This sounds familiar

I covered something pretty similar back in #WeekendWisdom number 42 where I covered Consent Phishing.

But credential phishing is where the criminals are going to try and get you to give up your login ID, usually your email address and your password. They can later on compromise your email account or perhaps log into your office systems to be able to execute a ransomware attack.

How do they carry out phishing for credentials?

The methods they use are varied, but a very sneaky one that they typically use is, they will send an email with an actual SharePoint link in there, or this could be a Google Drive link as well. People are very familiar with SharePoint links and Google drive links. They are usually fairly safe to click because these are things that people deal with on a day-to-day basis. They’re not some crazy dodgy site that you are being linked to. It’s something you’re familiar with.

Then when you click on the link, then it will say “Oh. You need to sign into your Microsoft account” or “… your Google account to be able to get into this document.” That’s where they catch you. They pop-up a login page and you give up your user ID and password in there. Now they have it.

How can you protect yourself from this?

So it’s really important that you implement something like multi-factor authentication to get an additional set of protections from these sorts of attacks.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

The post #WeekendWisdom 091 Phishing for Credentials appeared first on L2 Cyber Security Solutions Ltd..

Lets start with the basics. Phishing emails.

Most people are familiar with phishing emails that come in from strange email addresses, that come into their mailbox with attachments or links and they have received decent cyber security awareness training which means that they look at this and they say “There is an unsolicited email with a link or with an attachment. I should delete this because it’s malicious.” and get on with their day.

How is Email Thread Hijacking different?

But what happens if one of those emails comes into your mailbox and it’s actually a reply from somebody you know and is actually a reply from an email thread that you’re involved in. It might just say something like “Here’s the information you’re looking for.”

That’s going to be pretty believable and you’re probably going to click it to open that document or click on the link, that might open a document and you might get something that looks like this, this is saying this is an encrypted document or it could be just saying that it’s a protected document or it’s using a different version of word or an online version or an offline version.

But they always have the same instructions. Click “Enable editing” and click “Enable content”.

What happens if you fall victim?

So if you ever open a document and see this type of instruction, close the document immediately, never ever, ever click on “Enable content” because as soon as you do, the malware will run and it will go through your inbox and reply to emails in your inbox and try and spread this malware to other people by using the same technique.

So that’s Email Thread Hijacking. Never ever, ever click “Enable content”.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 062 Email Thread Hijacking appeared first on L2 Cyber Security Solutions Ltd..

So here it is. I’ve removed the identifying bits from my colleague’s company, but it was his domain name where shown.

The only red flag in this email was the From address. That was a peculiar looking domain name.

While there was no sense of urgency in the email, obviously the thought of your business having a negative listing isn’t good. Also this service is apparently “a FREE public service”, so surely it won’t cost anything to be able to make the listing positive. Right?

I’m sure if you clicked that link and sent an email looking for the report, an offer would be made to help you get a positive listing … for a small fee of a few hundred or thousand pounds (this is a UK site after all).

Even without the red flag on the from address, this whole email stank to me. It was simply trying to use a ruse to shame the domain owner into getting in contact to supposedly make their company GDPR compliant. As always treat any unsolicited email with the contempt it deserves.

If you received anything like this, you can always get in touch with us at info@L2CyberSecurity.com and we will be happy to clarify for free. If you’d prefer an official response, you could contact the Data Protection Commission at https://www.dataprotection.ie/en/contact/how-contact-us

Lets be careful out there.

#SecuritySimplified

#GDPR #SimpleGDPR

The post Not GDPR Compliant – Really? appeared first on L2 Cyber Security Solutions Ltd..

What I’ve talked about above, is all prevention. However that doesn’t help you if you are staring at a monitor with a ransom demand on it. Let me give you a couple of examples of recently reported Ransomware incidents and how they were handled.

Bristol Airport recovers from Ransomware Incident

On the weekend of the 15th and 16th September, Bristol Airport suffered a Ransomware incident. This incident took their flight information screens off-line for much of the weekend. Luckily no other safety or flight systems were affected.

How did the authorities at Bristol Airport deal with Ransomware? They re-built the systems and restored backups. They did not pay the Ransom.

Scottish Brewery suffered a Ransomware incident from a job application.

In the last couple of weeks, the Arran Brewery in Scotland had all of it’s systems affected by Ransomware. They had been running a recruitment campaign, advertising for a role via their own website. The evil doers took that ad and posted it to some international recruitment websites. The brewery then started receiving several e-mails a day from interested candidates from all over the world. In among those e-mails the bad guys slipped in one with Ransomware. The CV got opened and their files got scrambled. Not only were their live files affected, but their recent backups were too. These were stored online, attached to their network. Their most recent offline backups were 90 days old.

