now browsing by tag
Source: National Cyber Security – Produced By Gregory Evans Another day and another clever PayPal phishing scam tolearn from to better protect yourself and your organization “In this world, nothing can be said to be certain, except death, taxes, and PayPal phishing email scams,” said Benjamin Franklin. Don’t believe me? Google yourself. Okay, okay, he […] View full post on AmIHackerProof.com
As you get ready to welcome 2020, be mindful there will be threats aplenty in the coming year.
Topping the threat list are phishing attacks. Phishing is a cybercrime in which scammers send you a malicious message while impersonating someone you know or trust, such as your colleague, relative, bank or telco.
The post #cyberfraud | #cybercriminals | Beware of phishing bait, Tech News & Top Stories appeared first on National Cyber Security.
View full post on National Cyber Security
#nationalcybersecuritymonth | Pollies to face phishing tests after Parliament breach – Strategy – Security
Source: National Cyber Security – Produced By Gregory Evans Parliamentarians and their staff will be subject to phishing email simulations in the wake of the state-sponsored cyber attack against Parliament House earlier this year. The Department of Parliamentary Services will conduct the simulations as part of a new program to test the cyber security awareness […] View full post on AmIHackerProof.com
Phishing is still a vector to attack presidential campaigns. Many 2020 candidate organizations still aren’t using best practice by implementing a proper DMARC policy.
It seems they’ve not learned from the hack on Hillary’s campaign. In 2016, John Podesta got tricked by a crude phish—and it easily could happen again.
Things are better now, but there’s still acres of room for improvement. In today’s SB Blogwatch, we dig their DNS records.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: a decade in three minutes.
Can You Spell DMARC?
What’s the craic, Zack? Mister Whittaker reports—“Only a few 2020 US presidential candidates are using a basic email security feature”:
DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects spoofed emails … could prevent a similar attack that hobbled the Democrats during the 2016 election. … Only Elizabeth Warren … Joe Biden, Kamala Harris, Michael Bloomberg, Amy Klobuchar, Cory Booker, Tulsi Gabbard and Steve Bullock have … improved their email security.
The remaining candidates, including … Donald Trump, are not rejecting spoofed emails. … That, experts say, puts their campaigns at risk from foreign influence campaigns and cyberattacks.
In the run-up to the 2016 presidential election, Russian hackers sent an email to Hillary Clinton campaign manager John Podesta, posing as a Google security warning. [It] tricked Podesta into … allowing hackers to steal tens of thousands of private emails.
Or perhaps you prefer a different topical angle? G’day, David Braue—“You may be targeting Black Friday bargains, but cybercriminals are targeting you”:
Security firms are warning shoppers to be careful online as cybercriminals increase their activity in the runup to [the] retail season. … Shoppers need to be particularly wary of online scams and malware propagated through emails spoofing legitimate retailers.
Despite efforts by the Australian Signals Directorate to promote the use of next-generation DMARC email anti-fraud tools … research suggests that just 45 percent of Australia’s biggest online retailers have actually begun implementing DMARC – and just 10 percent have adopted the strictest level of security.
Returning to this hemisphere, Agari’s Armen Najarian claims, “2020 Presidential Candidates Remain Vulnerable”:
The kinds of email attacks that helped derail Hillary Clinton’s candidacy in 2016 are only getting more sophisticated. [But some] campaigns are not taking the threat as seriously as they should.
Meanwhile, we’re seeing new trends in how cybercriminals execute … advanced threats, which are liable to throw an entire candidacy off-course. After all, it only requires one campaign employee or volunteer to click on one link in a malicious email.
It’s likely only a matter of time before the unthinkable happens once again. … The Mueller Report … squarely pointed to spear phishing as the primary attack vector for Russian hackers seeking to gain access.
Unfortunately, candidates must not only be concerned about email directed to them and their campaign staff. … Imagine the damage that can be done by emails that appear to come from the legitimate domain of the candidate, but actually come from a malicious criminal who uses that domain to spread false information to potential … donors, voters, and the media.
This is entirely possible, and likely even probable, unless candidates take the steps they need to protect against it by implementing DMARC with a p=reject policy.
