Tuesday, December 26, 2017

Something smells Phishy

My alternative title for this post was "The IRS, a Nigerian Prince, and your CEO walk into a bar."

As you may have guessed, my last blog post of 2017 is about phishing.  We have all received these e-mails: written in poor English (or in proper UK English), full of typos, and describing a generic situation so that the same message can be sent to thousands of targets.  In most cases the average person spots them quickly and doesn't fall for them, although a certain percentage of recipients must fall victim, or the criminals would have stopped using the tactic.  Over the last few years, as more people have become aware of these scams and their success rate has declined, the cyber criminals have begun to do their homework.  They now have Americans write the e-mails to get around the language barrier (George Bernard Shaw would be proud), and more and more have shifted to spear phishing combined with Business Email Compromise, or BEC for short.

Spear phishing, or targeted phishing, is where the criminals learn as much as they can about you online in order to gain your confidence.  While it is used against individuals, it is more commonly used against businesses, schools, churches, and other not-for-profits.  The reasons are many.  First, businesses and not-for-profit organizations have more money than the average individual, so targeting an organization is more profitable.  Second, businesses and not-for-profits tend to be very verbose online about their organization, events, officers, employees, board members, what software they use, etc., so attackers can quickly accumulate a lot of intelligence on their target with a few Google, LinkedIn, and Facebook searches.  Third, let's face it, human nature is that we all want to be seen at work as cooperative and helpful to our executives, which plays straight into the social-engineering side of phishing.  An additional factor is that very few small to medium sized organizations provide their employees with security awareness training or mock phishing exercises, or have procedures in place to counter phishing attempts.  For these reasons, small businesses and not-for-profits have become the targets of choice for cyber criminals.

So how does this play out in practice?  Below is an actual scenario that I observed (the names have been changed for privacy):

The CEO and his or her spouse go to Europe for a two-week vacation.  While there, the CEO checks in on Facebook at various tourist attractions and posts photos every night of the places they visited that day.  Meanwhile, early in the month the company issued a press release about a new location where it will break ground in the coming month to expand its customer footprint.  Details include the name of the general contractor, the square footage of the office space, and the amount the company is investing in the building.  And the final piece of the puzzle: Mary, the controller, describes her cash management duties for the company in detail on her public LinkedIn profile.

The attacker spoofs the CEO's e-mail address (this is where BEC plays its part; in other cases the attacker has actually taken over the executive's mailbox, which is harder still to spot) and sends Mary an e-mail stating:

========================================================================

Subject: Need to Wire Construction Deposit ASAP!

Hi Mary,
I need you to do me a favor while I’m on vacation.  I just got a call from <name of general contractor firm>, they need us to wire a deposit to XYZ Co. so they can order the HVAC equipment now to ensure there will be no delays in the construction of our new Pine St. office.  Please wire $50,000 to ABC Bank, <routing number>, and <account #> for the benefit of XYZ Co.  Please send ASAP!

Thanks,
CEO 

PS:  We are having a great time in Paris.
========================================================================

So do you want Vegas odds on whether or not Mary quickly wires the money without calling the CEO to verify the transaction?
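Mary's best defense is still a phone call to the CEO, but the message itself usually carries technical tells that a mail filter or a cautious reader can check before anyone picks up the phone. As an added example that is not part of the original post, the Python below looks for those tells in a raw message: an executive's display name on an address that is not the one in the company directory, a sender domain outside the company (including lookalikes), a Reply-To that diverts replies to a different domain, missing SPF and DMARC passes in the Authentication-Results header that the receiving mail server writes, and urgent language about moving money. The company domain, the executive directory and both messages are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumed for the example: the company's real domain and its directory of executives.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"pat smith": "ceo@example-corp.com"}

URGENCY = ("asap", "urgent", "immediately", "right away", "today")
PAYMENT = ("wire", "routing", "account #", "account number", "deposit", "transfer")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return a list of reasons the message looks like a BEC attempt (empty if clean)."""
    msg = email.message_from_string(raw_message)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)

    # 1. An executive's name in the display name, but not the address the directory knows.
    for exec_name, known_addr in EXECUTIVES.items():
        if exec_name in display.lower() and from_addr != known_addr:
            findings.append(f"display name '{display}' but sender is {from_addr}, expected {known_addr}")

    # 2. Sender domain is outside the company (catches lookalikes such as examp1e-corp.com).
    if from_dom != INTERNAL_DOMAIN:
        findings.append(f"sender domain {from_dom} is not {INTERNAL_DOMAIN}")

    # 3. Reply-To quietly routes the reply to a different domain than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 4. The receiving server did not record passing SPF and DMARC results.
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    if not (spf and spf.group(1) == "pass" and dmarc and dmarc.group(1) == "pass"):
        findings.append("SPF/DMARC not passing: " + (auth.strip() or "no Authentication-Results header"))

    # 5. Urgency plus a request to move money, the social-engineering core of the scam.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(u in text for u in URGENCY) and any(p in text for p in PAYMENT):
        findings.append("urgent request to move money")

    return findings


# Constructed sample modelled on the message in the post; names, domains and numbers are fictitious.
SPOOFED = """\
From: "Pat Smith, CEO" <ceo@examp1e-corp.com>
Reply-To: <pat.smith.ceo@mail-example.net>
To: mary@example-corp.com
Subject: Need to Wire Construction Deposit ASAP!
Authentication-Results: mx.example-corp.com; spf=none smtp.mailfrom=examp1e-corp.com; dmarc=none header.from=examp1e-corp.com

Hi Mary,
I need you to do me a favor while I'm on vacation. Please wire $50,000 to ABC Bank,
routing number 000000000, account # 000000000 for the benefit of XYZ Co. Please send ASAP!

Thanks,
CEO
"""

# Constructed benign message from the real executive, for comparison.
GENUINE = """\
From: "Pat Smith" <ceo@example-corp.com>
To: mary@example-corp.com
Subject: Board packet
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dmarc=pass header.from=example-corp.com

Hi Mary,
Could you send me last quarter's board packet when you have a minute? Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, bec_indicators(raw) or "no indicators")
```

Any one of these findings on its own is weak evidence (plenty of legitimate mail fails SPF), which is why the check returns the whole list rather than a verdict: a message from the "CEO" that trips several of them at once is the one to route to a phone call before a single dollar moves.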

Every day, small businesses and not for profits are being spear phished in a manner similar to the above scenario.  And every day, a number of these organizations are robbed of millions of dollars.

Do you think your organization could fall for this? 
Are your employees trained in how to spot these? 
Do you have procedures in place to verify any unusual banking transactions?

This is why security awareness training needs to be a key part of your overall information security program.  A cyber criminal can steal thousands, possibly millions, or take your customer and employee data without ever having to crack a password, infect your systems with a virus, or bypass your firewalls.  They can get your own employees to send them money or data using low-tech methods that, I regret to say, have been very effective during 2017.

Be Secure in the new Year!

Monday, December 18, 2017

The Center of Your Online Life is Not Social Media

An entire generation of Millennials may disagree with this statement, but e-mail is the hub around which all your other online activities revolve.  To prove the point, take a look at the last 30 e-mails in your Inbox (disregarding any spam).  You probably have an e-mail or two from your financial institutions (banks, loan company, insurance, and brokerage), e-mails from the eCommerce sites you frequent, e-mails from all of your social media sites, your mobile phone provider, and possibly your utilities as well.  And if you think about it, every website you are registered on does password resets via e-mail.  Some also offer SMS text as an option or as an additional factor, but the majority still just use your e-mail to reset your password.  That is what makes e-mail such a large cyber risk.  Should a hacker compromise your e-mail, yes, they can read your e-mail and send e-mail on your behalf, but the worst part is that they can quickly inventory every website and bank you do business with.  Combined with the ability to reset your online passwords through your e-mail, that is a dangerous combination.  And once they have access to your e-mail, they can intercept and delete any alert e-mails you get from your banking and eCommerce websites about transactions, address changes (for shipping credit/debit cards or merchandise paid for with your account), or other suspicious activity.

Another common mistake is using the same password for your e-mail that you use for your other online accounts.  So before a hacker even tries a password reset, which you may notice and which may send an SMS alert to your phone, they will first try your e-mail password on your other websites, one attempt per site.  This way they will not trip the "three strikes and you're out" lockout rules, and they will most likely get some hits, preferably on a banking or eCommerce site where you have stored other information such as your date of birth, social security number, or a masked credit/debit card showing the last four digits.  Although masking all but the last four digits is PCI compliant, those four digits are another data point many organizations use to identify you when you call their contact center.

To sum it up, your e-mail is used on all your other web/mobile sites.  It is used for identification, for password resets, for communication with you, and contains a history of messages from all websites you have interactions on.  You need to protect your e-mail account.

So how do you do this?  Follow my tips below:
  • Don’t use the same password for your e-mail that you use on other websites.  (If your account on another website is compromised and your e-mail uses the same password, then the hacker has control of your e-mail.)
  • Don’t recycle old passwords.
  • Change your passwords every 30 – 45 days.  (See my blog post on changing passwords frequently.)
  • Make your password a complex password that can’t be guessed.  Use lower and upper case, numbers, and special characters.  The longer the better (10-14 characters).  Never use dictionary words or names of people.
  • Be alert for suspicious activity in your Inbox, such as e-mails in a “read” status that you have not read yet, or e-mails moved to Deleted Items that you did not delete.  Also check your Sent Items for anything you did not draft.
  • Be cautious when using public computers (libraries, hotel business centers, etc.).  Make sure you completely log out of your e-mail, and it is a good idea to change your password when you get back to home or work and can use a computer that you trust.
Be secure!
   

Tuesday, December 12, 2017

Benjamin Franklin’s advice on changing your passwords

If Benjamin Franklin were alive today, what would his advice be on changing your passwords?

I would imagine wise old Ben would say something similar to his quote on politicians:

“Passwords are a lot like diapers. They should be changed frequently, and for the same reasons.”

Like most people, you have heard that you need a complex password, but what you may not be told very often is that you need to change it frequently, preferably every 30 days.  The reasons are many.  Most importantly, when a password is captured by a cyber criminal, more often than not it is captured by an automated tool such as a network sniffer, or your password hash (a one-way scrambled form of your password, not the password itself) is taken from a website you use that has been compromised.  In both cases there is a gap between when the password falls into the hacker's hands and when it is actually used.  A hash does not have to be reversed to be useful: the attacker guesses candidate passwords offline, hashes each one, and compares, and with a fast hashing algorithm and modern GPUs even a complex password can be cracked in a matter of days or weeks, which is why you should change it at a minimum every 45 days.  The best security is security that is constantly changing.  In theory, if your password is captured and you change it frequently, then it has a very short shelf life and will be of little use to a hacker.
As always, frequent change is just one piece of the security puzzle.  To extend your password's life, use a password with a minimum length of 10 characters (14+ is preferable) that uses upper and lower case letters, numbers, and special characters (!@#$%&?).  Most importantly, stay away from dictionary words and people's names.  I recommend combining things in your life to make the password easy for you to remember but hard to guess and difficult for a hacker to crack.  For example, let's say you drive a BMW 330i (or it's your dream car), your daughter's name is Karen, and your wedding anniversary is June 9th.  A good password would be K@r3n330!9, where you replace vowels with numbers and special characters.  Memorable only to you, and harder to crack than a non-complex password, though bear in mind that cracking tools apply the same vowel substitutions in reverse, so the name underneath still counts against it.

A good password checker that runs on your PC (and it's free) is at https://sensepost.com/blogstatic/2010/04/password-strength-checker.html


Keep in mind, even my example only rates as “Reasonable”.
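To show why the rating is only "Reasonable", here is an added example (my own Python, not the checker linked above and not part of the original post) that scores a password two ways: the brute-force entropy that most strength meters report, and a rough estimate of the search space once an attacker undoes the vowel substitutions, recognises a name, and only has to guess the rest. The word list, the assumed 10,000-entry name list, the one-bit-per-letter cost for case/leet variants, and the assumed 10 billion guesses per second (a fast, unsalted hash on GPU hardware) are all assumptions made for the example.

```python
import math
import re

# Constructed mini word list; a real cracker's lists hold millions of names and words.
WORDS = {"karen", "password", "summer", "welcome", "letmein", "dragon"}
NAME_LIST_SIZE = 10_000          # assumed size of the attacker's name list
GUESSES_PER_SECOND = 1e10        # assumed GPU rate against a fast, unsalted hash

# Undo the vowel-to-symbol substitutions the post recommends; cracking rule sets do the same.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def charset_size(text):
    """Size of the alphabet an attacker must assume for the characters present."""
    size = 0
    if re.search(r"[a-z]", text): size += 26
    if re.search(r"[A-Z]", text): size += 26
    if re.search(r"[0-9]", text): size += 10
    if re.search(r"[^A-Za-z0-9]", text): size += 33   # printable ASCII symbols
    return size


def brute_force_bits(pw):
    """Search space in bits if every character had to be guessed independently."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_hits(pw):
    """Words from the list that appear once case and leet substitutions are undone."""
    normalized = pw.lower().translate(UNLEET)
    return sorted(w for w in WORDS if w in normalized)


def structured_bits(pw):
    """Search space for a word-plus-tail attack: pick a name from the list, choose a
    case/leet variant for each of its letters (modelled as one bit per letter), then
    brute-force only the characters left over."""
    hits = dictionary_hits(pw)
    if not hits:
        return brute_force_bits(pw)
    word = max(hits, key=len)
    normalized = pw.lower().translate(UNLEET)
    start = normalized.find(word)
    tail = pw[:start] + pw[start + len(word):]
    bits = math.log2(NAME_LIST_SIZE) + len(word)
    if tail:
        bits += len(tail) * math.log2(charset_size(tail))
    return bits


def days_to_crack(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the search space, in days."""
    return 2 ** bits / guesses_per_second / 86400


def report(pw):
    return {
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "dictionary_hits": dictionary_hits(pw),
        "structured_bits": round(structured_bits(pw), 1),
        "brute_force_days": round(days_to_crack(brute_force_bits(pw)), 1),
        "structured_days": round(days_to_crack(structured_bits(pw)), 3),
    }


if __name__ == "__main__":
    for pw in ("K@r3n330!9", "Zq7#pLw2!vRx"):
        print(pw, report(pw))
```

For K@r3n330!9 the brute-force figure (ten characters from a 95-symbol alphabet, about 66 bits) looks comfortable, but after de-leeting the checker finds "karen" and the structured estimate drops to the mid-40s, which at the assumed rate is a matter of hours. The second, random-looking password of similar length gets no dictionary hit, so both estimates stay at the brute-force figure. That gap is the difference between a password that only looks complex and one that is.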

Be secure!

Monday, December 4, 2017

Google thyself... and often

Two cyber risks that can impact both individuals and businesses are information leakage and online damage to your brand.

Information leakage is where private information about you has found its way onto the Internet.  Examples include your passwords, bank account information, unlisted phone numbers, photos, videos, private documents, etc.  In my career, I have found scanned copies of checks, credit cards, medical records, marketing plans and driver's licenses that were either inadvertently posted to a public section of a website, or posted to a website that was supposed to have been secured and wasn't.  In addition, when cyber criminals obtain someone's user ID or e-mail address and password, they tend to post it on a hacker credential-listing site.  For businesses, you would be surprised how many times your employees inadvertently post sensitive information online.  Many times it's an IT employee posting on a technical site seeking guidance from peers.  Unfortunately, more often than not they post using their company e-mail address, which identifies the organization, and then in their posting they disclose which version of the system or application they are seeking advice on, and potentially a security vulnerability in it.  If your organization doesn't already have one, a policy forbidding posting on public forums, comment sections, reviews, etc. with your company e-mail address should be drafted ASAP.

Online damage to your brand can hurt your reputation and cost you opportunities (jobs, customers, partnerships, hiring talent, etc.).  Negative reviews, ratings or stories could be the work of disgruntled current or former employees, dissatisfied customers, or your competitors.  Identifying what is out there, and then determining why it is there and who posted it, will guide you in how to resolve any negative posts about you and/or your organization.

To see whether you or your organization are currently exposed to these risks, a good practice to get into is to Google yourself and your organization at least monthly.  What you want to find out is what the rest of the online world sees when they look you up.  As an individual, this could affect job applications, college acceptance, business opportunities and applying for credit.  For an organization, it could affect customer growth, revenue, recruiting talent, and investment.

I recommend you use www.google.com and https://www.ixquick.com/ for your searches as follows:

On Google, use the following search strings (including the quotes):
  • “Your Name”
  • “Your organization name”
  • “@your domain” (your organization’s e-mail domain) – This will show you every posting made with a company e-mail address.


On IXQuick you can do the more sensitive searches, as IXQuick does not share your search strings with online marketing companies:
  • “Your e-mail address”
  • “Your phone number”
  • “Your e-mail address : *” – This will show you if your e-mail password has been posted online.
  • “Your company userid : *” – This will show you if your company login credentials have been posted.
  • You could also search on variations of your SSN or TIN, i.e. all digits run together or with dashes.

The asterisk “*” is a wildcard, so the search may give you back your userid and your password together if they have been compromised.  Bear in mind that any search string is still transmitted to the search provider, which is why the sensitive searches go to the engine that does not share them.
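Searching a public paste by hand works for one address; if you already have a dump or forum export on disk, the same "@your domain" and "address : *" patterns can be applied to the whole thing. The Python below is an added example (not from the original post) that lists every address on a given domain in a block of text, reports which of them appear alongside something that looks like a password, and masks that value so the report itself does not become another leak. The paste is constructed for the example.

```python
import re


def find_addresses(text, domain):
    """All e-mail addresses on the domain: the programmatic version of the "@your domain" search."""
    pattern = re.compile(r"[\w.+-]+@" + re.escape(domain) + r"\b", re.IGNORECASE)
    return sorted({m.group(0).lower() for m in pattern.finditer(text)})


def find_credential_postings(text, domain):
    """(address, masked secret) pairs for lines shaped like 'user@domain : secret', the
    programmatic version of the "address : *" wildcard search. The secret must end the line,
    which keeps ordinary forum text ('dave@... : anyone know a fix...') out of the results."""
    pattern = re.compile(
        r"([\w.+-]+@" + re.escape(domain) + r")\s*[:|;,]\s*(\S+)\s*$",
        re.IGNORECASE | re.MULTILINE,
    )
    return [(m.group(1).lower(), mask(m.group(2))) for m in pattern.finditer(text)]


def mask(secret):
    """Keep the first and last character so the owner can recognise a password without printing it."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


# Constructed paste; every address and password here is fictitious.
PASTE = """\
combo list 2017 - example-corp
mary.controller@example-corp.com:Winter2017!
it.help@Example-Corp.com ; Sup3rSecret
someone@other-domain.example:hunter2
Posted by dave@example-corp.com: anyone know a fix for the v2.3 upgrade bug?
"""

if __name__ == "__main__":
    print("addresses on the domain:", find_addresses(PASTE, "example-corp.com"))
    for addr, masked in find_credential_postings(PASTE, "example-corp.com"):
        print(f"credential posted for {addr} -> {masked}")
```

The address list is deliberately broader than the credential list: Dave's forum post is exactly the kind of company-address posting the policy above is meant to stop, so it belongs in the first report even though no password follows it. Anything that does show up in the second report should be treated as burned and changed immediately, whether or not the masked value looks current.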

In addition, for businesses, you should look at your organization's reviews and ratings on Google, the BBB, Glassdoor, all of your social media sites, and any other websites you advertise on that offer ratings or reviews.


By doing this, you can stay on top of any private information that is posted and contact the web admins of those sites to have leaked or erroneous information removed, and you can be aware of reviews, ratings, and complaints against your organization and respond to them promptly and professionally.

Remember, a customer complaint needs to be converted into an opportunity for improvement, and always take the high road as your responses will be viewed by future potential customers, employees and investors.