How did the brewery deal with Ransomware? They also re-built their systems and restored what backups they had. In this case though, they did consider paying the (GBP) £9,600 ransom. They came to the determination that the value of the data they lost (90 days of sales data) was less than the cost of the Ransom demand. They also took into consideration that paying the Ransom does not guarantee they would get back their data.

The brewery then did something really sensible. They have kept a copy of the scrambled data.

Help may be available from the good guys.

There is a not-for-profit, freely available service called No More Ransom (https://www.nomoreransom.org). This is run by various Law Enforcement and Cyber Security firms around the world. They are constantly working on cracking the codes for the different Ransomware variants and enabling people to recover their data for free.

So the Arran Brewery is holding onto the scrambled data in the hope that someday they will be able to unscramble it.

So how should you deal with Ransomware?

Prevention is always better than a cure.

The first thing is to make sure you get your staff some security awareness training. This is something that I deliver. Details of the complete training is available here. We can do customised training to suit your organisation too. Call me on 087-436-2675 or e-mail on info@L2CyberSecurity.com to discuss your requirements.

Then ensure that you have your systems updated/patched regularly, have security appliances like Firewalls in place, Anti-Virus is generally helpful against malicious software and also you shouldn’t insert strange USB devices into your computers.

Finally, you should have a good data backup system in place. This can be a very simple set-up or more complicated depending on your business needs. Again, I offer advice and support on backup strategies and business continuity planning. I also have a commandment about backups.

That’s it! With all of the above in place, in the very unlikely event that you do subsequently suffer a Ransomware incident, you will be able to recover from it.

What if it would cost me less to pay the ransom?

This is a genuine struggle for a business owner, particularly small businesses. Recovering systems from a ransomware incident takes time, which costs money, and the business may be unable to operate while recovery is ongoing, so is not generating revenue. A good business continuity plan, should reduce such risks.

If you are tempted to pay, I just have two things I want you to consider:

1. There is no guarantee that you will get your data back. Figures vary wildly from 50% to 100% failure to recover data. If you pay and don’t get your data back, you will then have to pay the full cost of recovery anyway.
2. You are funding organised crime. You are paying criminals who not only do cyber crime, but human trafficking, drugs, weapons, etc. People think I am being jokey or have my tongue in cheek when I refer to Evil Doers. I’m not. This is an accurate description of these people. They! Are! Evil!

If you pay once, then the bad guys reckon you might pay again, so you will be a bigger target. My advice to deal with Ransomware is to implement preventative measures (call me on 087-436-2675 or e-mail info@L2CyberSecurity.com to have a no obligation chat) and never pay these evil doers.

What else do you need to consider?

Don’t forget that if the data that gets scrambled contains personal data, then you have a data breach on your hands, which may be notifiable under the new Data Protection Act 2018 which incorporates the General Data Protection Regulation (GDPR). I’ve a short video here:

Finally, if you do suffer a Ransomware incident, a crime has been committed, so please report it to local Law Enforcement. They may not be able to do much about it, but it needs to be reported for statistical purposes if nothing else. If it can be shown that Cyber crime is as big a problem, as I know it to be, then the more reports to Law Enforcement will mean they will get more resources to be able to tackle it’s root cause.

#LetsBeCarefulOutThere and #StaySafe

#SecuritySimplified #GDPR

The post How to deal with Ransomware. appeared first on L2 Cyber Security Solutions Ltd..

The first thing to highlight is that the evil doers are now using partial telephone numbers in this sextortion scam instead of old passwords. This can be more effective than the old password ruse that was used last month. This could be because many people may have changed passwords since. However not too many of us regularly change our mobile number.

New development of the sextortion scam

We may also be quite used to seeing our number appear in a partially redacted manner.

So in this example, the victim sees the number +XX XXXXXX6074 instead of an old password. They have confirmed to the good folks over at the Internet Storm Centre (ISC) that those last 4 digits match their number. So that can really make people sit up and take notice.

The question arises though – why are they partially redacting the number? It’s not like these guys are reputable and are trying to protect your privacy by not emailing the full number. If they truly had your full information from a hack or a data breach, why not just put the whole thing in there? It would be very much more effective.

No, they don’t have your full number at all and as surmised by the team over at the ISC, they are probably getting the information from password reset forms. This is where the like of Google and Amazon will send you a text message with a code as part of the reset process. Or as part of a two-factor authentication step such as the following:

So the bad guys have upped their game here. Just don’t fall for it.