DMARC: HOWTO? Chad Calease obliges—“A Definitive Guide”:
This is the time of year we’re all too aware how much phishing really sucks. … While technology isn’t able to catch all of it 100% of the time, DMARC is one of these important layers of defense that helps to dramatically minimize the amount of phishing emails that get through to our inboxes.
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. [It] is a set of 3 DNS records that work together to ensure email is sent only from authorized … mail servers, thereby helping block fraudulent messages.
DMARC sets a clear policy for what to do if a message hasn’t been sent from an authorized source. … DMARC helps prevent criminals from spoofing the “header from” or “reply-to” address: … First it checks that the DKIM … digital signature is a match. Then it checks the SPF record to ensure the message came from an authorized server. If both DKIM and SPF pass these checks, DMARC delivers the message.
But if one or more of these tests fails, DMARC behaves according to a policy we set:
‘none’ [which] doesn’t impose any actions …
‘quarantine’ [which] Flags messages … to be directed to the recipients’ spam or junk folders …
‘reject’ [which] outright refuses messages that fail … (this is the end goal of a good DMARC configuration).
OK, so why aren’t all the candidates on board? Here’s lostphilosopher:
I see this as a reflection of the candidates ability to find and listen to experts. I don’t expect a candidate to understand how to do tech “right” – I’m in the industry and still get half of it wrong! However, when you’re running a multi million dollar campaign you can afford to bring in experts to set this stuff up and audit your practices.
I assume these candidates are already doing this and that if they are still not following some basic best practices it’s because they are actively ignoring the experts. … That’s what worries me: If they can’t find or listen to these people now, what makes me think they’ll be able to in office?
And this Anonymous commentator agrees:
Think about this for a second! If the … candidates don’t care enough about their own email traffic, why would anyone vote for them to secure this nation? If your own private info is easily up for grabs, what do you honestly think national security would be like under any of them?
But gl4ss spots an oint in the flyment:
If you rely on DMARC … and just trust it blindly then you know what? You’re gonna get ****ed by someone on whthouse.org.co.uk.acva.com.
Sure the email is sent from that domain, but so what? The domain isn’t right.
It was ever thus. Ryan Dunbar—@ryandunbar2—looks back:
In 1980 we knew internet email was not secure.
2003 get email SPF
2007 get email DKIM
2012 get DMARC
2019 get ARC, BIMI
2025 get QUIC, yet email will still not be secure.
2050 get internet3
Why does it look like the ones running the internet don’t want a secure internet?
Meanwhile, El Duderino knows who to blame:
This is Al Gore’s fault because he invented the internet.
10 Years; 100 songs; 3 minutes
Previously in And Finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Tia Dufour (public domain)
View full post on National Cyber Security
Hackers use familiar brands like Dropbox to steal login
credentials and spread malware
It’s funny how hackers, phishers, and scamsters can be blatantly obvious and inexplicably unpredictable at the same time. I’m saying obvious because they target the most widely used services/platforms and lots of users know what they’re up to — not just security professionals, but many ordinary users know about these phishing scams and what to look for. Phishers might be predictable in going after big names but it’s the unpredictability in their approaches that makes them tick. Time after time, they come up with new ways that help them achieve exactly what they want and make them “successful.” The Dropbox phishing scam is a perfect illustration of this.
The Dropbox phishing scam surfaced around a
year ago and made headlines in many popular publications. It hasn’t gotten as
much attention recently, but even after a year, attackers are still targeting
users using this same-old trick. And therefore, you need to know about it.
Let’s hash it out.
Dropbox Phishing: It All Starts
with a Simple Email
This is how it all starts: You receive an
email (either text or HTML-based) from a person saying they have shared an
important document with you. The email looks a lot like an official Dropbox
email and has a link to access the document. To make it look authentic, some of
these emails include actual links to Dropbox in the footer of the email. These
Here’s a pretty simple example:
Check the “From” Details Carefully
As you can see in the screenshot above,
this phish email has “Dropbox” as its sender’s name. It’s easy to fall prey to
this as the sender name and the email style make it look like an actual Dropbox
However, if you look closely, you’ll see
that the from email address and the embedded link are clearly not Dropbox.
