Business Email Users Fail to Identify Phishing Scams

Via SpamFighter:

Security firm McAfee has warned that four-fifths of business email users are unable to identify phishing scams, leaving the enterprise vulnerable to cyber crime.

According to the McAfee Labs Threats Report: August 2014, 79% of business users who took the McAfee Phishing Quiz failed to detect at least one scam containing malicious links or malware among the seven emails shown to them.

More alarming, the test suggests that people in the Finance and HR departments of organizations, who hold some of the most sensitive corporate data, are the worst at identifying such scams.

Clicking a link in a phishing email can be disastrous for a business: it lets attackers install malware or redirect users to compromised websites, exposing the corporate network to further attack.

McAfee researchers observed that spoofed email addresses fooled respondents most effectively; the report notes that a UPS (United Parcel Service) phishing email combining this tactic with branding elements was particularly successful.
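The brand-spoofing tell described above (a display name that borrows a brand while the address domain does not belong to it) can be checked mechanically at the mail gateway. The following is an added example, not code from McAfee or the report; the brand-to-domain allowlist and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist (assumption, not from the report): brand keyword -> domains
# that brand is known to send from. Populate this from your own gateway data.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "paypal": {"paypal.com"},
}
WEEKDAYS = None  # placeholder removed below; keeps module namespace simple


def registrable_domain(address: str) -> str:
    """Lower-cased last two labels of the address domain (mail.ups.com -> ups.com).
    Two-label approximation; a real gateway would consult the public suffix list."""
    domain = address.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:])


def spoof_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons this message looks like brand spoofing.
    An empty list means none of these checks fired, not proof of legitimacy."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in from_addr:
        return ["From header has no parseable address"]
    from_domain = registrable_domain(from_addr)
    findings = []

    for brand, domains in BRAND_DOMAINS.items():
        name_claims_brand = re.search(rf"\b{brand}\b", display_name, re.I) is not None
        # Substring match: catches "ups-delivery-notices.example", may also catch "groups.example".
        domain_mimics_brand = brand in from_domain and from_domain not in domains
        if name_claims_brand and from_domain not in domains:
            findings.append(f"display name claims {brand.upper()} but address domain is {from_domain}")
        if domain_mimics_brand:
            findings.append(f"domain {from_domain} contains '{brand}' but is not a known {brand.upper()} domain")

    # A display name that itself embeds an address on another domain is a classic tell.
    if "@" in display_name and registrable_domain(display_name) != from_domain:
        findings.append("display name contains an address on a different domain")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and registrable_domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {registrable_domain(reply_addr)} differs from From domain")
    return findings


# Constructed sample messages (not from the report).
SPOOFED_SAMPLE = (
    "From: UPS Delivery Notice <tracking@ups-delivery-notices.example>\n"
    "Reply-To: claims@ups-customer-support.example\n"
    "Subject: Your parcel could not be delivered\n"
    "\n"
    "Click the link to reschedule delivery.\n"
)
LEGIT_SAMPLE = (
    "From: UPS <noreply@mail.ups.com>\n"
    "Subject: Your parcel is on its way\n"
    "\n"
    "Tracking details inside.\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, spoof_indicators(sample))
```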

Infosecurity-magazine.com published a statement in the first week of September 2014 quoting Raj Samani, EMEA CTO of McAfee, as saying: “Our latest report highlights that phishing continues to pose significant security risks for consumers and businesses. Moreover, it is a matter of worry that due to lack of knowledge in identifying the phishing emails, we receive many such emails daily and it’s no longer enough to react to threats as and when they happen.”

Channelweb.co.uk published a report on 4 September 2014 quoting Amichai Shulman, Chief Technology Officer of security firm Imperva, commenting on the quiz findings: “end users should not be blamed for falling for phishing scams because of an old-fashioned approach by McAfee to dealing with security threats. It’s one thing to expect an employee to refrain from opening an apparent executable file enclosed in a slurred out-of-context email. It’s absolutely unreasonable to expect a normal person to inspect carefully each and every attached or downloaded file which looks like a PDF, especially if the enclosed message is in context (eg an unpaid invoice or an unsolicited CV).”


The New Face of Social Engineering and Fraud

Via PC World:

You’ve probably heard by now that eBay is the latest victim of a massive data breach. The popular online auction site has asked users to reset their passwords as a precautionary measure, but the data that matters most is already compromised, and there is nothing you can do to “reset” it.

Details are still sketchy, which is more or less standard operating procedure for data breach incidents. What we know is that the breach occurred between February and early March, but was only recently discovered. eBay says that email addresses, encrypted passwords, names, addresses, telephone numbers, and users’ birth dates were compromised.

Because the passwords were encrypted, there is no immediate risk, but it’s only a matter of time before attackers are able to decrypt them. It definitely makes sense for eBay users to change their passwords. It’s also worth reiterating standard password security practices like making sure you use a strong password, don’t use the same one for multiple sites or services, and change them periodically.

But your eBay password may be the least valuable piece of information from the data that was compromised.

“The fact that user email addresses and physical addresses were taken in the breach is more concerning,” says Dwayne Melancon, CTO of Tripwire. “Criminals could use that information to masquerade as eBay customers on other sites, or perhaps ‘social engineer’ their way to users’ other accounts. Unlike the passwords, the other user-specific information was not encrypted and therefore it can be easily reused by attackers.”

“Many sites can be easily tricked into resetting passwords–requiring a minimum of personal information to do so,” says Paul Lipman, CEO of iSheriff. “The non-encrypted personal data that was stolen from eBay could potentially enable users’ credentials to become compromised on a wide array of other sites through this kind of social engineering technique.”

The attackers can also use information like your phone number, email address, and mailing address for targeted phishing campaigns.

You can’t trust any emails or phone calls you receive. You can’t even trust snail mail. Any communication you receive should be treated with skepticism, and you should contact the company in question yourself to make sure it’s legitimate.

Lipman summed up on a somber note: “Unfortunately, we likely haven’t yet heard the end of this story.”

An Iranian Threat Inside Social Media

Via IsightPartners:

iSIGHT Partners believes Iranian threat actors are using more than a dozen fake personas on social networking sites (Facebook, Twitter, LinkedIn, Google+, YouTube, Blogger) in a coordinated, long-term cyber espionage campaign.  At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas.

This campaign, working undetected since 2011, targets senior U.S. military and diplomatic personnel, congressional personnel, Washington D.C. area journalists, U.S. think tanks, defense contractors in the U.S. and Israel, as well as others who are vocal supporters of Israel to covertly obtain log-in credentials to the email systems of their victims. Additional victims in the U.K. as well as Saudi Arabia and Iraq were targeted.

The targeting, operational schedule, and infrastructure used in this campaign are consistent with Iranian origins.

HOW DOES IT WORK?

The fake personas claim to work in journalism, government, and defense contracting.  These accounts are elaborate and have created credibility using, among other tactics, a fictitious journalism website, newsonair.org, that plagiarizes news content from other legitimate media outlets.

These credible personas then connected, linked, followed, and “friended” target victims, giving them access to information on location, activities, and relationships from updates and other common content.

Accounts were then targeted with “spear-phishing” messages.  Links which appeared to be legitimate asked recipients to log-in to false pages, thus capturing credential information. It is not clear at this time how many credentials the attack has captured to date.

Additionally, this campaign is linked to malware. While the malware is not particularly sophisticated it includes capability that can be used for data exfiltration.

WHAT DOES THIS MEAN?

The discovery and investigation of the attack reveals three critical insights:

  1. Social media offers a powerful and covert pathway for targeting key government and industry leadership through a third-party platform potentially outside of existing security measures.
  2. Given targeting associated with this campaign, Iranian actors may have used accesses gained through this activity to support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S.  Furthermore, it is possible that any access or knowledge could be used as reconnaissance-for-attack in advance of disruptive or destructive activity.
  3. Adversaries such as these are increasingly adept at finding and exploiting opportunities to carry out cyber espionage, even when lacking sophisticated capability.  NEWSCASTER’s success is largely due to its patience, brazen nature, and innovative use of multiple social media platforms.

WHAT KIND OF DATA WAS TAKEN?

We are unable to say with complete visibility.  However, it is reasonable to assume that a vast amount of social content was compromised in addition to some number of log-in credentials that can be used to access additional systems and information.

As users often maintain the same credentials for multiple sites, it is impossible to determine the scope, scale, and duration of data loss.

WHO SHOULD BE WORRIED ABOUT THIS THREAT?

Given the covert nature of cyber espionage, its impacts are often difficult to forecast or measure; however, in this instance, we expect any access obtained by the NEWSCASTER network will be ultimately exploited for intelligence value.

We infer, from our limited knowledge of NEWSCASTER targeting, that such intelligence could ultimately support the development of weapon systems, provide insight into the disposition of the U.S. military or the U.S. alliance with Israel, or impart an advantage in negotiations between Iran and the U.S., especially with regards to sanctions and proliferation issues.

It is also possible that the compromise of such high-ranking and influential people could be used to access the senior levels of as-of-yet unidentified organizations in the U.S., Israel, and elsewhere.  Furthermore, we surmise that access could be leveraged as reconnaissance-for-attack, supporting eventual disruptive or destructive attacks against targeted entities.  Though there is no evidence indicating the NEWSCASTER network was created to support such activity, previous incidents publicly attributed to Iran, such as Operation Ababil and the attacks on Saudi Aramco underscore this possibility.

The NEWSCASTER network appears to be primarily focused on targeting senior military and policymakers, firms associated with defense technology, and the U.S.-Israel lobby, however, we found victims in the financial and energy sectors, as well as elsewhere, and we recognize that we could only see a portion of the accounts connected to this network.  Organizations involved in critical infrastructure, or who have information that may be of strategic or tactical interest to a nation-state adversary should be concerned about a threat such as this.

WHY DOES ISIGHT PARTNERS THINK THIS ORIGINATES IN IRAN?

Though the timing of the social network attack may seem irregular at first, over multiple years the schedule behind the activity becomes apparent.  They maintained a regular schedule, including what appears to be a lengthy lunch break followed by the remainder of the work day.  These hours conform to work hours in Tehran.  Furthermore, the operators work half the day on Thursday and rarely work on Friday, the Iranian weekend.  Other clues, such as the targets on which the operators have chosen to focus and additional technical indicators, lead us to believe NEWSCASTER originates in Iran.
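The operational-schedule reasoning above (activity clustering in Tehran working hours, a half day on Thursday, almost nothing on Friday) can be reproduced from a list of activity timestamps. This is an added example, not iSIGHT's tooling; the event timestamps are constructed to show the pattern the text describes, and Tehran is modelled as a fixed UTC+3:30 offset (assumption: DST ignored).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: fixed offset; 2014-era Iranian DST (UTC+4:30 in summer) is ignored here.
TEHRAN = timezone(timedelta(hours=3, minutes=30))
US_EASTERN = timezone(timedelta(hours=-4))  # a contrasting candidate (EDT), also fixed offset
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


def local_activity(events_utc, tz):
    """Map each UTC timestamp to (weekday name, local hour) in the candidate timezone."""
    out = []
    for ev in events_utc:
        local = ev.astimezone(tz)
        out.append((WEEKDAYS[local.weekday()], local.hour))
    return out


def schedule_summary(events_utc, tz, workday=(8, 18), lunch=(12, 14)):
    """Summarise how well the activity fits a working day in timezone `tz`."""
    local = local_activity(events_utc, tz)
    total = len(local)
    by_day = Counter(day for day, _ in local)
    by_hour = Counter(hour for _, hour in local)
    in_hours = sum(1 for _, h in local if workday[0] <= h < workday[1])
    in_lunch = sum(1 for _, h in local if lunch[0] <= h < lunch[1])
    return {
        "share_in_work_hours": in_hours / total,
        "share_in_lunch_window": in_lunch / total,   # a dip here suggests a lunch break
        "events_by_weekday": dict(by_day),            # missing/light days suggest the weekend
        "busiest_hours": [h for h, _ in by_hour.most_common(3)],
    }


def rank_timezones(events_utc, candidates):
    """Order candidate timezones by how much activity falls inside working hours."""
    scored = [(name, schedule_summary(events_utc, tz)["share_in_work_hours"])
              for name, tz in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def constructed_events():
    """Constructed sample: one week of persona activity, built in Tehran local time and
    converted to UTC. Sat-Wed full days, Thu a half day, Fri nothing; no posts over lunch."""
    start = datetime(2014, 5, 24, tzinfo=TEHRAN)  # a Saturday, first day of the Iranian week
    pattern = {0: [9, 10, 11, 14, 15, 16], 1: [9, 10, 11, 14, 15, 16],
               2: [9, 10, 11, 14, 15, 16], 3: [9, 10, 11, 14, 15, 16],
               4: [9, 10, 11, 14, 15, 16], 5: [9, 10, 11], 6: []}
    events = []
    for day_offset, hours in pattern.items():
        for hour in hours:
            local = start + timedelta(days=day_offset, hours=hour)
            events.append(local.astimezone(timezone.utc))
    return events


if __name__ == "__main__":
    events = constructed_events()
    print(schedule_summary(events, TEHRAN))
    print(rank_timezones(events, {"Tehran": TEHRAN, "US Eastern": US_EASTERN}))
```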

WHAT IS THE NEWSCASTER NETWORK AFTER?

Without seeing how the information stolen by the NEWSCASTER network is used, it is difficult to make a definitive assessment of their ultimate motivation.  However, the actors have intimated their interest in specific defense technology as well as military and diplomatic information by their targeting.  This type of targeting is inconsistent with cyber-criminal behavior.

It remains possible that the actors could selectively reveal information gained through this campaign to embarrass those who were targeted, or already have, but we have seen no evidence of this at this time.  Ultimately, we believe the sponsors of the activity are seeking information advantage over rival military forces, defense industries, diplomats, and others.

IS THIS TYPE OF ACTIVITY COMMON ON SOCIAL NETWORKS?

We have previously identified cyber espionage campaigns which originate from China using social network accounts to propagate, but never a campaign of such complexity working across so many platforms.  NEWSCASTER is unprecedented in complexity, scale, and longevity.

HOW DID ISIGHT PARTNERS UNCOVER THIS ACTIVITY?

We are protective of sources and methods, but we can confirm that these actors did not go unnoticed by some targeted entities and they left significant evidence of their activity throughout the Internet.  As with many other threats, iSIGHT Partners combined malware analysis, open source research, and research from our global collection network to create our assessment of the NEWSCASTER network.

IS NEWSONAIR.COM ALSO PART OF THE FAKE NEWS RUSE?

Newsonair.COM, a legitimate Indian news operation, is not the same as newsonair.ORG. We have no indication that newsonair.COM was in any way linked to the faux newsonair.ORG site that was part of this campaign.

IS THIS THE GOVERNMENT OF IRAN?

We can’t be certain.  We have no information implicating the ultimate sponsor.  In the past we’ve seen cyber espionage operations carried out by government organizations, corporate intermediaries, and other third parties.

WHAT STEPS CAN AN ENTERPRISE TAKE TO PROTECT ITSELF?

In addition to blocking known NEWSCASTER infrastructure, an enterprise can protect itself by taking steps to mitigate the human elements of the NEWSCASTER threat.  Though the actors took pains to create a complex social engineering capability, they made many mistakes and were detected by potential victims.  Personnel can learn from these mistakes to better recognize similar incidents.

NEWSCASTER was brazen, complex multi-year cyber-espionage that used a low-tech approach to avoid traditional security defenses, exploiting social media and people who are often the “weakest link” in the security chain.  This underscores the importance of cyber threat intelligence that enables enterprises to proactively tune defenses to combat a determined and persistent adversary utilizing constantly evolving tactics.

WHAT DOES THIS MEAN FOR THE GENERAL PUBLIC?

Don’t be worried, but do be vigilant.  As always, do not create trusted connections with unknown organizations and/or individuals.  Never provide login credentials to any site or person who contacts you (rather than you contacting them), use strong passwords, and change them regularly.

HAVE YOU COORDINATED WITH THE FBI ON THIS REPORT?

The intelligence development and analysis was completed independently by iSIGHT Partners.

iSIGHT Partners did coordinate with the FBI to:

  • Brief government agencies and our commercial clients
  • Coordinate on the release of the report
  • Identify the relevance/possible impact of the threat to critical infrastructure entities and agencies


The Social Engineering Infographic

The outstanding team at Social-Engineer, Inc. have produced a new infographic to highlight social engineering techniques and responses. These are the same people that run the Social Engineering Capture the Flag event at the Defcon event (which immediately follows the Black Hat conference) every year. Check it out:

[Infographic: Social Engineering – phishing, vishing]

Digital Identities: I Have One For Sale

Via RSA:

The term digital identity is a fitting description of who we really are online.  Think about the accounts you log in to on a regular basis, the activities you perform each day, the way you communicate with others…most of our lives are digital.  In a research study by Harris Polls (commissioned by RSA) on digital identities, the most popular online accounts for consumers are email, financial and banking, and entertainment/shopping.  And on average, they access these online accounts from two different digital devices.  But what does a digital identity really mean?

I like to think of myself as an average consumer/online user so let’s take a look at what I consider to be my digital identity – and perhaps make you think a little more about yours.

My financial identity.  My financial identity is the one I treasure most.  I mean seriously, if a hacker takes over my bank account and steals the money in it, I’d be lost.  While my bank would ultimately reimburse me for fraudulent transactions, that could take days or weeks.  How would I pay my bills, buy food or gas – and my daily iced coffee?  But your financial identity goes well beyond just your bank account or credit cards.  We attribute our financial identity just to those two areas because we use or access them almost every day.  However, what about your stock account, 401k, payroll information?  Or if you’re like me, you have a flexible spending or healthcare savings account you use to submit claims for childcare and medical expenses.  As you can see, your financial identity extends well beyond just your bank account.

My personal identity.  The two things I associate most with my personal identity are my personal email and social networking accounts.  I hardly use personal email much anymore, but for most things you sign up for, you have to submit an email address.  That’s probably the reason I maintain one as I can’t have my credit card statements or utility e-bills coming to my work email.  Then we share our personal lives and moments with friends and family on social networking sites such as Facebook and Twitter.   Most don’t realize the value these simple accounts hold to a criminal or hacker, but they do.  For example, many online service providers notify you via email of changes on your account so if a hacker had access to your email, they could go in and delete the notifications so you wouldn’t be suspicious.  Trust me, this happens all the time!

My entertainment/shopping identity.  I do a majority of my holiday shopping online. The deals are usually better and frankly, I just can’t stand the holiday crowds.  Then I have my kids who always seem to want the craziest or rarest things that you just can’t find in a regular store (One word to parents of little boys and you will understand: Minecraft).  I also book a lot of activities online, purchase tickets to shows, and plan my travel among other things.  So I probably have at least two dozen various entertainment/shopping online identities that I use or have used in the past (and that list keeps growing because of Groupon).

My online gaming identity.  Well, this one could have gone under my entertainment identity, but I decided to make it its own category as a reminder to myself that I need to get a life and stop playing Candy Crush Saga.  I’m on Level 270 – and there is no end in sight.  Yes, this is my “You need a life” alert.

My online dating identity.  Now this is the one for sale.  While identity theft is hardly a laughing matter, I will gladly let any data thief steal this one.  I never thought I could hate one of my own digital identities, but this one has got to go. Data thief steals online dating identity and handsome, emotionally available man steals my heart.  Oops, I think I fell into daydream mode for a brief moment there.

Back to reality now.  What made me ultimately realize the depth of my own digital identity occurred the other day when I went online to order my son’s pre-K pictures.  I had to create an account with a username and password, and it made me ask myself, “How many times have I ever done this in my life for an ‘account’ I will probably only ever use once?”  According to the Harris research, the average adult creates about two new online accounts every year, but I think it’s many more than that.  We just don’t realize it because many are “one-time use” accounts – like the one I had to create to order my son’s school pictures.  The problem is that we are likely using the same usernames, email address, and passwords that we use to log in to our everyday accounts like our online banking account.  The reality and the risk: most small merchants don’t have the same security in place to protect your personal information that Amazon does.  And with small merchants such a high value target for cybercrime, just one small breach could translate into your digital identity being compromised across multiple sites you access every day.

Be mindful every time you are asked to create an online account.  If it is one that will be used only once or rarely, give yourself a very unique username and password.  And then just for general online hygiene, also make sure you change the passwords to your major online accounts on a regular basis (about every 90 days).

Don’t be fooled by these common social engineering attacks

Via RhinoSecurityLabs:

Ever wonder how hackers get a foothold in big corporations that spend millions of dollars on security? Instead of attacking the technology, they often target employees, tricking them into providing access.

Some of these techniques are advanced and require a lot of skill and practice. But the most common social engineering attacks are simpler to pull off than you might think.

“This is the helpdesk…”

An oldie but a goodie: attackers masquerading as helpdesk employees remain one of the most common social engineering attacks.

An example of this kind of attack might sound a bit like this:

“Hello, this is Kenny with the helpdesk. We’re going to be doing some PC maintenance tonight and I need to get your password to make sure everything is ready to go for you when you get back in the office tomorrow.”

It’s surprising how often this technique works. As a matter of convenience, some IT helpdesks place legitimate phone calls like this and lull users into believing it is a common, acceptable procedure.

A well-run, security-conscious helpdesk will never ask users for their passwords. Establishing this as a policy and providing end users with training on how they should handle their passwords will go a long way towards preventing this type of social engineering attack.

Ransomware

Have you ever received a pop-up in the corner of your screen that said something like “Your computer is infected. Click here to begin removal.”?

Once you clicked on the message you were taken to a screen that outlined some details of the “infection” and how you could solve the problem by paying a fee. Maybe you even followed through and provided your credit card information.

Ransomware is normally targeted at individual consumers, but often takes the form of blackmail when targeted at a business’ employees. More targeted ransomware might claim “We’ve found illegal pornography on your computer.” or something similarly embarrassing.

In addition to credit card information, these attacks might also capture usernames and passwords, or pull the employee into a one-on-one conversation with an attacker who forces them to take some action under the threat of blackmail.

While solid anti-malware controls can help prevent ransomware infections, the best defense is to train employees on how to differentiate between legitimate and illegitimate system messages, noting that whenever they are unsure of what they’re seeing, they should contact the helpdesk.

Social media

Facebook and other social media platforms provide a great avenue for social engineers to collect information about their corporate target and plan out their attack.

Maybe you get an invitation to connect on LinkedIn that looks a little like this:

“Hey, I just started working at Trask in the executive office and am trying to connect with other people who work here. Would you mind adding me?”

Once you connect with this person they are able to see all of your professional connections and any details you’ve added to your social media profile. This information can be used to build out an organizational chart they will use in their attack or might provide a direct avenue to attack.

The attacker may start a longer conversation with you over social media that turns into a friendly relationship. Once that relationship matures a bit, you might get a message like:

“OMG! My login won’t work and the helpdesk isn’t answering. I’m supposed to finish this report for Dave (the CEO) but need to be on the network to get the info I need. Can I borrow your VPN login? It would really save my butt.”

It might sound silly, but this technique works time and time again. It’s become especially effective as younger generations, who are more comfortable developing relationships with people they might never meet in the physical world, enter the work force.

Again, training is key to making sure employees know how they might be exploited to attack their employer.