Are they making any money?

The other update in relation to this is about the money they have actually made from this sextortion scam. A couple of weeks ago the fine people at the ISC did an analysis of the bitcoin wallets that were included in the scam emails. These are the long string of characters and numbers that I redacted in the email example above.

“Wait a second” I hear you say, “Bitcoin is untraceable, anonymous money.”. Actually it’s not really untraceable as by the very nature of the blockchain on which bitcoin is based, each transaction is fully public. It would be more appropriate to say that it is unregulated money.

Anyway, their analysis revealed that of the many wallets they were monitoring:

• 123 payments were received
• $235,000 in total was paid to those wallets
• $4,900 was the biggest payment, with an average payment of $1,900

This was probably a subset of all the wallets in use across the whole campaign. However you can see that people were fooled into parting with their money in reasonably large numbers.

So you now want to easily protect you and your staff from these kind of scams, right? I do some pretty awesome security awareness training. If you were interested in finding out more, just send an e-mail to info@L2CyberSecurity.com.

#LetsBeCarefulOutThere

#SecuritySimplified

The post Sextortion scam – a follow up. appeared first on L2 Cyber Security Solutions Ltd..

It is of course a scam, but having an old User ID and Password on the e-mail does seem to give it a sort of legitimacy, in that they may just have hacked your computer. If you happened to be somebody who recently viewed porn on that computer, one which has a webcam, then you may just fall victim to this sextortion scam. This is what a typical e-mail looks like:

The amount payable varies between the various e-mails, as does the Bitcoin wallet address (both circled above). There may also be a number of random words towards the end of the e-mail, which are used to defeat spam filters.

The bottom line here is, these people did NOT hack into your machine and record you watching porn. If they did, why wouldn’t they include a frame from said footage to prove that they had something on you.

The old User ID and Password that they included will have been picked up by the bad guys from a data breach sometime in the past. This stuff has been knocking around the internet for a loooonnng time. I did mention this last year when I talked about another scam e-mail that knew your name. They will have used other indexing techniques to associate the old account with your current e-mail address and then send you the scam e-mail.

Well known security reporter Brian Krebs, reckons that the evil doers may refine their technique and use more recent accounts that were part of a data breach.

As I always do in these e-mails I refer you to my fifth commandment. I’ll also throw in a shameless plug for the security awareness training that I provide, which, if you were interested in finding out more, just send an e-mail to info@L2CyberSecurity.com.

Let’s be careful out there.

The post A Sextortion Scam appeared first on L2 Cyber Security Solutions Ltd..

It is tax season in the US at the moment and there are a lot of scams going on, which the IRS do warn people about. This one caught my attention because it was a simple attempt to steal e-mail account credentials. Apparently there have been some changes made to the US tax code, which people are aware of but may not fully understand them, which may be enough to cause somebody to fall for this scam.

What happens is the victim receives an e-mail with the subject of “Federal Tax Refund Information”.

This e-mail then says “Good afternoon, I have a very important information for you concerning the Federal Tax Refund which I know that it will help you. Kindly check the attached file to view the details.” For those of you unfamiliar with Commandment 5, you might be tempted to open the attachment.

The PDF that is attached, when opened, simply contains what looks like a link to a Google Drive document.

Which of course you want to look at because, money! There is also a sense of urgency introduced by saying the tax refund document is only stored for 14 days. While this is a fairly lengthy period by phishing standards, it still sows a sense of haste.

Clicking on the link, brings you to a website that looks an awful lot like a Google Docs sign-in page which, if you are not paying attention, might cause you to give away your Gmail account name and password. I refer, of course, to not paying attention in regards to the address of the sign-in page, which is circled in red:

That is not “https://accounts.google.com” which would be what you are would normally expect. Of course if a genuine account and password is provided, then the evil doers will now take full control over the e-mail account and use it for nefarious purposes, UNLESS of course you had followed Commandment 7 and used two-factor authentication. If you had, you could then laugh at the bad guys attempting to login as you and failing because of this brilliant protection mechanism.

Then you calmly go ahead and change that password in ALL accounts that you used it in, because it’s now compromised.

While this has been relating to the US tax season, expect similar carry-on during October in Ireland.

The post Sneaky Tax Refund e-mails appeared first on L2 Cyber Security Solutions Ltd..

Here is the offending dodgy e-mail:

To me, there are a number of obvious indicators that this is a dodgy e-mail:

1. The sending address (the bit after “UPS View”) was not a UPS address.
2. The two links in the e-mail did not go to a UPS website.
3. Most obviously … I wasn’t expecting a delivery!

