Tag Archives: security alert

Email Scam Personally Targets UK Residents

Internet users are getting savvier … slowly but surely. Phishing emails littered with spelling mistakes and grammar errors are getting flagged more often.

However, phishers are still innovative and relentless. What happens when you’re greeted by an email that knows your name and address? Despite the suspicions, the personalized touch grabs your attention.

Here are the kinds of emails UK residents are noticing in their inboxes recently:

Here’s another…

Phishing Email Details

The sample phishing emails have some curious characteristics to note.

Let’s start with the obvious… terrible grammar. These emails read like they came straight from the original Nigerian scams of over a decade ago. While they look like your classic phishing scam, the personal information sprinkled throughout the email is what draws people into the scam. The greeting uses your first name. The referenced file is labeled with your last or family name. Then, to add a shred of credibility, the email notes your home address and postcode.

It’s an interesting play by the phishers. The email is phishy enough to raise suspicion, but the personalized references make readers wonder how dangerous it could be not to at least glance at the information in the file.

So What’s in the File?

Spoiler alert: it’s malware!

Victims who open the attachment are prompted for a password which the phishers include in their email. The random passwords really are necessary to open the file.

After entering the given password, the following screen comes up in Microsoft Word:

The thing to notice on this page is the Security Warning. How fitting!

The phishers need you to enable macros in the document for the malware to run. But many computer folk have caught on that macros can be dangerous. So instead of the traditional prompt to enable macros, the phishers have created this page to encourage victims to “Enable Content” and view the data.

This approach appears to be more effective. After all, you’re just agreeing to view the data inside the document. Harmless, right?

When you click on Enable Content, the macros are enabled and the malware starts running. The malware downloads a GIF file (common type of image file).

Once the contents are downloaded (a GIF header followed by scrambled data), everything still looks benign. However, the macro includes decryption routines that pull the malicious code out of the file, unscramble it, and write it to the %TEMP% folder.
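As an added defender-side check (not code from the Sophos write-up or from the campaign itself), the following Python walks a downloaded file's GIF block structure and flags a file that carries a large, high-entropy blob after, or instead of, real image data, which is the shape of the decoy described above. The three samples are constructed; nothing from the real payload is reproduced.

```python
import math
import random
import struct

ENTROPY_THRESHOLD = 6.0  # bits/byte: image metadata stays well below, encrypted blobs sit near 8
MIN_TAIL = 64            # ignore a few bytes of padding after the trailer

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Advance past a chain of sub-blocks (size byte, data, ..., 0x00); -1 if truncated.
    while pos < len(data):
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size
    return -1

def walk_gif(data: bytes):
    """Return (offset, problem): just past the 0x3B trailer and None on a clean parse,
    otherwise the offset where parsing stopped and why."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return 0, "missing GIF signature"
    if len(data) < 13:
        return len(data), "truncated logical screen descriptor"
    pos = 13
    if data[10] & 0x80:  # global colour table occupies 3 * 2^(n+1) bytes
        pos += 3 * 2 ** ((data[10] & 0x07) + 1)
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                                  # trailer
            return pos + 1, None
        if tag == 0x21:                                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif tag == 0x2C:                                # image descriptor: 9 bytes after the tag
            if pos + 10 > len(data):
                return pos, "truncated image descriptor"
            ipacked, pos = data[pos + 9], pos + 10
            if ipacked & 0x80:                           # local colour table
                pos += 3 * 2 ** ((ipacked & 0x07) + 1)
            pos = _skip_sub_blocks(data, pos + 1)        # +1 skips the LZW minimum code size
        else:
            return pos, f"unknown block tag 0x{tag:02x} at offset {pos}"
        if pos < 0:
            return len(data), "truncated sub-block chain"
    return len(data), "no trailer before end of file"

def inspect_gif(data: bytes) -> dict:
    """Flag a file whose bytes beyond the parsed image are plentiful and high-entropy."""
    end, problem = walk_gif(data)
    tail = data[end:]
    entropy = shannon_entropy(tail)
    return {"parsed_ok": problem is None, "problem": problem, "trailing_bytes": len(tail),
            "tail_entropy": round(entropy, 2),
            "suspicious": len(tail) >= MIN_TAIL and entropy >= ENTROPY_THRESHOLD}

def _noise(n: int, seed: int = 7) -> bytes:
    # Deterministic pseudo-random bytes standing in for the scrambled payload.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed samples: the smallest valid GIF, that image with 400 noise bytes appended,
# and a bare header followed by noise (nothing from the real campaign is reproduced).
CLEAN_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00\x3b")
APPENDED_PAYLOAD = CLEAN_GIF + _noise(400)
HEADER_ONLY = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x99" + _noise(299)
```

The threshold is deliberately loose; a real image with a long comment extension still parses cleanly and contributes nothing to the tail, so only bytes the parser cannot account for are scored.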

SophosLabs wrote a blog post highlighting this phishing scam. When they tested the attack, they found malware dubbed Troj/Agent AURH. This is bot malware that connects the computer to the phishers’ command-and-control network to await future tasks.

Sophos reminded readers of the potential consequences of this type of malware:

  • The malware is flexible and can be changed according to the victim’s time zone, location, language settings, etc.
  • The instructions sent to infected computers (bots) can vary and include downloading additional malware

After all is said and done, the phishers wipe their hands of the scam with the following note to victims:

Key Takeaways

It’s natural to see an email like this and be unsure which parts are legitimate and which are scammy. There’s a sense of fear and urgency when the sender knows your personal information like last name and home address.

Most likely, the phishers obtained the personal information as a result of one or more data breaches. However, pinpointing the source of the breach would prove difficult.

Here are a couple takeaways and best practices from the Sophos team in preventing these types of scams:

Don’t open unsolicited or unexpected attachments. Even if the document claims to be an invoice you don’t owe, or threatens you in some way, don’t let fear or uncertainty get the better of you.

Don’t turn off important security settings (i.e. macros!). As noted above, phishers are always trying new tricks to get you to click the bait. The Enable Content ploy was sneaky, but not impossible to notice. MS Word turned off macros by default a long time ago to improve security. Unless you’re intentionally using them, keep macros disabled.

HR Departments Targeted with Ransomware in Job Applications

Is your organization actively recruiting new employees? If so, alert your HR department about the latest ransomware campaign to hit the streets.

GoldenEye – the new ransomware flavor of the month – is strikingly similar to the traditional variants, but the delivery method has some added twists and turns.

HR Department Targeted

Cyber criminals distributing the GoldenEye ransomware are taking advantage of an HR professional’s tendency to respond to emails from complete strangers.

HR professionals usually have access to a treasure trove of personal and sensitive information, making them ideal targets for ransomware. If they lose access to that information, the company is more likely to pay the ransom demand to reclaim their data.

The GoldenEye ransomware attack takes on a job application theme. Attackers use phishing tactics to send fake emails claiming to be from potential job applicants. The attack starts when someone in the HR department gets an email from a ‘job applicant’ with their cover letter and application attached.

Probably serving as a decoy, the cover letter is simply a PDF with no malicious content. The other attachment is a malicious Excel file containing macros – usually named with keywords like ‘application’ or ‘candidate.’ Once opened, the file appears to be loading and prompts the victim to click “Enable Content,” which runs the macros and starts the encryption process.

After the ransomware is finished encrypting, victims are presented with the typical ransomware screen demanding a ransom in exchange for the decryption key. This particular ransom demand is 1.3 bitcoin.

Best Practices

This is a clever attack method, due to the nature of an HR professional’s job. It’s not uncommon to receive and respond to emails from strangers looking to apply for a job or sending in their resume.

The best bet here is to keep macros disabled on all Microsoft Office documents. Keep reiterating to your workforce the importance of never enabling macros. Workforce awareness and training are key to thwarting these types of attacks. And, as always, employees need to be suspicious of any email that comes from an unknown or unexpected source.

Phishing Alert: Healthcare Entities Targeted With Fake OCR Emails


Healthcare entities should be on the lookout for new phishing emails impersonating the Department of Health and Human Services Office for Civil Rights (OCR). The OCR is the government agency that oversees HIPAA regulations for healthcare organizations.

Phishing Email Details

The phishing email is made to look legitimate by incorporating the HHS departmental letterhead along with the signature of OCR Director Jocelyn Samuels.

Email recipients are told they might be included in the HIPAA Audits that are currently in progress. The email instructs users to click a link that takes them to a website promoting cybersecurity services. OCR is not associated with the firm in the fake email in any way.

The email is sent from the address OSOCRAudit@hhs-gov.us, and the URL in the email directs users to the website www.hhs-gov.us. Both are slightly different from the actual email address and URL set up for the OCR audits.

Key Takeaway

The main targets for this scam are employees of Covered Entities and Business Associates. If your organization is covered under HIPAA regulations, make sure your workforce is aware of these potential phishing scams.

Security Alert: MICROS Credit Card Payment Systems Breach


Companies using credit card machines from Oracle’s MICROS division should check their devices immediately for malware.

MICROS – a top-three point-of-sale vendor – is used at over 330,000 registers globally. According to reports, device administrators need to check the machines for malware and other unusual network traffic, as well as change the passwords on the devices.

Breach Details

Currently, there aren’t many concrete details available. Oracle has provided limited information. They did release an FAQ and indicated that they have detected and addressed malicious code in MICROS systems.

Cybersecurity blogger Brian Krebs reported hackers compromised servers at Oracle’s retail division and found their way into Oracle’s main online support portal for MICROS customers.

Visa issued an alert to help explain the malware affecting MICROS devices. It appears hackers found a vulnerability in the MICROS system giving them access. From there, they turned their attention toward the retail customers using MICROS with their credit card machines. Hackers were able to compromise login credentials and gain remote access to retailers’ MICROS systems, which likely hold heaps of payment card information from the merchants’ customers.

Reports are also circulating revealing hacks of several other point-of-sale vendors: Cin7, ECRS, Navy Zebra, PAR Technology, and Uniwell. The breaches of these point-of-sale vendors might be a key factor in the string of cyber attacks on retail and hotel chains.

Indicators of Compromise

Both Visa and Krebs published several indicators of compromise (IP addresses) to check against Internet traffic. Any presence of these IP addresses indicates the credit card machine is probably compromised.

Key Takeaways

MICROS customers – as well as companies using Cin7, ECRS, Navy Zebra, PAR Technology, and Uniwell – should take the recommended actions to prevent and defend against any attacks on their credit card machines, including:

  • Changing passwords for any account used by a MICROS representative to access the MICROS systems, and
  • Scanning for the indicators of compromise to make sure hackers aren’t accessing the network.
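As an added example of the second item (not the Visa or Krebs indicator list, which is not reproduced here), the following Python matches firewall flow records against an IoC set given as single hosts and ranges, and lists the internal hosts that talked to one. The indicators and log lines are constructed, using RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Constructed IoC list in RFC 5737 documentation ranges; entries may be hosts or whole ranges.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.44/32", "198.51.100.0/24", "203.0.113.7/32")]

# Accepts the key=value style many firewalls emit: "... src=A dst=B dport=N"
LINE_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)(?:\s+dport=(?P<dport>\d+))?")

def parse_line(line: str):
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None}

def ioc_hit(ip_str: str):
    """Return the matching IoC entry as a string, or None (also None for unparsable input)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    return next((str(net) for net in IOC_NETWORKS if ip in net), None)

def scan(lines):
    """Every record whose source or destination falls inside an IoC entry, with what matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for field, other in (("src", "dst"), ("dst", "src")):
            net = ioc_hit(rec[field])
            if net:
                hits.append({"line": n, "field": field, "ip": rec[field], "ioc": net,
                             "peer": rec[other], "dport": rec["dport"]})
    return hits

def talkers(hits):
    """Internal hosts that exchanged traffic with an IoC, i.e. the registers to pull and inspect."""
    return sorted({h["peer"] for h in hits})

# Constructed sample log: one hit inside a /24, one benign neighbour of a /32 entry, one
# unparsable line, one exact /32 hit, and one inbound connection from an IoC host.
SAMPLE_LOG = """\
2016-08-09T10:01:12 fw1 ACCEPT src=10.20.0.15 dst=198.51.100.23 dport=443
2016-08-09T10:01:15 fw1 ACCEPT src=10.20.0.15 dst=203.0.113.200 dport=443
this line is not a flow record
2016-08-09T10:02:40 fw1 ACCEPT src=10.20.0.31 dst=192.0.2.44 dport=8080
2016-08-09T10:03:02 fw1 ACCEPT src=203.0.113.7 dst=10.20.0.31 dport=3389
""".splitlines()
```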

Spear-Phishing Attack Targets Lawyers

Have you recently received an email from your state Bar Association claiming that a complaint has been filed against you? A new series of phishing emails is targeting lawyers to trick them into installing ransomware.

The Center for Internet Security posted an alert warning of a malicious email campaign directed at lawyers. The emails are personalized, urgent, and appear to be from the Bar Association.

Phish Details

Attackers have gotten crafty; they disguise the fake emails to look like they’re sent from the Bar Association or the Board of Bar Examiners. The subject line or body of the email poses an urgent situation. They claim that a complaint was filed against you, or that your membership fees are past due. These urgent matters are perfect click bait.

Potential victims are asked to respond by clicking a link in the email that installs ransomware.

The fake emails have been particularly effective because they look like legitimate, personalized requests. Each state’s Supreme Court has public listings of enrolled lawyers that include information such as your full name, bar membership status, bar number, and other professional details.

Savvy attackers are taking advantage of this information to prepare and send these phishing emails.

Best Practices

The best way to thwart this specific phishing campaign is to use caution when clicking on links within emails. Always hover over any links within emails to make sure the URL matches the intended link.

These phishing emails include a link that appears to lead you to the state bar association’s website. However, when you hover over the link, it shows that the link really leads to a different, malicious website.

Many state bars have warned clients that such complaints would not be sent electronically. If you receive an email with an alleged complaint, delete it immediately. If you suspect that a complaint may have been filed against you, call the state bar or Board of Bar Examiners at a known telephone number.
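The two tells in the OCR alert above (a sender and link on hhs-gov.us rather than the agency's own domain) and the hover-over-the-link advice for the Bar Association phish can be checked mechanically. This added Python example is not from either alert; it assumes hhs.gov as the legitimate domain and uses placeholder domains for the bar-association sample.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the agency's genuine domain. Add your own organisation's domains.
LEGIT_DOMAINS = {"hhs.gov"}
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (adequate for .gov/.us/.org/.com here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def _squash(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())

def lookalike_of(domain: str, legit=LEGIT_DOMAINS):
    """Return the legitimate domain that `domain` imitates, or None. Catches the pattern in the
    OCR alert ('hhs-gov.us': brand and TLD glued by a hyphen under another TLD) and the plain
    brand-under-a-different-TLD variant ('hhs.us')."""
    d = domain.lower()
    if d in legit:
        return None
    head = _squash(d.rsplit(".", 1)[0])            # 'hhs-gov.us' -> 'hhsgov'
    for good in legit:
        if head in (_squash(good), good.split(".")[0]):
            return good
    return None

def check_sender(address: str) -> list:
    host = address.rsplit("@", 1)[-1]
    hit = lookalike_of(registrable_domain(host))
    return [f"sender domain {host} looks like {hit}"] if hit else []

def check_link(anchor_text: str, href: str) -> list:
    """The 'hover over the link' test: compare the domain shown in the link text with the one
    actually linked, then test the real domain for lookalikes."""
    real = urlparse(href).hostname or ""
    findings = []
    if URL_LIKE.fullmatch(anchor_text.strip()):
        shown = urlparse(anchor_text if "://" in anchor_text else "http://" + anchor_text).hostname
        if shown and registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but points to {real}")
    hit = lookalike_of(registrable_domain(real))
    if hit:
        findings.append(f"link domain {real} looks like {hit}")
    return findings

def triage(msg: dict) -> list:
    return check_sender(msg["from"]) + check_link(msg["text"], msg["href"])

# Constructed messages. The first reuses the sender and URL quoted in the OCR alert; the
# bar-association sample uses placeholder domains; the last is a benign control.
SAMPLES = [
    {"from": "OSOCRAudit@hhs-gov.us", "text": "www.hhs-gov.us", "href": "http://www.hhs-gov.us/"},
    {"from": "complaints@statebar.example", "text": "www.statebar.example/complaints",
     "href": "http://update-notice.example/c/1234"},
    {"from": "alerts@hhs.gov", "text": "www.hhs.gov", "href": "https://www.hhs.gov/"},
]
```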

SS7 Vulnerability Allows Hackers to Hijack Online Accounts

What are the chances a hacker can use your mobile number to get into your email, social media, or online banking account? Turns out… pretty good.

Researchers from Positive Technologies found a vulnerability in the SS7 protocol that allows them to intercept one-time passcodes (OTPs) used to confirm a user’s identity and break into online accounts.

What is SS7?

SS7 – Signaling System 7 – is the signaling protocol that telephone and cellular networks use to interconnect, so that subscribers on different networks can reach each other. Examples of SS7 functions:

  • Set up and manage the connection for a call
  • Terminate the connection after a call
  • Manage call forwarding, three-way calling, caller identification
  • Toll-free 800 and 888 calls
  • Short message service (SMS or text message)

Basically, SS7 was developed to patch together several cellular networks so their users could interact with each other. It was never created with security in mind, and the protocol used to connect the networks lacks strong authentication… as shown below.

OTP Attack

This video shows the researchers demonstrating the hack. First, they go to Facebook to log in to a user’s account. To reset the password, Facebook sends an OTP (usually a six-digit number) by SMS to the mobile number on the account. They take advantage of the flaw in the SS7 protocol to spoof the mobile phone on the network and intercept the code when it’s sent by SMS. This gives them everything they need to get into the Facebook account, change the password, and take over the account from the user.

Key Takeaway

The video shows the researchers hacking into a Facebook account. But you’re probably thinking of other online services that use this type of additional protection to keep users secure. You might be using this type of authentication method in your business.

That’s where the most danger lies. This same type of attack can be used on any account that allows a password reset using OTPs sent through SMS – e.g. email accounts.

While this vulnerability in SS7 hasn’t been exploited to the same degree as other attack methods, it calls into question the security of using OTPs as the standard way of authenticating users for online accounts. Unfortunately, at this point, there aren’t many alternatives. Users should stay aware of activity on all their online accounts and notify the provider if something seems wrong.

Many security experts recommend using SMS OTPs as the “something you have” part of two-factor authentication. But this attack shows that you might not be the only one who has it.

Keystroke Logger Disguised as USB Device Charger


The FBI is warning companies about a new keystroke logger known as KeySweeper. It looks like a regular USB device charger, but it has the keystroke hardware hidden inside. Keystroke loggers are designed to read the keystrokes from a keyboard in order to steal credentials and other sensitive information. If KeySweeper is carefully placed in an office, the bad actor could wind up with a plethora of valuable information.

Technical Details

KeySweeper is an Arduino-based device hidden in the shell of a USB phone charger. Its skill is in detecting and decrypting radio frequency signals from Microsoft wireless keyboards manufactured before 2011.

KeySweeper uses a SIM card to send data to the bad actor’s web server over cellular connection. The SIM card also allows the device to send text messages when it reads certain keywords from the keyboard.


The simple way to prevent this specific attack is to ban employees from using wireless keyboards. KeySweeper relies on the radio frequency signals to capture information, so wired keyboards are safe from this attack.

If preventing the use of wireless keyboards is impractical, make sure the keyboards used are safe from the KeySweeper attack. Microsoft Bluetooth-enabled keyboards are protected against this attack, because KeySweeper listens on a different channel than Bluetooth transmissions. Microsoft wireless keyboards produced after 2011 are also protected because they use AES encryption to safeguard keystrokes.

Policies and procedures to address usage of mobile devices and chargers can also play a part in preventing this type of attack. The FBI recommends several provisions to consider in related office policies:

  • Limiting which outlets are available for device charging,
  • Knowing whose chargers are currently being used, and
  • Immediate removal of an unknown charger from the office facility.

Fake DDoS Threats Steal $100,000


Cloudflare reported that its customers have started receiving DDoS threats from a cybercriminal group called Armada Collective. The extortion emails sent by the Armada Collective threatened businesses with a full scale DDoS attack if they didn’t pay the bitcoin demands.

Cloudflare checked in with other DDoS mitigation services, and – lo and behold – they were seeing the same threats. But the funny thing is there hasn’t been evidence of a single attack perpetrated by the almighty Armada Collective. Instead, they’ve collected over $100,000 in fake extortion payments. Let’s take a closer look…

Armada Collective Threat

Below is an example of the extortion email being sent out by the Armada Collective:


The interesting part is that the Armada Collective claims it will know who paid, but every message directs the victim to send the same amount to the same Bitcoin address. And they correctly state that Bitcoin is anonymous. So there is no way for them to identify victims that have agreed to pay the “fee.” It makes sense, then, that whether or not the victim chooses to pay the extortion fee, no attacks are launched.

The original group that called themselves Armada Collective disappeared around November of 2015. They were thought to be a part of the notorious DD4BC group that was very effective in carrying out DDoS threats. It sounds like some scheming cybercriminals are riding the coattails of the original group’s reputation to make a quick buck.

FBI Warning: Incidents of Ransomware on the Rise


(This story is from a recent FBI Threat Alert. Please share with others in your organization and make sure employees are aware of the threats and consequences of ransomware.)

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.

Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber-attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.

In a ransomware attack, victims will open an e-mail and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network to which the victim computer is attached. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.

And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

Tips for Dealing with the Ransomware Threat

Prevention Efforts

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data – i.e. share this alert with fellow employees.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts – i.e. No users should be assigned administrative access unless absolutely needed.
  • Configure access controls, including file, directory, and network share permissions, appropriately – i.e. if users only need to read specific information, don’t give them write access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations – i.e. Temporary folders supporting popular Internet browsers, compression/decompression programs.

Business Continuity Efforts

  • Backups, backups, backups! Back up data regularly and verify the integrity of those backups.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.” In the meantime, according to Trainor, the FBI will continue working with its local, federal, international, and private sector partners to combat ransomware and other cyber threats.

Phishing Alert: Earthquake Disaster Email Scams

US-CERT and the FTC have both issued alerts on email scams that cite the recent earthquakes in Ecuador and Japan. The scam emails may contain links or attachments that direct users to phishing or malware-infected websites. Donation requests from fraudulent charitable organizations commonly appear after major natural disasters.

Take the following measures to protect yourself from these scams:

  • Review the FTC alert and their information on Charity Scams.
  • Do not follow unsolicited web links or attachments in email messages.
  • Keep antivirus and other computer software up-to-date.
  • Check this Better Business Bureau (BBB) list for Ecuador Earthquake Relief before making any donations to this cause.