However, if you’re skimming through your
email (as many of us do), it’s easy to fall for this Dropbox phishing scam.
Once you click the link, the URL takes you to a web page that looks almost
exactly like an actual Dropbox login page.
More advanced Dropbox phishers take the
scam to the next level…
Check URLs Carefully — Even If They Include “Dropbox”
Some Dropbox scammers are carefully picking
URLs that look official at first glance.
For example, they will include common keywords such as “Microsoftonline” or “Dropbox” in the domain or subdomain to make it look like a genuine domain:
HTTPS URLs Aren’t Always Safe
And the cherry on the top is how phishers
use fake HTTPS URLs. So, the link that you’re being redirected to isn’t an
HTTPS link. It has HTTPS in the link text, but not as the protocol. If an SSL
certificate protects a website, it will look like this: https://www.(website name).com/. The
fake Dropbox URL looks like www.https-(fake website
name).com. See the difference?
Another trick that phishers have recently adopted is using an HTTPS website. No, the previous sentence doesn’t contain any technical error; it’s a fact that most phishing websites feature HTTPS now. In such cases, users are more likely to fall for it as they’re trained to look for that secure padlock.
Phishers are a Poor Man’s Magicians: Here’s How to Catch Them
What do magicians and phishers have in common? Well, they both take advantage of our psychological limitations to distract us and make us look where they want us to.
However, the silver lining here is that the
phishers are far from good magicians. A great magician can take their secrets
with them to the grave. But with a bit of concentration and training, you can
catch almost every phisher.
So, here’s how you can CATCH the PHISHers
(Got it ?).
Check the Email Address
First of all, you should always check the email address of the sender. Is the email sent by someone you know? Is the email coming from Dropbox’s (or any service provider’s) list of official domains? This is the first thing you must check, and you should not proceed further if the email is not familiar and/or it’s been sent from a domain that’s not been mentioned in Dropbox’s list of its official domains.
experience, doing this one check will protect you from most email phishing
attacks as hackers shouldn’t have access to Dropbox’s official domains.
However, you should be cautious even if the email appears to be from an
official Dropbox domain as some email servers are not configured to check
SPF/DKIM records, so spoofed emails will be let through.
Check the Link URLs
If the email
passes the first security check, then you should check the links in the email:
- View the web page in your
browser and check for “https” at the start of the URL. It should look like https://www.(website name).com/. (Note: Google Chrome
hides the https:// until you double click in the address bar.)
- Once this check is done, you
should again go back to Dropbox’s list of official domains and then check if this
domain is on the list.
- To double-check the
authenticity of the website, you should also check the SSL certificate Dropbox
uses. As you can see in the screenshot, Dropbox.com is protected by a DigiCert
EV (extended validation) SSL certificate and this certificate has been issued
to Dropbox, Inc.
means that the certificate authority (DigiCert, in this case) did an extensive
verification of Dropbox, Inc before issuing the certificate. This way, you can
be sure that the website you’re on actually belongs to Dropbox.
What Could Happen If You Fall Victim to the Dropbox Phishing
the data of more than 500 million users and 200,000 businesses, and it’s the
most significant cloud sharing and storage company in the world. Putting a
malicious file in just one employee account could be a brutal blow to the
privacy of an entire organization. And it’s not just the privacy, but the
existence of a business could be at stake—that’s a good enough reason to take
your Dropbox security pretty seriously, don’t you think?
Unfortunately, that’s not where it stops. A phisher who has taken complete control over your account and associated data using malware could demand a significant ransom if you want your account back. In technical terms, this is called ransomware.
The consequences of Dropbox phishing could be even more brutal if you’re one of those persons who uses the same password pretty much everywhere. Every bit of information you have on the internet could be in the hands of the attackers. Just think about it!
Hackers may also
scan your account to automatically find valuable data in your saved documents.
This could include customer data, payment details, login credentials for other
platforms, or anything else you might have that’s sensitive.
Last Word on Dropbox Phishing
All scammers — whether in the real world or online — take advantage of our human limitations. Either they make us see and feel something that isn’t there, or maybe they give us some lucrative incentive to distract us (we’ve all heard of the Nigerian Prince scam, haven’t we?). With a little bit of awareness and concentration, you can be a step ahead of all the phishers.
