Tuesday, December 26, 2017

Something smells Phishy

My alternative title for this post was "The IRS, a Nigerian Prince, and your CEO walk into a bar."

As you may have guessed, my last blog post of 2017 is about phishing.  We have all received these e-mails.  They are usually written in poor English (or in proper English, UK version), have typos, and describe a generic situation so that the same message can be sent to thousands of targets.  In most cases the average person can spot them pretty quickly and doesn't fall for them.  Still, a certain percentage of recipients must fall victim to them, or the criminals would stop using this tactic.  Over the last few years, as more people have become aware of these scams and their success rate has declined, the cyber criminals have begun to do their homework.  They now have Americans write the e-mails to get around the language barrier (George Bernard Shaw would be proud), and more and more have shifted their approach to spear phishing combined with Business Email Compromise, or BEC for short.

Spear phishing, or targeted phishing, is where the criminals learn as much as possible about you online in order to gain your confidence.  While it is used against individuals, it is more commonly used against businesses, schools, churches, and other not-for-profits, for several reasons.  First, businesses and not-for-profit organizations have more money than the average individual, so an organization is a more profitable target.  Second, businesses and not-for-profits tend to be very verbose online about their organization, events, officers, employees, board members, the software they use, and so on, so an attacker can quickly accumulate a lot of intelligence on a target with a few Google, LinkedIn, and Facebook searches.  Third, let's face it, human nature is that we all want to be seen at work as cooperative and helpful to our executives, and that plays directly into the social engineering aspect of phishing.  An additional factor is that very few small to medium sized organizations provide their employees with security awareness training or mock phishing exercises, or have procedures in place to counter phishing attempts.  For these reasons, small businesses and not-for-profits are becoming the target of choice for cyber criminals.

So how does this play out in practice?  Below is an actual scenario that I observed (the names have been changed for privacy purposes):

The CEO and spouse go to Europe for a two-week vacation.  While there, the CEO checks in on Facebook at various tourist attractions and posts photos every night of the places they visited that day.  Meanwhile, early in the month the company issued a press release about a new location where it will break ground in the coming month to expand its customer footprint.  Details include the name of the general contractor, the square footage of the office space, and the amount the company is investing in the building.  And the final piece of the puzzle: Mary, the controller, describes her cash management duties for the company in detail on her public LinkedIn profile.

The attacker spoofs the CEO's e-mail (this is where BEC plays its part) and sends Mary an e-mail stating:

========================================================================

Subject: Need to Wire Construction Deposit ASAP!

Hi Mary,
I need you to do me a favor while I’m on vacation.  I just got a call from <name of general contractor firm>, they need us to wire a deposit to XYZ Co. so they can order the HVAC equipment now to ensure there will be no delays in the construction of our new Pine St. office.  Please wire $50,000 to ABC Bank, <routing number>, and <account #> for the benefit of XYZ Co.  Please send ASAP!

Thanks,
CEO 

PS:  We are having a great time in Paris.
========================================================================

So do you want Vegas odds on whether or not Mary quickly wires the money without calling the CEO to verify the transaction?

Every day, small businesses and not-for-profits are spear phished in a manner similar to the scenario above, and every day a number of these organizations are robbed of millions of dollars.
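Several of the signals in a message like the one above can be checked mechanically before Mary ever reads it.  Below is an added example (not from the original post) of the checks a mail gateway or a curious admin could run on a raw message: does the display name match one of our executives while the sending domain is not ours or is a lookalike of ours, does Reply-To point somewhere other than the From domain, did SPF/DKIM pass at our gateway, and does the message pair wire-transfer language with urgency.  The company domain example.com, the executive name "Pat Smith", the lookalike domain examp1e.com, and both sample messages are constructed for the example.

```python
"""Added example: flag common Business Email Compromise indicators in a raw message.
The domain, the executive roster and both sample messages are constructed
for illustration; nothing here comes from a real incident."""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"            # assumed company domain
EXECUTIVES = {"pat smith"}            # assumed: lower-cased display names of officers

WIRE_WORDS = re.compile(r"\b(wire|transfer|routing number)\b", re.I)
URGENT_WORDS = re.compile(r"\b(asap|urgent|immediately|today)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw, our_domain=OUR_DOMAIN, executives=EXECUTIVES):
    """Return the list of indicator codes found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    # An officer's name on an address outside our domain is the classic spoof.
    if name.strip().lower() in executives and from_dom != our_domain:
        found.append("exec-name-external-domain")
    # A domain one or two edits away from ours is a registered lookalike.
    if from_dom and from_dom != our_domain and edit_distance(from_dom, our_domain) <= 2:
        found.append("lookalike-domain")
    # Replies silently routed to a third mailbox the attacker controls.
    reply = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply and domain_of(reply) != from_dom:
        found.append("reply-to-mismatch")
    # Our gateway's Authentication-Results header; absent or failing means unverified.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        found.append("auth-not-passed")
    # Money movement plus time pressure is the social-engineering core of BEC.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if WIRE_WORDS.search(text) and URGENT_WORDS.search(text):
        found.append("wire-urgency")
    return found


# Constructed sample: the spoofed request from the scenario above.
SPOOFED = """\
From: "Pat Smith" <pat.smith@examp1e.com>
Reply-To: pat.smith@mail-outlook.example.net
To: mary@example.com
Subject: Need to Wire Construction Deposit ASAP!
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Content-Type: text/plain; charset=us-ascii

Hi Mary,
Please wire $50,000 to ABC Bank for the benefit of XYZ Co. Please send ASAP!
"""

# Constructed sample: the same request sent legitimately from inside the company.
LEGITIMATE = """\
From: "Pat Smith" <pat.smith@example.com>
To: mary@example.com
Subject: Pine St. HVAC deposit - needs to go out today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset=us-ascii

Mary, please wire the deposit per the contract. Call me if you need the details.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(sample))
```

The spoofed message trips all five indicators; the legitimate one trips only the wire-plus-urgency check, which is exactly the case where the answer is a phone call to the CEO at a known number rather than a reply.  The check is a triage aid for the mailbox or gateway, not a substitute for that call.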

Do you think your organization could fall for this? 
Are your employees trained in how to spot these? 
Do you have procedures in place to verify any unusual banking transactions?

This is why security awareness training needs to be a key part of your overall information security program, paired with a simple standing rule: any request to wire funds or change a vendor's payment details is confirmed by calling the requester at a number already on file (never a number or reply address supplied in the e-mail), and wires above a set amount need a second approver.  A cyber criminal can steal thousands, possibly millions, or get your customer and employee data without ever having to crack a password, infect your systems with a virus, or bypass your firewalls.  They can get your own employees to send them money or data using low tech methods that, I regret to say, have been very effective during 2017.

Be Secure in the new Year!

Monday, December 18, 2017

The Center of Your Online Life is Not Social Media

An entire generation of Millennials might disagree with this statement, but e-mail is the hub around which all of your other online activities revolve.  To prove the point, take a look at the last 30 e-mails in your Inbox (disregarding any spam).  You probably have an e-mail or two from your financial institutions (banks, loan company, insurance, and brokerage), e-mails from the eCommerce sites you frequent, e-mails from all of your social media sites, your mobile phone provider, and possibly your utilities as well.  Also, if you think about it, every website that you are registered on does password resets via e-mail.  While some also offer an SMS text as an option, or as an additional factor, the majority still just use your e-mail to reset your password.  And that is what makes e-mail a huge cyber risk area.  Should your e-mail be compromised by a hacker, yes, they can read your e-mail or send e-mail on your behalf, but the worst part is that they can quickly inventory every website and bank that you do business with.  Combined with the ability to reset your online passwords through your e-mail, that makes for a dangerous combination.  And once they have access to your e-mail, they can intercept and delete any alert e-mails you get from your banking and eCommerce websites about transactions, address changes (for shipping credit/debit cards or merchandise paid for with your account), or other suspicious activity.

The other common mistake people make is using the same password for their e-mail that they use for their other online accounts.  So before a hacker even tries a password reset, which you may notice and which may send an SMS text alert to your phone, they will first try your e-mail password on your other websites, one attempt per site.  A single attempt does not trip the "3 strikes and you're out" lockout rules, and it will most likely get some hits, ideally (from the attacker's point of view) on a banking or eCommerce site where you have stored other information such as your date of birth, social security number, or your masked credit/debit card showing the last 4 digits.  Although masking all but the last 4 digits of a card number is PCI compliant, those 4 digits are another data point that many organizations use to identify you when you call their contact center.
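From the website's side, the "one try per account" tactic described above has a recognizable shape: one source address touches many different accounts, one attempt each, so no single account ever reaches the lockout threshold.  The following is an added example (not from the original post) of a detector for that pattern run over a few constructed authentication log lines.  The log format, the source addresses, the account names and the thresholds are all assumptions; the office NAT and the forgetful user are included to show the rule ignoring a shared address whose users log in normally and a single account that does hit the lockout counter.

```python
"""Added example: spot single-attempt credential testing across many accounts.
Log format, addresses, accounts and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, source address, account, outcome.
LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(lines):
    """Yield (timestamp, src, user, result) for each well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def stuffing_sources(lines, min_accounts=5, max_per_account=1, window=timedelta(minutes=30)):
    """Return {src: (accounts_touched, accounts_opened)} for every source that, within
    one `window`, tried at least `min_accounts` distinct accounts while never making
    more than `max_per_account` attempts on any of them (the lockout-evading shape)."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse(lines):
        by_src[src].append((ts, user, result))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        # Slide a window starting at each event; the first match is enough to flag.
        for i, (start, _, _) in enumerate(events):
            per_user = defaultdict(int)
            opened = set()
            for ts, user, result in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
                if result == "OK":
                    opened.add(user)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = (len(per_user), len(opened))
                break
    return flagged


# Constructed sample log: one stuffing source, one office NAT, one forgetful user.
SAMPLE_LOG = """\
2017-12-18T09:00:01 src=203.0.113.7 user=alice result=FAIL
2017-12-18T09:00:02 src=203.0.113.7 user=bob result=OK
2017-12-18T09:00:03 src=203.0.113.7 user=carol result=FAIL
2017-12-18T09:00:04 src=203.0.113.7 user=dave result=FAIL
2017-12-18T09:00:05 src=203.0.113.7 user=erin result=FAIL
2017-12-18T09:00:06 src=203.0.113.7 user=frank result=FAIL
2017-12-18T09:01:00 src=198.51.100.2 user=alice result=OK
2017-12-18T09:02:00 src=198.51.100.2 user=carol result=OK
2017-12-18T09:03:00 src=198.51.100.2 user=alice result=OK
2017-12-18T09:05:00 src=198.51.100.9 user=gina result=FAIL
2017-12-18T09:05:10 src=198.51.100.9 user=gina result=FAIL
2017-12-18T09:05:20 src=198.51.100.9 user=gina result=OK
""".splitlines()

if __name__ == "__main__":
    print(stuffing_sources(SAMPLE_LOG))
```

On the sample, only 203.0.113.7 is flagged, with six accounts touched and one (bob, whose reused password worked) opened.  A shared address where many employees each log in once, for example first thing in the morning, can also trip the rule, so tune `min_accounts` and the window to your traffic and treat a hit as a reason to examine the accounts that were opened rather than as proof on its own.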

To sum it up, your e-mail is used on all your other web/mobile sites.  It is used for identification, for password resets, for communication with you, and contains a history of messages from all websites you have interactions on.  You need to protect your e-mail account.

So how do you do this?  Follow my tips below:
  • Don’t use the same password for your e-mail that you use on other websites.  (If your account on another website is compromised and your e-mail uses the same password, the hacker now controls your e-mail.)
  • Don’t recycle old passwords.
  • Change your passwords every 30 – 45 days. (See my blog post on changing passwords frequently)
  • Make your password complex so that it can’t be guessed.  Use lower and upper case letters, numbers, and special characters.  The longer the better (10-14 characters).  Never use dictionary words or the names of people.
  • Be alert to suspicious activity in your Inbox, such as e-mails marked as read that you have not read yet, or e-mails moved to Deleted Items that you did not delete.  Also check your Sent Items for anything you did not draft.
  • Be cautious when using public computers (libraries, hotel business centers, etc.).  Make sure you completely log out of your e-mail, and it is a good idea to change your password when you get back home or to work and can use a computer that you trust.
Be secure!
   

Tuesday, December 12, 2017

Benjamin Franklin’s advice on changing your passwords

If Benjamin Franklin was alive today, what would his advice be on changing your passwords?

I would imagine wise old Ben would say something similar to his quote on politicians:

“Passwords are a lot like diapers. They should be changed frequently, and for the same reasons.”

Like most people, you have heard that you need a complex password, but what you may not be told very often is that you need to change it frequently, preferably every 30 days.  The reasons for this are many.  Most importantly, when your password is captured by a cyber-criminal, more often than not it is captured by an automated tool such as a sniffer, or your password hash (a one-way transform of your password, not something the site can simply decrypt) is taken from a website you use that has been compromised.  In both cases there is some time between when the password is in the hands of the hacker and when it is actually used.  Even if only the hash is captured, it can be cracked offline by guessing candidate passwords and hashing each one until a match is found; how long that takes depends on the password's length and structure and on the hashing algorithm the site used.  Many complex passwords of typical length can be cracked in less than 45 days, hence why you should change yours at a minimum every 45 days.  The best security is security that is constantly changing.  In theory, if your password is captured and you change it frequently, then it has a very short shelf life and will be of little use to a hacker.
As always, frequent change is just one piece of the security puzzle.  To extend your password's life, use a password with a minimum length of 10 characters (14+ is preferable) that mixes upper and lower case letters, numbers, and special characters (!@#$%&?).  Most importantly, stay away from dictionary words and people's names.  I recommend combining things in your life to make the password easy for you to remember but hard to guess and difficult for a hacker to crack.  For example, let's say you drive a BMW 330i (or it's your dream car), your daughter's name is Karen, and your wedding anniversary is on June 9th.  A good password would be K@r3n330!9, whereby you replace vowels with numbers and special characters.  Memorable for only you, and harder to crack than a non-complex password.  One caveat: cracking tools try those same vowel substitutions automatically, so the name inside the password is not as disguised as it looks, and the facts you build it from should not be ones you have posted publicly, since that is exactly the information an attacker harvests first.

A good password checker that runs on your PC (and it's free) is at https://sensepost.com/blogstatic/2010/04/password-strength-checker.html


Keep in mind, even my example only rates as “Reasonable”.

Be secure!

Monday, December 4, 2017

Google thyself...and often

Two cyber risks that can impact both individuals and businesses are information leakage and online damage to your brand.

Information leakage is where private information about you has found its way onto the Internet.  Examples could be your passwords, bank account information, unlisted phone numbers, photos, videos, private documents, etc.  In my career, I have found scanned copies of checks, credit cards, medical records, marketing plans and driver's licenses that were either inadvertently posted to a public section of a website, or the website was supposed to have been secured and wasn't.  In addition, when cyber criminals obtain someone's userID or e-mail address and password, they tend to post it on a hacker password listing site.  For businesses, you would be surprised how many times your employees inadvertently post sensitive information online.  Many times it's an IT employee posting on a technical site seeking guidance from peers.  Unfortunately, more often than not they post using their company e-mail address, which identifies the organization, and then in the posting they disclose which version of the system/application they are seeking advice on, and potentially a security vulnerability.  If your organization doesn't already have one, a policy regarding posting on public forums, comments sections, reviews, etc. using your company e-mail address should be drafted ASAP to forbid this practice.

Online damage to your brand can hurt your reputation, which can cause you to miss opportunities (jobs, customers, partnerships, hiring talent, etc.).  Negative reviews, ratings, and stories could be the work of disgruntled current or former employees, dissatisfied customers, or your competitors.  Identifying what is out there, and then determining who posted it and why, will guide you in how to resolve any negative posts about you and/or your organization.

To see if you or your organization is currently exposed to these risks, a good practice is to Google yourself and your organization at least monthly.  What you want to find out is what the rest of the online world sees when they look you up.  As an individual, this could have an impact on job applications, college acceptance, business opportunities, and applying for credit.  For an organization, it could impact customer growth, revenue, recruiting talent, and investment.

I recommend you use www.google.com and https://www.ixquick.com/ for your searches as follows:

On Google, use the following search strings (including the quotes):
  • "Your Name"
  • "Your organization name"
  • "@your domain" (your organization's e-mail domain) – This will show you all postings that include a company e-mail address


On IXQuick you can do some more sensitive searches, as IXQuick does not share your search strings with online marketing companies:
  • "Your e-mail address"
  • "Your phone number"
  • "Your e-mail address : *" – This will show you if your e-mail password has been posted online.
  • "Your company userid : *" – This will show you if your company login credentials have been posted.
  • You could also search on variations of your SSN or TIN, i.e. all digits run together or with dashes.

The asterisk "*" is a wildcard, which may give you back your userid and your password if they have been compromised.  Note that the wildcard lets you look for a leaked credential without ever typing the password itself into a search box; the SSN search, by contrast, does send the number to the search engine, so run it only through a service you trust not to log the query.

In addition, for businesses, you should look at your organization’s reviews and ratings on Google, BBB, Glassdoor, and all of your social media sites or any other websites you advertise on that offers ratings or reviews.


By doing this, you can stay on top of any private information that is posted, contact those sites' web admins to have erroneous information removed, and be aware of reviews, ratings, and complaints against your organization so that you can respond to them in a timely and professional manner.

Remember, a customer complaint needs to be converted into an opportunity for improvement, and always take the high road as your responses will be viewed by future potential customers, employees and investors.

Tuesday, November 28, 2017

Too much information - 5 Tips for Businesses

Our reality is that we live in an age where information that was once an online currency has been devalued by one simple fact: we give it away for free every day.  Whether as individuals or as businesses, your online footprint is most likely pretty large.  We want to let our friends and families know about the big events in our lives, trips we take, places we are at, where we work, and things we buy.  At the same time, businesses need a large online presence to do business in the 21st century; one of the first lessons of SEO (Search Engine Optimization) is to be listed on as many sites as possible.  While this is all well and good for keeping in touch with friends and family and for marketing products and services, it is also feeding cyber criminals valuable intelligence on how and when to strike.

From a personal standpoint, there have been cases where burglars created fake Facebook profiles and got a number of people in their area to accept friend requests.  Then, once someone posted that they were going to be on vacation for a week, the burglars would strike.  And now with geo-location features in various apps and social media sites, your "friends" and followers can track your physical movements, which automatically tells bad actors when you are not home.  For your personal online footprint, the FBI recently released tips on giving out too much information on social media.  Rather than restate these tips, below is the URL:

https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/fbi-tech-tuesday-building-a-digital-defense-against-the-dangers-of-using-social-media-while-traveling

For businesses, it can be more difficult to reduce the amount of information about your business online, as that runs contrary to your goals of customer acquisition and increased sales.  So for businesses, not-for-profit organizations, and municipalities, below are my 5 tips on how to better defend yourselves:

  1. Limit your information leakage to the public - Over the years, one of the things that drove me nuts was the amount of company-specific detail that Human Resources and/or hiring managers would put in job postings online.  If you are hiring a Database Administrator, it is sufficient to say "Experienced with Oracle".  You do not need to put the version and release number you are currently running in the job posting.  Also, many medium to large companies have in-house developed applications.  Stating in the job description "Experience with the STARS loan system" not only serves no purpose (as only your current and former employees would have experience with it), but now you have just let every cyber criminal know the name of your loan system, which could be used in a social engineering attack on your company.
  2. Train Employees - If Mary in accounting is the person who wires money to pay vendors and performs your organization's online banking, please train Mary not to put that little tidbit of information on her public LinkedIn profile.  Give employees security awareness training, and tips on how to describe their job duties on LinkedIn so that it doesn't make them a phishing target.  On the subject of phishing, train employees how to recognize phishing e-mails, not to click links in e-mails from people they don't know, and not to open attachments they were not expecting.  It may seem like a little thing, but the untrained employee is still the best asset a cyber criminal has.
  3. Misinformation - This can be one of the most effective strategies I've seen used.  As an example, one company I worked for would always include the official name (as stated on the deed) of our headquarters building on its website and in press releases.  It was the Kent Building.  The interesting thing is that internally, all the employees had a nickname for the building, and it wasn't shared outside the organization.  So, as you would imagine, we would get a number of calls and e-mails from bad actors saying they were a contractor, or a new employee, and needed to get their password reset.  When the help desk would inquire which building they were in, sure enough, they were in the "Kent Building".  That would be one of many signs that this request was a scam.  So think of something that you can put out there that is not key to your business, but could mislead an attacker and signal to your employees on the front line that it's a scam.
  4. Social Media & Communications Policy - Have a company policy on who can post on the company's social media and websites, with a review process to ensure that what is posted is appropriate and not leaking any internal information.  The policy should also cover what employees and contractors can and cannot post on their personal sites regarding the organization.  Believe it or not, I've seen an IT Ops guy take selfies in the Network Operations Center, with monitoring consoles in the background showing every major system in the company, and post it to his Facebook page as "Tim at work".  A policy won't prevent anyone from doing something stupid, but it does at least let them know up front that it is not allowed and what the consequences are for violating the policy.
  5. Authentication Procedures - I'm not talking about entering your user ID and password here, but about taking that concept and applying it to every front-line point of human contact, i.e. phone calls, e-mails, chat, texts, etc. (in other words, defend against social engineering).  Employees who service your customers, deal with vendors, perform banking activities, or administer security should have written procedures on how to make sure that e-mailed instructions are authentic, or that the person on the other end of the phone is who they say they are.  Too many times organizations have had their security compromised because of the "new employee" on the phone who got locked out of the VPN, or the CEO e-mailing Mary in accounting to send a wire for $1 million to a bank overseas to fund a new project.  Your employees need to have procedures, and be trained on them, so that they can verify these seemingly normal requests before they act.  If left unchecked, this could cost your organization big time!