#cybersecurity | #hackerspace | Less than 10% of enterprise email domains are protected from spoofing — is yours?
Source: National Cyber Security – Produced By Gregory Evans. Flaws in email security are among the leading causes of cybersecurity incidents for many organizations. Whether it’s ransomware, business email compromise (BEC) attacks, or a spear-phishing email that leads to cyber criminals gaining access to sensitive data, email is the common denominator. While there are many […]
Knowing how to check if an email is valid is key to helping you avoid becoming a phishing victim
Although the term “email spoofing” doesn’t sound particularly scary, the results of it can be terrifying. One 2017 study shows an average of nearly 30,000 spoofing attacks take place each day.
But what is email spoofing? In a nutshell, it’s a tactic that’s integral to virtually all types of email phishing scams. If you’ve ever received a phone call from “yourself” (either with your caller ID showing your phone number and/or your name), or if you’ve ever received an email from “yourself” (with the “from” field of the email header displaying your name and/or email address), then I’m sorry to break the news to you, but you’ve been spoofed.
Cybercriminals use this tactic to impersonate someone else
to accomplish their goals. Anyone can be the victim of email spoofing — either
as the recipient or as the person/organization/institution whose email is
But there’s more to know about spoofing than just what it is
and what it does. So, do you want to get answers to those other burning
questions you have about email spoofing?
Let’s hash it out.
What You Need to Know About Email Phishing (and Email Spoofing)
Originally, when I set out to write this article, my focus
was just to talk about what email spoofing is and what it does. But as I
started to research and work on writing the content, I thought it might be best
to approach this topic in terms of answering some of the top questions on the
1. What is Phishing and Email Spoofing?
To put it simply, phishing refers to deceptive
tactics that criminals use to trick victims into taking some action the hoodlum
wants them to. Email spoofing (one of many phishing tactics criminals use)
refers to sending an email that looks like it’s sent from someone it’s not. For
example, a cybercriminal might send you an email that looks like it’s from your
boss, your email service provider, or other trusted source.
But why would someone want to do
something like this?
With phishing, the goal could be to get their targeted
- provide personal or financial information;
- turn over intellectual property and other
proprietary information or data;
- perform a wire transfer or another electronic
transfer of funds;
- provide login information or other user
- download a file from an email that contains
malicious software; and/or
- click on a malicious link.
By sending a spoofed email that’s crafted to look like it
came from someone you trust, cybercriminals know you’re more likely to engage
with the content of the email and any links or attachments it contains. You’re
also more likely to trust what the person says in the message. And gaining your
trust is crucial to pulling off a successful scam.
2. How Does Email Spoofing Work?
Contrary to what some non-tech users may believe, email
spoofing isn’t black magic. It’s not some hugely complicated task. It’s
actually a very simple process that involves making email headers look like
they’re coming from one person or organization when they’re really coming from
another. I’m not going to provide directions for how to do it (hey, I may be a
bit crazy at times, but I’m not stupid), but just know that it basically
involves the use of an SMTP server and email software. Just going to leave it
Proofpoint makes a salient point about spoofing in email fraud: The act of email spoofing isn’t just about spoofing the sender’s display name. It also includes other tactics such as email address spoofing, domain spoofing, and the use of look-alike domains, although display name spoofing is the most common. The company reports that in Q2 2017, “90.27% of the email fraud attacks that Proofpoint analyzed and blocked employed this tactic.”
Another tactic cybercriminals use is to research specific
individuals within an organization they wish to target. They can find
information about that individual, their department, and the organization’s
hierarchy through the use of the company website and social media platforms
such as LinkedIn.
3. Why Is a Spoof Email Such a Big Deal?
So, if you receive a spoof email — or, if someone receives
an email that appears to come from you (but didn’t) — it may not seem like a
big deal. But as you recently read, it’s a very big deal. Let’s say
someone is pretending to be you. They change their caller ID to your name,
create email addresses with your name, and identify themselves in all
communications with your friends, family, colleagues, and customers. You’d be
pretty worried, right? They could do nearly anything they want, and they’d be
doing it in your name!
This is essentially what happens when someone uses email
At its core, a spoof email is a method of deception. It’s a
way for someone to accomplish something while hiding behind a disguise. They often
use the identity of a real person, organization, or business to trick users
into performing some type of action. And, as you can imagine, it’s usually bad
news for both sides — the email recipients they’re trying to fool, and the
people or organizations whose identities they’re using to do so.
Examples of Email Spoofing
At The SSL Store, we’re no strangers to spoofed emails. In
fact, as the largest global provider of SSL/TLS certificates, we
receive these types of messages all the time from malicious actors around the
world. Thankfully, we understand the importance of cyber security awareness
training for our employees and they know how to identify and respond to
phishing and spoofed emails.
But what does email spoofing actually look like? Some
spoofed emails are well crafted and appear to come from an authentic source at
first glance due to the display name spoofing. Most, however, aren’t that well designed
(thankfully). Here are a few real-world spoofed email examples we’ve received
over the past few months:
In all of the above examples, the sender used display name
spoofing rather than email spoofing. That’s because display name spoofing is
easier to pull off because all the cybercriminal needs to do is sign up for an
email address from a free email service provider (such as Gmail, Yahoo Mail,
etc.) using the name they wish to display.
4. How to Stop Email Spoofing from Affecting Your Organization.
We often receive questions from people who want to know how
to prevent email spoofing attacks — both as the organization the sender is
impersonating and as the potential recipient. Maybe you’re one of them. If
you’ve suddenly received an influx of “undeliverable” notices in your email
inbox, it’s likely that your email address is being spoofed.
So, how do you prevent your email address or domain from
being spoofed in the future? And how do you help your employees recognize
spoofed emails for what they are? We’ll answer both of those questions by
discussing the following:
- SPF, DKIM, and DMARC email security standards
- email signing certificates
- cyber security awareness training
- email header data
Let’s start by answering your question of “how do I stop
email spoofing from my domain?”
Implement SPF, DKIM, and DMARC to Stop Spoofers from Using Your Domain
Sigh. Yeah, the cybersec industry certainly loves its
acronyms. This particular bowl of alphabet soup — with acronyms that stand for sender policy
framework (SPF), domain
keys identified mail (DKIM), and domain-based
message authentication, reporting and conformance (DMARC) — is a useful
combination of tools that enable you to protect your email and your domain
reputation. Still not sure what all of this means?
Of course, you’re welcome to read all three of the linked
articles in this section for more info, but we’ll still break it all down for
you here. In a nutshell:
- SPF outlines valid IP addresses that are
approved to send emails for a specific domain.
- DKIM allows you to establish greater
trust by helping receivers detect spoofed messages that claim to be outgoing mail from
your domain. It does this by publishing a public key in the DNS of the email domain and adding a
digital signature to the message header, so recipients can verify that the email remains
unaltered from when it was sent.
- DMARC is an email authentication,
reporting and policy protocol that uses both SPF and DKIM to provide
information about the email domain’s authentication results (its alignment, compliance, failures, etc.).
Essentially, these things together help you to prevent
third-party threats from tarnishing your good name. While they’re not
foolproof, they’re at least another method of security — and as we all know,
you never want to be dependent on just one method.
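To make the three records concrete, here is an added example (not code from the original article) that parses constructed SPF and DMARC TXT records for a hypothetical domain, flags the weak settings that undermine them (a permissive `+all` in SPF, a `p=none` DMARC policy with no reporting address), and applies the DMARC alignment rule that decides whether an SPF- or DKIM-authenticated domain actually covers the visible From: address. The records, the domain names, the 192.0.2.0/24 range and the report address are constructed sample values, not real DNS data, and no lookup is performed.

```python
"""Evaluate SPF and DMARC TXT records and check DMARC identifier alignment.

Added example, not code from the original article. The records below are
constructed sample data for the hypothetical domain example.com; nothing here
performs a real DNS lookup.
"""
import re

# Constructed sample TXT records (weak setting beside the corrected one).
SPF_WEAK = "v=spf1 include:_spf.mailprovider.example +all"
SPF_GOOD = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
              "rua=mailto:dmarc-reports@example.com")


def parse_spf(record):
    """Return the SPF mechanisms and the qualifier on the 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"mechanisms": terms[1:], "all": None}
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            result["all"] = match.group(1) or "+"  # bare 'all' means pass
    return result


def spf_findings(record):
    """Plain-language findings about settings that let unauthorized hosts send."""
    qualifier = parse_spf(record)["all"]
    if qualifier is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if qualifier == "+":
        return ["'+all' authorizes every host on the internet to send as this domain"]
    if qualifier == "?":
        return ["'?all' is neutral and gives receivers nothing to enforce"]
    if qualifier == "~":
        return ["'~all' (softfail) marks but does not reject unauthorized senders"]
    return []  # '-all': only the listed sources may send


def parse_dmarc(record):
    """Parse 'tag=value' pairs; missing tags take the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")         # relaxed DKIM alignment
    tags.setdefault("aspf", "r")          # relaxed SPF alignment
    tags.setdefault("sp", tags.get("p"))  # subdomain policy inherits p
    return tags


def dmarc_findings(record):
    """Findings about a policy that monitors instead of protects."""
    dmarc = parse_dmarc(record)
    findings = []
    if dmarc.get("p") == "none":
        findings.append("p=none only monitors; receivers still deliver spoofed mail")
    if dmarc.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in dmarc:
        findings.append("no rua= address: you receive no aggregate abuse reports")
    return findings


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (fine for sample data)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') is an exact match, relaxed ('r') is same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(record, from_domain, spf_domain=None, dkim_domain=None):
    """Pass when SPF or DKIM passed AND that authenticated domain aligns with From:.

    spf_domain: envelope (Return-Path) domain for which SPF passed, else None.
    dkim_domain: d= domain of a valid DKIM signature, else None.
    """
    dmarc = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, dmarc["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, dmarc["adkim"])
    return spf_ok or dkim_ok


if __name__ == "__main__":
    print("weak SPF:", spf_findings(SPF_WEAK), "| good SPF:", spf_findings(SPF_GOOD))
    print("weak DMARC:", dmarc_findings(DMARC_WEAK), "| good DMARC:", dmarc_findings(DMARC_GOOD))
    # Mail from a subdomain: relaxed alignment (weak record) accepts, strict (good record) rejects.
    print(dmarc_pass(DMARC_WEAK, "example.com", spf_domain="mail.example.com"))  # True
    print(dmarc_pass(DMARC_GOOD, "example.com", spf_domain="mail.example.com"))  # False
```

The alignment check is the part most often misunderstood: SPF and DKIM each vouch for a domain of their own (the bounce address and the signing `d=` domain), and DMARC only protects you when at least one of those domains matches the domain your recipients actually see in the From: header. A spoofer who passes SPF for their own domain still fails DMARC against yours.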
Which brings us to our next point…
Use Email Signing Certificates to Protect Your Outgoing Emails
An email signing certificate — sometimes referred to as an S/MIME
certificate or a personal authentication certificate — is something that
you can use to help email recipients verify whether an email is coming from
you. These certificates do two things:
- assert identity through the use of unique
digital signatures, and
- use public key encryption to provide secure,
end-to-end encryption for your emails. And considering that most email servers
nowadays also use SSL/TLS encryption, it means that you can enjoy both data at
rest and data in transit protection.
When you assert
your identity, not only are you affirming that you are who you claim to be,
but you’re also instilling trust and confidence in your email recipients.
They’ll be more likely to click on your links or engage with your emails if they
know you’re you.
This is how it looks when you receive an email from someone
using an email signing certificate:
Now, let’s address what you can do to protect your business
from the perspective of being an email recipient of a spoofed email.
Provide Cyber Awareness Training for Your Employees to Help Them Identify
It’s no secret that your employees are often both your
biggest strength and weakness in the battle against cyber security threats. Proofpoint
reports that 83% of surveyed global information security professionals reported experiencing phishing attacks in 2018.
That’s why cyber
awareness training is so important. This type of training is beneficial to
all of your employees, and no one — not even the CEO — should be excluded from
this training. When you regularly train your employees, you can help them
increase their knowledge and understanding of the very real threats they and
your business face. And when you test them through phishing simulations, you
can identify any gaps in their knowledge and tailor future trainings to meet
Teach your employees to look for some common warning signs
of phishing emails:
- use of poor language, grammar, and punctuation.
- use of language that conveys a sense of urgency
(to spur users to action).
- mismatching or inaccurate information in the
“from” field. (For example, does the sender’s name match their email address?)
Teach Employees to Check Their Email Header Information
To identify email spoofing, what you’ll want to do is take a
close look at the email header information of a suspicious message. Why? Because
an email header contains a significant amount of data pertaining to the
transmission of an email. In addition to email subject line information and the
basic “from” and “to” sender/recipient info, other email metadata you can find
in the header properties include:
- the type of content,
- browser information,
- delivery date information,
- suspicious flag or spam flags,
- language used in the email, and
- Microsoft Exchange threat scan results.
Taking the time to check email address validity sounds like
a boring and unnecessary task. However, in cyber security, it’s generally
considered a best practice to verify who an email is from so you know whether
the sender is who they say they are. You wouldn’t just open your front door in
the middle of the night if someone knocked, would you? You’d probably look
through the peephole or call out, “who is it?” if you don’t have a peephole
(at least, I’d hope you would!) to inquire as to who you’re going to yell at
momentarily for waking you up.
It’s the same way with email spoofing. Before you open the
door to your network (by clicking on a link, downloading an attachment, or
otherwise engaging with an email), you should at least check to make sure the
sender is authentic.
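The warning signs listed above (does the sender’s name match their address?) and the header fields just described can be checked mechanically before anyone clicks. The following added example (not code from the original article) parses a constructed raw message with Python’s standard `email` module and reports on the display name versus the address, on whether Return-Path and Reply-To point somewhere other than the From domain, on the Received hop count, and on what the receiving server recorded in Authentication-Results. The message, the domains (example.com, freemail.example, othermail.example) and the 192.0.2.x addresses are constructed sample data.

```python
"""Pull spoofing indicators out of a raw email header.

Added example, not code from the original article. RAW_MESSAGE is a
constructed sample; example.com, freemail.example, othermail.example and
the 192.0.2.x addresses are documentation placeholders.
"""
import re
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the display name invokes the recipient's own company,
# but the address and the reply path live at unrelated free-mail domains.
RAW_MESSAGE = b"""Return-Path: <bounce-7781@freemail.example>
Received: from mx.freemail.example (mx.freemail.example [192.0.2.45])
\tby inbound.example.com with ESMTPS; Tue, 1 Oct 2019 09:12:03 +0000
Received: from [192.0.2.77] by mx.freemail.example; Tue, 1 Oct 2019 09:12:01 +0000
Authentication-Results: inbound.example.com; spf=pass smtp.mailfrom=freemail.example;
\tdkim=pass header.d=freemail.example; dmarc=pass header.from=freemail.example
From: "Jane Doe (Example Corp CEO)" <jane.doe.ceo@freemail.example>
Reply-To: <finance-desk@othermail.example>
To: accounts-payable@example.com
Subject: Wire transfer needed today
Date: Tue, 1 Oct 2019 09:11:58 +0000
Message-ID: <8a71f0c2@mx.freemail.example>
Content-Type: text/plain; charset="utf-8"

Please process the wire transfer today.
"""


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def parse_auth_results(value):
    """Map spf/dkim/dmarc to their verdicts from an Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value)}


def analyze_headers(raw, our_domain):
    """Return the key header fields plus a list of plain-language findings.

    our_domain is the receiving organization's own domain; the display-name
    check looks for its first label (e.g. 'example') being used as bait.
    """
    msg = BytesParser().parsebytes(raw)  # default compat32 policy keeps values verbatim
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    org_label = our_domain.split(".")[0].lower()
    if org_label in display_name.lower() and from_domain != our_domain.lower():
        findings.append(f"display name invokes '{org_label}' but the address is at {from_domain}")
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To sends replies to {domain_of(reply_to)}, not the From domain")
    if auth.get("dmarc") != "pass":
        findings.append("DMARC did not pass: the From domain is not authenticated")

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "return_path_domain": domain_of(return_path),
        "received_hops": len(msg.get_all("Received") or []),
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_headers(RAW_MESSAGE, "example.com")
    print(f"From domain: {report['from_domain']}  hops: {report['received_hops']}  auth: {report['auth']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Note that SPF, DKIM and DMARC all pass for this sample, because the message genuinely left the free-mail provider’s servers. Authentication results vouch for the sending domain, not for the person named in the display name, which is exactly why display name spoofing is the variety the article describes as most common, and why the name-versus-address comparison belongs in the check.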
5. How to Check If an Email Is Valid.
So, you want to check email address validity. Good! As my gruff
grandfather used to say, “now you’re cooking with gas!”
Knowing how to check whether an email is valid is an
important piece of knowledge that can help keep you and your business safe in
the digital world. As mentioned only moments ago, email headers provide a lot
of useful information — the “who,” “what,” “when,” “where,” and “how” of an
email. The only thing it doesn’t communicate is the “why.”
But, in reality, it doesn’t take a genius (evil or
otherwise) to figure out why someone would want to use email spoofing. Cybercriminals
just want to be able to do something and either don’t want to get caught, or
they want to gain your trust by using the name or organization name of someone
you know and/or trust. Either way, email spoofing is a useful way of doing what
they want to do.
So, how do you check if an email is valid in Outlook 2016 or
Outlook 2019? Well, you can do it one of two ways — by opening the email in a
new window or by simply clicking on the email in your inbox.
Method One: From the Email Window
Step One: Open the Email in Its Own Window
You’re going to find yourself staring, confused, at another
set of menu options if you don’t follow this critical first step.
Step Two: Access the Properties Menu
Select File and navigate to Properties at the bottom of the list (as shown below).
Step Three: View Your Email Property Information.
Once that window is open, you can view the message header
details in the Internet headers field at the bottom of the window.
Method Two: From Your Inbox
This method is one that you can do from the comfort of your
Step One: Add a New Command to the Quick Access Toolbar (QAT).
At the top of your Outlook window, you’ll likely notice a
few lonesome icons in the blue application bar above the main tabs. It may include
icons for functions like “undo,” “redo,” and “save.” To the right, you’ll
notice an arrow pointing down with a dash above it labeled Customize Quick
Access Toolbar when you mouse over it. Select that and drop-down to click More
Step Two: Navigate to the All Commands Window.
In the new Outlook Options window that pops up, select All
Commands from the drop-down menu labeled “Choose commands from.”
Step Three: Select Message Options from the List.
In the long column below that menu, you’ll find a long list
of commands. Scroll down and select Message Options. Click Add in
the center between the two list columns and select the OK button.
Step Four: Select the Email and Press the Message Options button.
In your inbox, select the email that you wish to view the
email header information for and then press the Message Options button in the
QAT at the top of your Outlook window.
Not much to it, right? Yes, it’s really that simple.
Note: You can only view the email header information for
emails you receive, not the ones you send.
6. Is It Illegal to Spoof an Email Address?
The CAN-SPAM Act, which spells out specific requirements for commercial messages as well as penalties for violations, prohibits spoofed headers. Not really sure whether phishing emails would fall under “commercial emails,” but still, it’s important to note.
The National Conference of State Legislatures shares that only 23 states and Guam have laws that specifically address phishing, although all states have laws that prohibit the fraudulent acquisition of another person’s personal information, computer crimes, and identity theft.
For example, here in Florida, we have Fla. Stat. §§ 668.701-.705. Under 668.703:
“(1) A person with an intent to engage in conduct involving the fraudulent use or possession of another person’s identifying information may not represent oneself, directly or by implication, to be another person without the authority or approval of such other person through the use of a web page or Internet domain name and use that web page, Internet domain name, or a link to that web page or domain name or another site on the Internet to induce, request, or solicit a resident of this state to provide identifying information.”
This means that a person who fraudulently obtains a victim’s
personal information may not use it to impersonate that individual.
Section 668.704 also indicates that while there’s an opportunity to bring a civil suit against the perpetrator, any civil action “must be brought within 3 years after the violation occurred.” The following individuals and groups would be able to bring a civil suit:
“(a) A person engaged in the business of providing Internet access service to the public who is adversely affected by the violation.
(b) A financial institution as defined in s. 655.005(1) that is adversely affected by the violation.
(c) An owner of a web page, trademark, or service mark who is adversely affected by the violation.
(d) The Attorney General.”
7. How Do I Report a Suspicious Email?
Unfortunately, many users don’t realize they’ve been spoofed
until after the fact. This realization may occur immediately for someone after they
click on a malicious link, or it may not be until a few weeks (or months) down
the road when they realize their information is compromised and their
information is being used fraudulently to commit crimes. However, for those of
you who recognize a spoofed email for what it is, there are a few things you
can do to try to prevent future email spoofing.
The U.S. Federal Trade Commission (FTC) asks users to forward phishing emails to its Anti-Phishing Working Group (APWG) at firstname.lastname@example.org. What you can also do is report suspicious emails or spam to:
- your employer’s IT team. You should only do this if you receive the suspicious email on your work email address. Forward the questionable email to your IT admin or cyber security team — of course, warn them about your suspicions at the top of the email so they know to not engage with any links in the email.
- the sender’s email provider. If you can tell who their email service provider is, you can inform them about any users you think may be abusing their systems. Forward the entire email in question and specify that you think it’s spam. However, cybercriminals often use free email service providers and will simply close the email accounts after a brief period of use. Then they go and open another. It’s a seemingly never-ending cycle of abuse.
- the organization/domain the sender is spoofing. If you think that someone is pretending to be a specific company, take a moment to reach out to the company to make them aware of the situation. For example, if someone is spoofing PayPal, you can forward the entire email to PayPal to let them know about the spoof.
Email Spoofing Isn’t Going Anywhere
Unfortunately, as much as I’d like to say that email
spoofing is set to become a thing of the past, it’s not. Cybercriminals are
always coming out with new ways to scam people and businesses into providing
money and the most valuable currency of all: information. Whether it’s your
personal or financial information — or that of your customers — it’s imperative
to do everything within your power to keep it out of the hands of
cybercriminals. But at least there are things that you can do to protect
yourself and your business from the dangers of spoofed emails.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/email-spoofing-101-how-to-avoid-becoming-a-victim/
The post #cybersecurity | #hackerspace | Email Spoofing 101: How to Avoid Becoming a Victim appeared first on National Cyber Security.
Another day and another clever PayPal phishing scam to learn from to better protect yourself and your organization. “In this world, nothing can be said to be certain, except death, taxes, and PayPal phishing email scams,” said Benjamin Franklin. Don’t believe me? Google yourself. Okay, okay, he […]
#cyberfraud | #cybercriminals | Netflix email scam tells victims to ‘update your payment information’, news update
If you receive an email from Netflix telling you to update your payment information immediately, you could be the victim of a sophisticated new scam. The streaming giant has once again been embroiled in a phishing email scam, which uses the same branding and username seen with […]
Over the past three years, the “business email compromise” has become one of the most common, vexing, and financially injurious forms of cybercrime. On any given day, companies around the world and across industry sectors are finding themselves the victim, the pawn or both in cybercrime […]
Decentralized threat intel sharing, more public-private collaboration, and greater use of automated incident response are what’s needed to combat phishing. As organizations begin to plan their cybersecurity strategy for 2020 and beyond, email security will certainly be high on leadership’s agenda. That’s because phishing attacks continue […]
Email addresses and phone numbers might have been misused
No personal data was shared externally by Twitter
No reports on the number of people impacted have come out yet
In a recent incident of a data breach, Twitter has confirmed that user data like email addresses and phone numbers provided by users for security purposes may have been unintentionally used for advertising purposes.
According to a news report, currently, Twitter is unable to share with certainty the number of people impacted by the breach. However, the US-based company also asserted that no personal data was ever shared externally with their partners or any other third parties.
In a statement, Twitter highlighted that the personal data, which were provided for safety or security purposes (for example, two-factor authentication) may have been inadvertently used for advertising purposes, specifically in their Tailored Audiences and Partner Audiences advertising system, which helps in creating relevant remarketing campaigns.
While explaining how the breach occurred, Twitter said in a statement, “When an advertiser uploaded their marketing list, it may have matched people on our platform to that list based on the email or phone number that the user had provided for safety and security purposes.”
As of September 17, Twitter has acknowledged the problem and claimed that it has stopped using numbers or email addresses collected for safety or security purposes, for advertising.
Although Twitter apologised for this error, it also shared that they have no idea how many people were impacted by this. “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,” the microblogging site added in the statement.
Twitter’s average monetisable daily active usage (mDAU) has grown from 122 million in 2018 June quarter to 139 million (29 Mn in the US and 110 Mn from international markets) in 2019 June quarter. Even in the previous quarter, it had a mDAU of 134 million.
Data Breach On Rise: How Is India Protecting Itself?
Indian Prime Minister Narendra Modi has touted data as the new oil and new gold and rightly so as it has become very lucrative for hackers to steal and sell the same. Earlier, online food delivery startups Zomato, and FreshMenu, fintech startup EarlySalary, McDonald’s India, Oyo, Ashley Madison, Sony, and many others have been the victims of data breaches.
Social media sites like Instagram and Facebook have also been affected by data breaches involving advertisers. Recently, an Instagram ad partner was banned for scraping user data without consent. Even Facebook-linked phone numbers of over 419 Mn users were found on unsecured servers.
Whatsapp, which was planning to introduce its payments feature WhatsApp Payments by the end of this year, is also facing difficulties because of the government’s concerns over the messaging platform’s data localisation compliance. In September, National Payments Corporation of India (NPCI) had asked WhatsApp to make changes in its policy to get the final approval for the launch of payments in India. NPCI had asked the instant messaging app to make changes in its data-compliance framework that prohibits storing payment data outside of India.
In May, India was reported as the second most cyberattack-affected country for the years 2016 to 2018. With the average cost of a data breach in India up 7.9% since 2017, the average cost per breached record has risen to INR 4,552 ($64).
The Reserve Bank of India too recorded a total of 2,059 cases of cyber fraud in 2017-18 as compared to 1,372 cyber fraud cases in 2016-17.
The post #cyberfraud | #cybercriminals | Twitter Admits User Phone Numbers, Email Data Used For Ads appeared first on National Cyber Security.
Nearly all of the top million most popular domains are inadequately protected from “weaponized” email impersonation by hackers, formerly known as spear phishing, according to a new study released today by San Francisco-based email authentication service provider ValiMail.
One out of every five emails today appears to come from a suspicious sender who’s not authorized to use the sending domain, according to ValiMail’s 2017 Email Fraud Landscape Report. The study also found that only 0.5 percent of the top million domains use adequate authentication strategies to protect against email impersonation, even though most systems support stronger defenses.
Better email authentication defenses could help the typical company save $8.1 million each year in costs related to cybercrime, ValiMail reported.
ValiMail’s findings come on the heels of a report released last week from Google and the University of California-Berkeley that identified phishing as the greatest threat to people’s online identities.
‘Vast Majority’ of Businesses are Vulnerable
DMARC (domain-based message authentication, reporting, and conformance) is an email security system designed to protect against malicious actors sending unauthorized emails that appear to come from legitimate domains. The DMARC system enables administrators to set policies that validate the “From:” content in email headers comes from legitimate senders at those domains.
“Email has been weaponized by hackers as the leading way to infiltrate networks, and the vast majority of businesses are leaving themselves vulnerable by either incorrectly configuring their authentication systems or forgoing protection entirely,” ValiMail co-founder and CEO Alexander García-Tobar said in a statement. “Businesses are asking their employees to complete an impossible task: identifying who is real and who is an impersonator, by closely examining every message in their inboxes. The only sustainable solution is for companies to take control of their email security at the technology level and stop placing the onus on employees to prevent phishing attacks.”
Of organizations that use DMARC to validate their emails, 77 percent have either misconfigured the system or set policies that are too permissive, the ValiMail study found. In fact, only 15 percent to 25 percent of companies in various industries have properly implemented and maintained DMARC protections, the study noted.
‘Alarming Lack of Understanding’
Close to 100,000 phishing email campaigns were reported every month in the early part of this year, according to the Anti-Phishing Working Group, an international coalition of businesses, government organizations, and law-enforcement agencies. Several hundred companies see phishing attacks every few weeks, with businesses in the payment, financial services, and Webmail sectors the most vulnerable, the group said.
The year-long study by Google and the University of California-Berkeley released last week found that phishing poses the top threat against people whose online identities were exposed by Internet data breaches. Google said it has taken several steps in response to boost its authentication systems to defend against phishing.
The new research released today “demonstrates the volume of email fraud threats faced by companies today and highlights the alarming lack of understanding of how to combat these threats,” the Global Cyber Alliance’s Shehzad Mirza said in ValiMail’s statement. “These findings highlight that a lack of email authentication is the most prevalent security vulnerability companies face.”
Late last month, the U.S. Department of Homeland Security issued a directive requiring all federal agencies to begin implementing stronger email security defenses, including DMARC, within 90 days. The move is aimed at preventing federal emails and Web sites from spoofing and impersonation by hackers.
DMARC usage by federal agencies has grown since 2016, although only 38 percent had established adequate record policies as of October, according to the Online Trust Alliance. The ValiMail study noted that DMARC protection is available to most domains.
“Over three-fourths (76 percent) of the world’s email inboxes support DMARC and will enforce domain owners’ authentication policies, if those policies exist,” the report noted.
ValiMail offers its own solution to help enterprises fight the fight to keep email safe. Pricing starts at $30K annually, with the total cost dependent on a number of variables including company size, volume of email, number of domains, and so forth.
The post Email Has Been #Weaponized by #Hackers, Results Can Be #Deadly appeared first on National Cyber Security Ventures.
An extensive, Russian-backed hacking operation targeted the email accounts of thousands of perceived Kremlin adversaries in 2015 and 2016, an Associated Press investigation has learned.
The effort, broadly referred to as “Iron Twilight” by security researchers, sought to compromise 4,700 Gmail accounts worldwide, belonging to everyone from high-profile U.S. politicians ― including Hillary Clinton, John Podesta and Colin Powell, who were all hacked ― to academics, journalists, political activists and military personnel.
Who they targeted
According to information provided by Secureworks, the cybersecurity firm whose data underpins much of the AP report, there’s a clear link between the targeted email accounts and Russia’s targets in the real world.
A spokesperson for the prime minister of Ukraine, for instance ― where Russian forces are currently engaged in a military conflict ― was targeted nine times, Secureworks said.
Other targeted individuals identified by the AP include former Secretary of State John Kerry, former NATO Supreme Commander U.S. Air Force Gen. Philip Breedlove, and Serhiy Leshchenko, a Ukrainian politician who helped reveal alleged financial crimes of Paul Manafort, who was indicted Monday.
Experts on Ukrainian and Russian subject matters, as well as aerospace researchers and engineers were also among those targeted.
Military spouses and family members also constituted a surprisingly large portion of those targeted, which Secureworks speculates may be an attempt to learn about broader military issues in the U.S., or to gain information about the target’s spouse.
Of the military and government personnel who were targeted, the vast majority are either in the U.S. or in a NATO member state.
Given the specific range of targets, experts said the hacks almost undoubtedly originated from within the Kremlin.
“It’s simply hard to see how any other country would be particularly interested in their activities,” Michael Kofman, a Russian military affairs expert at the Woodrow Wilson International Center who had his email targeted, told the AP.
“If you’re not Russia,” he said, “hacking these people is a colossal waste of time.”
Secureworks told HuffPost other, non-Gmail email providers were also targeted in the effort, though they don’t have data on the particulars of the campaign. While the firm only has data spanning March 2015 through May 2016, there’s no reason to believe Russia has ceased its hacking operations.
“This type of operation supports an ongoing intelligence objective,” Rafe Pilling, a senior security researcher with Secureworks’ Counter Threat Unit team said. “The activity is still underway via similar methods and likely will continue while the hackers behind this activity continue to be successful.”
“The targeting we saw (of 4,700 Gmail accounts) was just a fragment of a larger campaign from Iron Twilight.”
How they did it
Data provided by Secureworks shows Russian-linked groups operating under the names APT28, Sofacy, Sednit, Fancy Bear, and Pawn Storm sent emails to targets that mimicked authentic login pages from Google Accounts.
Instead of being directed to the real Google Accounts page, however, the emails directed recipients to a highly convincing fake page, which then recorded the user’s login and password information.
Russian hackers disguised the website address of the fake page via Bitly, a link-shortening and web analytics service, which is ultimately what tipped Secureworks off to the hacking campaign.
By working backward from a compromised login page, Secureworks was able to identify the publicly accessible Bitly account associated with it. That account served as a window into all of the group’s other activity, which, the AP found out, took place 95 percent of the time on Monday through Friday, during Moscow’s regular business hours.
Bitly representatives told HuffPost they took quick action once they learned of the activity, noting the operation itself involved little in the way of conventional “hacking” ― all the login information was unwittingly supplied by the targets themselves.
“The links and accounts related to this situation were blocked as soon as we were informed,” Bitly CTO Rob Platzer explained in email. “This isn’t really an exploit of Bitly, but it’s an unfortunate exploit of internet users through social engineering.”
“It serves as a reminder that even the savviest, most skeptical users can be vulnerable to opening unsolicited emails. It can’t always be helped, but we advise everyone to be extra cautious about emails and links related to passwords and other sensitive information, and to employ safety measures such as unique passwords and two-factor authentication.”
What to do if you think you’ve been hacked
Unless your information has been published online, there’s a decent chance you wouldn’t know you’ve been hacked.
“If a target was compromised,” said Pilling, “it’s entirely feasible that the compromise could go undetected for an extended period of time.”
Given the wide range of those targeted and Russia’s continued hacking efforts, Secureworks recommends those who suspect they could be a target ― and use Gmail or any other web mail service ― to regularly change their passwords.
Other commonsense steps, like enabling “two-factor” or “two-step” authentication on your email account, can also go a long way, Pilling said.
He also recommended readers check to see what applications and devices they’ve authorized to access their account, information that’s often found under “settings.”
“If there are any apps or devices they don’t recognize, they should disable or delete the access right away,” he said.
And finally, don’t open attachments or click links in an email unless you’re sure the email was actually ― and intentionally ― sent to you by the sender.
The post Kremlin Tried To #Hack At Least 4,700 #Email Accounts Before The #Election appeared first on National Cyber Security Ventures.
Hackers have taken over the email account of a Louisiana funeral home and are sending email scams to the company’s customers, asking for money.
The hack took place late on Wednesday, when employees of Griffin Funeral Home in West Monroe, Louisiana, lost access to the company’s Yahoo account, used as the main communications point with customers and business partners.
Hackers asked customers for money transfers
The hackers sent out emails posing as the funeral home’s owner —Glenda Griffin— asking customers and suppliers for a favor.
If the other party replied, hackers would ask for $2,450 to be paid in a Ukrainian bank account. They justified the request by saying that Glenda was on vacation in Europe and her cousin suffered an accident and needed urgent medical care.
The scam was well put together, as the hackers had apparently studied the company and its owners before launching the campaign. Even so, they slipped on a detail: they forgot to copy Glenda’s full email signature.
Employees said they detected something wrong after customers and partners called in to inquire about Glenda’s supposed predicament. They realized they got hacked when they inspected emails in the Sent folder and saw the emails without the full signature, which was also supposed to contain a standard disclaimer.
Hackers wrestle control over the email inbox away from staffers
Funeral home staff changed the account’s password, but hackers kept accessing the system. Employees changed the password four times before being locked out for good.
The company reached out to Yahoo for help, but they have not heard back. They also filed a complaint with local police.
In the meantime, the company also changed its official email address and is now informing customers to ignore the recent emails and update their contact details.
The post Hackers Take Over #Funeral Home’s #Email Account and Run #Online Scams appeared first on National Cyber Security Ventures.