Tip of the day: Remember to look where you want to, not where they want you to.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Jay Thakkar. Read the original post at: https://www.thesslstore.com/blog/dropbox-phishing-scam-dont-get-fooled-by-fake-shared-documents/
View full post on National Cyber Security
Phishing attacks and campaigns have always been a hot topic in online security. With many posts tagged as “phishing” on our blog — the first one being over nine years old now — we’ve seen our fair share of phishing attempts.
In this post, we’ll cover the signs of a phishing attacks so you can recognize and avoid falling for them.
What is a Phishing Attack?
A phishing attack happens when a malicious actor pretends to be someone else to gain privileged access or information. This can be in the form of a website, phone number, email, or even in person. If you’re not familiar with the concept of phishing, we have a post covering what is phishing.
Signs of a Phishing Attack
Phishing attacks come in all shapes and forms, and methods attackers use are always evolving. There are many common characteristics which are easy to recognize once you know what to look for.
Genuine-Looking but Odd Requests
Many phishing campaigns will use a recognizable company or branding that the victim is familiar with. This can be a financial institution, coworker, or website you know.
To do this, they will try spoofing their email or phone number, or use one which contains genuine-looking keywords via public emails.
Both of these emails use public email registrars, which can create emails with any names for free.
These emails use a similar domain name to the actual company, such as securi.info instead of sucuri.net. This is why it’s important to always double-check the domain to ensure it’s genuine.
Fast Action Required
To make the victims skip over details they would usually notice, the phishing attempt will add a sense of urgency to the message. Due to the severity or urgency of the request, you are more likely to immediately follow the links or open the attachment the attacker wants you to.
- This offers expire in 1 hour!
- [Urgent] Malware on your website
- Your account is compromised
- Suspicious charges on your account
This one will vary greatly depending on the goal of the attacker and knowledge they have about the victim, but the contact method will likely seem different from your usual communication.
When an attacker pretends to be your boss or coworker, they will most likely use a different writing style than your usual message:
- More or less typos
- More or less formal
- Missing or different signature
These are all signs that you should double-check with your contact to see if they sent the message, preferably with a communication channel you know is safe.
No Signs at All
The most important thing to keep in mind when thinking about phishing is that all attempts are different — and many targeted attacks are very advanced. They can hack or spoof your boss’s email, and then use the correct data to mislead you into thinking they are your target. If they request you visit a link or open an attachment, your best bet is to double-check via a different communication channel to make sure the request is genuine.
Phishing Campaign Examples
Here are some examples of phishing campaigns we have seen lately:
Google Drive Phishing Campaign
Notice how odd it is to be able to use any email provider to login to Google Drive:
Bank Phishing Campaign in Brazil
Notice how the phishing campaign asks for credit card information in the last image.
Now that you’re familiar with the concept of phishing campaigns, you can recognize the attacks and avoid falling for them! If you are looking to be up to date on the latest website attacks trends, subscribe to receive email updates.
The post #cybersecurity | #hackerspace |<p> How to Recognize a Phishing Campaign <p> appeared first on National Cyber Security.
View full post on National Cyber Security
#nationalcybersecuritymonth | Do You Know How To Protect Yourself Against Phishing Emails? – University Times
Source: National Cyber Security – Produced By Gregory Evans Close Illustration by Lauren Dahncke Illustration by Lauren Dahncke Illustration by Lauren Dahncke National Cybersecurity Awareness month recently came to an end, but phishing emails never seem to. According to Cal State LA’s Information Technology Security, phishing emails are sent to the recipient with the purpose […] View full post on AmIHackerProof.com
The United Nations and other non-government organizations have been undergoing spear phishing attacks since at least March of this year with the goal of obtaining staffers’ login credentials.
The attackers are using compromised Office 365 credentials garnered through phishing attacks to enter the NGOs’ systems, enabling them to install phishing websites that mimic each organization’s sign-on page. The campaign was uncovered by the security firm Lookout, which noted that the as-yet-unknown attackers were utilizing a couple of unusual techniques.
