easy to click on that link, but as I am a firm believer in Commandment 5, I resisted the temptation to click and instead fired up a sacrificial machine and typed the link into that instead .  After a moment of the web address changing in the browser (also known as a redirect) I was presented with, what appears to be, the start of a movie trailer and then this message:

So like a good sucker, I clicked on OK and was presented with:

Anybody who read last week’s post, will know that these kind of sign-ups, will usually mean entering a credit card number somewhere, which will then be milked dry by the evil doers. I traced the original link to a company based in the Seychelles, so at least the money would be going somewhere nice 

So, please don’t fall for these phone scams. There are many others, so if in doubt, just remember “If it sounds too good to be true, then it probably is.” and follow Commandment 5 for unsolicited e-mails, texts or social media messages with links.

The post Phone scams – some current examples appeared first on L2 Cyber Security Solutions Ltd..

Essentially this is where the bad guys have a web page at an address that is very very very close to the spelling of a popular or well known webpage and they count on you having a typo and either missing a letter (e.g. instgram.com) or hitting an adjoining letter (e.g. facebooo.com) in error.

Don’t try this on your desktop/laptop/tablet/phone. I have a separate, sacrificial machine which I can use for such things.

I tried to access www.instgram.com (missing the “a” in the middle) and received the following page:

Notice the address where it is going to (circled in yellow) – that is not an Instagram address, but some sort of ad/advertising address.

When I clicked to continue, I got:

I didn’t continue any further, as I googled gr8musik.com and the results indicated it was a scam site, which if you registered with it, would take money from your credit card, even though you were supposed to be in some kind of a free trial period.

Similarly, I tried www.facebooo.com (an “o” instead of the “k”) and got the following:

This was just some kind of survey. But you never know what you will get. A subsequent attempt to go to www.instgram.com brought me to the survey, followed by the survey (again), followed by a sign-up form for mcplayz.com (identical to the above gr8musik.com). So these crooks are randomly sending you to different pages trying to compromise you in someway.

According to this post, the victim’s typo sent him to a “Technical Support” page, where he was advised that his PC was locked and he needed to telephone for support. If he did this, the scammers at the other end of the line would have talked him through giving them remote access to the PC and then they would have totally locked him out and looked for his credit card details to “fix” the problem.

Some pages reached by a typo try to apparently show you a video, but then indicates there is a problem and that you need to download a specific video player to watch it. For example, the following headline is tempting you to watch the video to get your hands on software worth $7,000.

These will typically download what is referred to as adware, and if you read our last week’s post about the Fireball adware, you can see  how insidious that adware can be. Adware will take control of your browser and fire ads at you while you are trying to use the internet. It might also re-direct your searches to odd search engines, which will likely attempt to track you and violate your personal privacy on the internet.

So just be careful when typing addresses. Better still use bookmarks.

If you do inadvertently get taken to some page that you never intended to go to, just close the browser immediately by way of the X in the top right-hand corner of the window. You might get warnings about losing data, just ignore them and close that browser. It would do no harm to run a spyware check on your PC at this point, in case any adware did manage to sneak in without your knowledge or permission. There are free tools from Malwarebytes or Safer Networking that can do this for you, but you might want to also talk to some real life technical support (a techy friend or the IT team in your place of employment) about it and have them give your PC a once over.

Whatever you do, don’t continue to engage with a website that you weren’t intending to visit and stay safe.

The post How a typo can cause you problems. appeared first on L2 Cyber Security Solutions Ltd..

Even though it is written in the scam-iest possible language with the bad spelling and poor English, because it is addressed direct to you, you are going to sit up and take notice. So much so, that you might be very tempted to open the attachment to see what other information this person has on you. You should know me by now – Just DON’T open the attachment on an e-mail from a stranger – delete the damned thing, as set out in Commandment 5.