So lets take them one at a time:

• Some e-mail clients don’t actually show you the whole e-mail address of the sender. They just show the Display Name, which in this case is “UPS View”. So if you were using such a client, then it would appear to be a legitimate UPS e-mail address. However in my case, there was this @aol.com e-mail address, which is not associated with UPS.
• When you see a link in an e-mail or website, you can hover the mouse over it. Somewhere towards the bottom of your browser window, you should be able to see where the link is going to take you. In this e-mail’s case it was going here, which is not a UPS site:

• In my case I wasn’t expecting any delivery. But what if I was? What if I was an under pressure procurement clerk in a large organisation? I’d be getting deliveries on a regular basis. I’d be very inclined to click on those links.

Please note I carried out the following action on a sacrificial machine, so please do not be tempted to ever click on links to see what happens next. It could end very badly for you.

So what would have happened if I did click on the link? A word document, with a name that started “Tracking-3154631…” was downloaded. This document, if opened, would persuade me to click on “Enable Editing” and then click on “Enable Content”. Once I had taken those actions, macros (a set of instructions for a computer) in the word document would have downloaded a really nasty piece of software. Then all of my files would have been scrambled and I would be presented with a ransom demand to get my data back.

If I was that under pressure procurement clerk, it would not have stopped at just the files on my computer, but any files that I could access on the company’s network. That could be very, very disruptive to the organisation.

Out of curiosity, I checked the website (the bit before the “/UPS/16-Nov….”) that hosted that document. It appears to be a legitimate business website. However, they’ve probably been hacked by the bad guys, who are now using their site to host their malicious downloads.

UPS offer advice on fraudulent e-mails.

As usual, we’ve even got a commandment that covers dodgy e-mails too. So have a read to see what you can do to protect yourself.

The post Dodgy e-mail that looks legit. appeared first on L2 Cyber Security Solutions Ltd..

I bring this up as a real-life scenario came to my attention this week. I was giving a training session and during a break one of the attendees asked me about a strange WhatsApp message that she received.

She showed me the message, which reportedly came from Apple, about a transaction on her account, that occurred in Mexico, which they blocked. There was a link for her to check her account. She told me that she had clicked on the link, and after signing into her iTunes account nothing else happened. Before I could say anything, she clicked on the link again and there was the sign-in page.

I have to say, that the WhatsApp message and sign-in page looked very plausible and legitimate. There were no spelling mistakes or lousy formatting. I had to break the news to her that she had given her iTunes ID and password to the bad guys and she needed to change her password as quickly as possible. So I took her through the process on her iPhone. When we got as far as here, I breathed a sigh of relief.

With this Two-Factor Authentication turned on, the evil doers would not be able to access her iTunes, without access to her phone. That’s because Two-Factor Authentication is like a double check. When you sign in to an account with an ID and password, the service does a double check and sends a code to your phone as a text message, which you then type in to complete the sign in.

While we were reassured that her iTunes account was reasonably safe from being immediately hacked, I still got her to change her password to something new. I also advised her to change any other account that used that password as well.

This Two Factor Authentication malarkey is such a good idea, I’d even created it’s own commandment.

The post Double check your security. appeared first on L2 Cyber Security Solutions Ltd..

These details included weakly protected passwords, so it is likely that the bad guys have accessed this individual’s account and downloaded his contacts. Here is the malicious e-mail in question, I’ve redacted the name portion of the e-mail address to protect the individual:

• So the Subject of the e-mail is “Statement from <compromised e-mail address>”.
• The individual’s e-mail address is buried in the “From” address in the e-mail.
• Also the last line of the e-mail is the name part of the e-mail address.
• However this malicious e-mail did not actually come from that person’s Yahoo! account, but rather that “rimports.hostpilot.com” domain that Google picked up on. This e-mail originated in the Philippines.

The use of the address is all an attempt to make it look like this e-mail is from somebody you know and perhaps trust and you may therefore be inclined to click on the link, as in this case. I’ve also redacted a part of the link in case any of my curious readers attempt to go to that address. I don’t want you to compromise yourselves. ?

Even without Google’s spam filters, I would have been suspicious of this e-mail, as I had only ever exchanged 2 e-mails with him 3 years ago. So I would have abided by Commandment 5, I was not expecting that e-mail from that individual, so I certainly wouldn’t have clicked on the link.

So please watch out for any unusual e-mails that come to you from people with Yahoo e-mail addresses.

Let’s be careful out there.

The post Malicious e-mail from Yahoo! breach. appeared first on L2 Cyber Security Solutions Ltd..