First, the sites have a unique keylogging capability that directly takes the login information directly from the input field as it is being typed and sends it to a command and control server. This means even if the person does not complete the login process the username and password is stolen, Lookout said.
Next, the malware used can also detect if a mobile device is accessing the phishing site, and then deliver mobile-centric content. An additional benefit of using a mobile URL is they are normally shortened, which helps hide the fact that they are not genuine, Lookout said.
step taken to make the sites appear legitimate is the use of SSL certificates with
the phishing websites.
vice president of security strategy and threat intelligence at Venafi, said
companies need to check for fake certificates.
“In order to
protect businesses and users, security teams must identify all the legitimate
TLS certificates on their own networks. They also need to identify fraudulent
certificates issued by attackers that are being used to impersonate their
organization,” he said.
Lookout does not know who is responsible for the campaign, it has pinned down
where the malware is hosted.
have been hosting phishing content, session-services[.]com and service-ssl-check[.]com,
which resolved to two IPs over the course of this campaign: 184.108.40.206 and
220.127.116.11. The associated IP network block and ASN (Autonomous System
Number) is understood by Lookout to be of low reputation and is known to have
hosted malware in the past,” Lookout wrote.
that have been targeted include the UN, the UN World Food Programme, UN
Development Programme, Heritage Foundation and the International Federation of
the Red Cross and Red Crescent Societies.
The post #cybersecurity | hacker | UN, NGOs targeted by ongoing phishing attack appeared first on National Cyber Security.
View full post on National Cyber Security
A staggering 96% of organisations say that e-mail phishing scams pose the biggest security risk facing their businesses over the next year.
A further three quarters (76%) say the greatest and most persistent threat is the careless insider who unthinkingly clicks on malicious links, placing their companies at higher risk of falling victim to phishing, ransomware, CEO fraud scams, and other types of malware.
Social engineering was identified as a major concern by 70% of respondents.
These were some of the findings of the annual ‘2019 Security Threats and Trends Survey’ by KnowBe4, a security awareness training provider,
The survey polled 600 organisations around the world in mid-2019 on the major security issues they will face in the next 12 to 18 months.
A relatively new term in the malware vocabulary, ‘CEO fraud’ is a scam in which attackers spoof company e-mail accounts and impersonate executives in an attempt to trick an employee in accounting or HR into executing unauthorised wire transfers, or sending out confidential tax information.
“One-third or 30% of respondents don’t have a separate security budget and another 13% say the organisation’s security budget is less than $25,000 annually.”
When it comes to adversaries, it was acknowledged that the hacking community is growing increasingly sophisticated, with nearly half or 46% of respondents saying they feared their organisations may fall victim to a targeted attack.
Most enterprises (86%) claimed they have proactively amplified security initiatives over the last year to combat the increase in cyber attacks, and 89% say they’re currently better equipped to deal with security threats than they were the previous year.
Encouragingly, only 6% believed their firms were less prepared to deal with security issues in 2019 than they were the same time a year ago.
Highlights of the 2019 Security Threats and Trends Survey by KnowBe4
96% of organisations say that e-mail phishing scams pose the biggest security risk facing their businesses over the next year.
76% say the greatest and most persistent threat is the careless insider.
Only 14% of those surveyed are concerned about insider attacks from existing employees.
30% of respondents don’t have a separate security budget
- Half of participating companies report their security and IT staff are overworked and 40% say their organisations will face a shortage of skilled security professionals within the next 12 months.
- 82% of respondents say proactive security maintenance, such as installing upgrades and patches, is a top priority over the next 12 months.
- Some 27% of respondents raised a concern about their organisations’ inability to identify, quickly respond to and shut down hacks.
- Only 18% of those surveyed calculate the hourly cost of downtime related to security hacks.
- A 53% majority allow employees to access the corporate network and data using BYOD. However, only 39% of respondents currently have a plan to respond if a BYOD such as a laptop, tablet or smartphone is hacked, stolen or lost.
The post #cyberfraud | #cybercriminals | Phishing scams top the threat list appeared first on National Cyber Security.
View full post on National Cyber Security