If you did open it, it will ask for the password, which is specified in the evil e-mail:

And after you enter that, it will want you to disable all of the security protections in Microsoft Word, so it can attempt to do it’s nasty work on your desktop/laptop:

If you follow through and do what it asks you to do, you wont see any further information about you, you will see an “alternative fact” – It will tell you the file is corrupted and can’t be opened:

In fact this is a sign that the evil e-mail has done it’s worst and may be scrambling your files and locking you out of them. The payload can vary, depending on what the evil doers decide they want to achieve. Trust me on this, it will not be anything in your best interests.

So please, JUST DON’T do anything with the e-mail! Delete the damned thing and go on with your life.

The fact that they have your name and address, while concerning is maybe not terribly surprising. After all in 2016, there was at least 3.1 billion records reported as being leaked in various data breaches. So it is possible that your name, address and e-mail have made it into the hands of the criminals who are now trying to exploit the data in this nasty phishing scam.

Delete the e-mail and move on.

And let’s be careful out there.

The post Evil e-mail has your name and address! appeared first on L2 Cyber Security Solutions Ltd..

Here’s the best possible protection for your GMail password

The post Scary new way to have your GMail password and account stolen. appeared first on L2 Cyber Security Solutions Ltd..

This is pretty compelling. It looks like there is a video of you on YouTube with nearly 384K views. You’ve got to go see what everybody is looking at … right?

The post Facebook Messenger scam … it’s nothing new, but it’s still effective. appeared first on L2 Cyber Security Solutions Ltd..

I yearn for the days when evil e-mail was so easily identified “becuse it wuz ritten in, gud, inglish wit grate spellhng an pun.tation”. ?
In the last couple of days, the evil doers have been varying their scam e-mails fairly wildly and it’s bound to catch out some people.
I’ll run through three sneaky methods that have been attempted on others over the last 48 hours.

(1) Non-Delivery Receipt.

You know these e-mails. You get them when you send an e-mail, but you make a mistake and send it to an address which doesn’t exist or the mailbox has a size limit and your e-mail breaches that limit. This is the text of the Non-Delivery Receipt (NDR) in this instance:

Your message was not delivered due to the following reason(s):

Your message could not be delivered because the destination server was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.

Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.

There is a ZIP file attached to the NDR, which of course has some nasty software that does not have your best interest at heart. ?
Just delete the scam e-mail.

(2) A Microsoft Sharepoint Notification.

This is a particularly sneaky one, as lots of larger organisations depend on Sharepoint’s sharing abilities.
The e-mail looks something like this:

The Link in the body text would take you to a not particularly nice website. No doubt it might attempt to infect your computer. ?
Just delete the scam e-mail.

(3) Somewhat abusive attempt to get you to open the attachment.

Please be warned, there is a profanity ahead. I wanted to leave it in as it does generate something of a visceral reaction when you read it.

Subject: credit card charge from <your company’s domain name> 

What is this fucking charge on my card?
I never visited or bought anything from <your company’s domain name>.
I have attached a screenshot of my statement.
I want my money back!!!
I have attached my card statement, please get back to me ASAP.

Thank you

company name

person name

phone

fax

There is a Word document attached to the e-mail, which of course has … nasty ransomware, which will scramble all of your files and leave you with a very bad day ahead. ?
Just delete the scam e-mail.

Conclusion

I hope you noticed that I was pretty consistent in my recommended action … this is because it is from Commandment #5 in our Ten Commandments of Cyber Security.
If you wish to train your staff on how they can spot these type of e-mails, then have a read of this course outline and contact us on the number or e-mail address at the end of that. We’ll be happy to discuss your training requirements and provide a quotation to cover same.
And lets be careful out there.

H/T to the SANS Institute’s Internet Storm Centre @ https://isc.sans.edu/

The post There is a lot of variations in scam e-mail the last couple of days. appeared first on L2 Cyber Security Solutions Ltd..

The post Snail mail delivers USB keys … WTF? appeared first on L2 Cyber Security Solutions Ltd..