Tag Archives: social engineering

Reddit Hacked: A Lesson in the Evolving Role of Cybersecurity

Reddit, the immensely popular social news website, has been hacked. Reddit’s CTO Christopher Slowe posted a discussion saying that it discovered the data breach in June, after an attacker compromised a handful of employee accounts.

The employees’ accounts were protected with SMS-based two-factor authentication, meaning that any would-be attacker not only would have to steal a worker’s password but also intercept the authentication verification sent to the employee’s mobile phone. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Slowe shared. Reddit is encouraging users to move to a more secure token-based Two Factor Authentication (2FA).

Compromised Data

After breaking into the employee accounts, the intruder gained access to databases and logs, including usernames and their corresponding email addresses – as well as encrypted passwords dating back to the site’s early days from 2005 through 2007.

2016: Record Year for Phishing Attacks

Phishing attacks gained a ton of traction through the course of 2016 – just think of all the ransomware and business email compromise attacks reported.

The Anti-Phishing Working Group (APWG) released their phishing trends report to recap the landscape from 2016.

Ransomware is a large driver for the huge spike in attacks throughout the past year. In fact, the FBI reported that 93% of all phishing emails contained ransomware. The total number of phishing attacks in 2016 was a whopping 1.2 million – 65% increase over 2015.

However, the APWG report doesn’t consider spear-phishing attacks. With business email compromise and CEO fraud also making headlines in the cyber world, this puts into perspective the massive uptick in the threats of phishing.

For a 12-year comparison, the 4th quarter of 2004 averaged 1,609 phishing attacks per month; the 4th quarter of 2016 averaged 92,564 attacks per month. That is a 5,753% increase over the past decade.

RiskIQ Takeaways

RiskIQ – a digital threat management firm – provides insights to assist the APWG report. RiskIQ found that victims are not fooled by the address in the browser bar.

The company noted that a relatively low percentage of phishing websites targeting a specific brand attempt to spoof that brand in the domain name of their fraudulent web address – whether at the second level or elsewhere in the fully-qualified domain name.

This shows that phishers don’t need to get too creative with their deceptive domain names to trick their victims into visiting the malicious websites.

Instead, tricks that have been proven effective: using hyperlinks, URL shorteners, or brand names inserted in the URL.

IP Filters

IP filtering was the other area of interest in the APWG report. The study found that some fraud websites make extensive use of IP filters; the technique was found in 29% of attacks.

This technique allows the fraudsters to block visitors whose IP addresses fall outside the target country. In other words, only the targeted victims get to see the fraud sites.

The goal is to make the job more difficult for response teams at hosting providers outside the targeted jurisdiction to detect and prevent the fraudulent activity. It keeps them from noticing and fixing the problems.

Another way this technique is used is to block IPs of the targeted company. This keeps the company’s security team from noticing the fraud, and makes them think the fraud site is taken down.

Employee Training

The best way to prevent phishing attacks from impacting your organization is through employee awareness and training. ePlace Solutions provides a series of training courses on Social Engineering, with specific courses on phishing, spear-phishing, and ransomware.

If you’re reading this, it’s likely your organization has access to these training programs through our cyber insurance policy. Reach out to cyberteam@eplaceinc.com to find out how to leverage the Social Engineering training courses for your workforce!

New Phishing Tricks to Watch For

A new phishing scam is tricking even the savviest Gmail users into giving up their account credentials. Here are the details:

Gmail Attack

Phishers start with a compromised Gmail account. They skim through recent emails targeting one with an attachment. Once they find an email that fits their criteria, they create a screenshot and include it in a reply email to the sender.

The original sender receives the reply with the same subject line, thinking it’s a normal response. The sender clicks on the image, expecting to get a preview of the attachment.

However, instead of a preview, a new tab opens and the user is prompted to sign into their Gmail account again on the new webpage. This fake page is a well-designed replica of Gmail’s login page.

To make it hard to identify as a phishing webpage, attackers include the accounts.google.com subdomain in the URL. This makes users think it’s a legitimate Google webpage. But looking at the address bar shows that before the https there’s a text string, ‘data:text/html…’ that opens the fake, but functional, Gmail login webpage.
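The two tricks described on this page (brand names inserted into a URL or hidden behind a shortener, and a `data:text/html` link that merely mentions accounts.google.com) can be caught by a link-triage check before a user follows the link. The script below is an added example, not code from the original post or from any vendor named here; the brand list, shortener list and sample links are constructed for illustration, and the "registered domain" extraction is a deliberately crude two-label cut rather than a public-suffix lookup.

```python
"""Link triage for the phishing tricks described above (added example;
brand and shortener lists, and all sample links, are constructed)."""
from urllib.parse import urlsplit

# Constructed lists: brand keyword -> domains where that brand legitimately lives.
BRANDS = {
    "google": {"google.com"},
    "dropbox": {"dropbox.com"},
    "amazon": {"amazon.com"},
}
# Constructed list of hosts that hide the real destination behind a short link.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


def registered_domain(host: str) -> str:
    """Crude 'second-level' extraction: last two labels (assumption; a real
    deployment would consult the public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_url(url: str) -> list:
    """Return a list of human-readable findings; an empty list means no heuristic fired."""
    findings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()

    # The Gmail trick: the address bar starts with data:text/html, so the browser
    # renders attacker-supplied HTML and never contacts Google at all.
    if scheme == "data":
        findings.append("data: URI renders inline HTML, not a remote site")
        for brand in BRANDS:
            if brand in url.lower():
                findings.append(f"'{brand}' appears inside a data: URI body")
        return findings

    if scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {scheme!r}")
        return findings

    host = parts.hostname or ""
    reg = registered_domain(host)

    if reg in SHORTENERS:
        findings.append(f"link goes through URL shortener {reg}")

    # Brand name present somewhere in the URL, but the registered domain is
    # not one the brand actually owns.
    for brand, legit_domains in BRANDS.items():
        if reg in legit_domains:
            continue
        if brand in host.lower():
            findings.append(f"'{brand}' appears in hostname but domain is {reg}")
        elif brand in parts.path.lower() or brand in parts.query.lower():
            findings.append(f"'{brand}' appears in path/query but domain is {reg}")
    return findings


# Constructed sample links, one per trick the post describes.
SAMPLE_LINKS = [
    "https://accounts.google.com/ServiceLogin",                         # legitimate
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",  # data: trick
    "https://google.com-login.example.net/accounts",                    # brand in subdomain
    "https://example.net/dropbox/view.pdf",                             # brand in path
    "https://bit.ly/abc123",                                            # shortener
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        for finding in triage_url(link) or ["  (no findings)"]:
            print("  -", finding)
```

The early return on a `data:` scheme is intentional: nothing after the scheme is a hostname, so hostname-based checks would give a false sense of safety.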

If an attack is successful, and a victim enters their login credentials, attackers sign into the account and start the process over again with the new account and new contacts.

Dropbox Variant

Another twist on this type of phishing attack will direct users to click a link that will allow the document to be viewed through Dropbox. Similar to the fake Gmail login page, users are taken to a webpage that allows them to view the document after they’ve signed in using their email credentials.

Once they enter the email credentials, victims are shown a decoy PDF document to divert any attention away from the phishing attack.

Phishing Dangers

Obviously, this attack can lead to compromised Gmail accounts and provide a gateway to plenty of further attack methods. With the widespread reuse of passwords across multiple accounts, this type of attack can lead to enterprise emails becoming compromised.

If an attacker gets the login credentials to an executive’s Gmail account, chances are they can use the same password to access the executive’s corporate email account as well. Give the attacker a bit of time to gather information on the executive and their communication methods, and they will be conducting successful business email compromise attacks before you know it!

Email & Password Reuse

PhishLabs reports that phishing volume increased by 33% across the five most-targeted industries. The largest jump was seen in the phishing attacks directed towards cloud storage providers. Attackers are targeting these types of services in order to harvest their troves of email address and password pairs.

This ties back to the account reuse attacks with cyber criminals recycling those stolen credentials in the enterprise arena. Any organization relying on email addresses and passwords to authenticate users could be impacted by these indirect phishing attacks.

The common trend is the reliance on email addresses instead of unique usernames for authentication purposes. And due to the high frequency of password reuse, stolen credentials from a cloud service provider may inadvertently give attackers access to multiple accounts.

Key Takeaway

These types of phishing attacks demonstrate the importance of implementing two-factor authentication with online accounts. While the password is still the top choice for authenticating users online, having that extra layer of defense can be the difference to a compromised account.

Alert: Phishing Attack Preys on Amex Customers’ Online Security Concerns

American Express card members are the latest targets for a group of crafty hackers. A new phishing scam starts with a fake email claiming to come from American Express, encouraging members to enroll in a new cyber security service.

The premise of the scam is to encourage users to boost the security of their accounts by creating an “American Express Personal Safe Key.” Victims who click the phishing link in the email (the latest being used is amexcloudservice.com/login/) are prompted to enter their online account user ID and password.

Once they have “signed-in,” the fake website sends the user to another page that supposedly walks them through the SafeKey setup process. It is worth noting that victims are sent to the setup page regardless of whether the correct login credentials have been entered.

The SafeKey setup webpage asks for sensitive account holder information: Social Security number, date of birth, mother’s maiden name, mother’s date of birth, email address and Amex card information (number, expiration date, 3-digit security code). This information is easily used to steal people’s identity.

Key Takeaway

American Express users need to be on the lookout for this phishing scam. Always check the validity of email senders and be wary of suspicious emails that include links to unfamiliar websites. If ever in doubt, contact American Express directly with questions.

New Phishing Scam Targets Tax Professionals


The IRS has issued an alert regarding a very specific phishing scam. The scam targets tax professionals through emails claiming to be from tax software companies.

The phishing email urges the recipient to download and install a critical update for the software. Users are given a link in the email, that when clicked, downloads a fake update file that installs a keylogger onto the user’s computer. Keyloggers track computer key strokes and can be utilized to steal login credentials or other sensitive information.

The IRS is warning all tax professionals to be aware of this phishing scam and is offering some proactive steps to avoid becoming a victim:

  • Use best practices for avoiding phishing emails – do not click on links or open attachments in software update emails – instead use a software provider’s main webpage for software updates.
  • Educate all staff members about these common phishing scams.
  • Review all remote access software used by employees and/or vendors – these types of software are common attack vectors used to gain access to computers.

Tax professionals are also advised to check Preparer Tax Identification Number (PTIN) accounts to confirm that their filed returns align with IRS records. If the number of returns processed is more than the number of tax returns prepared, there is high probability that a breach has occurred.

If a breach is discovered, affected tax professionals should prepare and submit Form 14157 to the IRS.

To access “Returns Filed Per PTIN” information, the IRS recommends that tax professionals follow these steps:

  1. Visit http://www.irs.gov/ptin and log into their PTIN account.
  2. From the Main Menu, find “Additional Activities.”
  3. Under Additional Activities, select “View Returns Filed Per PTIN.”
  4. A chart labeled Returns Per PTIN should be visible.
  5. A count of individual income tax returns filed and processed in the current year will be shown.

Phishing Alert: Earthquake Disaster Email Scams

US-CERT and the FTC have both issued alerts on email scams that cite the recent earthquakes in Ecuador and Japan. The scam emails may contain links or attachments that direct users to phishing or malware-infected websites. Donation requests from fraudulent charitable organizations commonly appear after major natural disasters.

Take the following measures to protect yourself from these scams:

  • Review the FTC alert and their information on Charity Scams.
  • Do not follow unsolicited web links or attachments in email messages.
  • Keep antivirus and other computer software up-to-date.
  • Check this Better Business Bureau (BBB) list for Ecuador Earthquake Relief before making any donations to this cause.

Threat Alert: Tech-Support Scams

There’s a new twist on tech-support scams — you know, the one where crooks try to gain access to your computer or sensitive information by offering to “fix” a computer problem that doesn’t actually exist. Lately, the FTC is receiving reports of people getting calls from scammers claiming to be from the Global Privacy Enforcement Network. Their claim? That your email account has been hacked and is sending fraudulent messages. The scammers say they’ll have to take legal action against you, unless you let them fix the problem right away.

If you raise questions, the scammers turn up the pressure. They’ve given out phone numbers of actual Federal Trade Commission staff (who have been surprised to get calls). The scammers have also sent people to the actual website for the Global Privacy Enforcement Network. (It’s an actual organization that helps governments work together on cross-border privacy cooperation.)

Quick Tips

Here are a few things to remember if you get any kind of tech-support call, no matter who they say they are:

  • Don’t give control of your computer to anyone who calls you offering to “fix” your computer.
  • Never give out or confirm your financial or sensitive information to anyone who contacts you.
  • Getting pressure to act immediately? That’s a sure sign of a scam. Hang up.
  • If you have concerns, contact your security software company directly. Use contact information you know is right, not what the caller gives you.

Read on to learn more about tech-support scams and government imposter scams. And, if you spot a scam, tell the FTC.

Phishing Scam Targets the HR Department

Here at ePlace, we’ve reported on spear-phishing attacks commonly referred to as the CEO Scam here and here. But with tax season in full force, cyber criminals are using that cover to steal personal information from HR departments.

The attack is a twist on the traditional CEO Scam that requests wire transfers from the finance department. Cyber criminals use the same technique of spoofing the CEO’s email to make it seem like the request is coming from the high-ranking executive. The spoofed email is sent to the human resources or payroll department and usually asks for W-2 forms. Too often, employees are getting tricked and sending the information along to the phony CEO.

The IRS issued an alert about the attacks because companies of all sizes and industries have reported receiving these phishing emails. Snapchat has also publicly announced falling victim to the scam. Criminals are targeting W-2 information for tax refund fraud. They claim a large refund on behalf of the victim and have the funds deposited in an account under their control.

Best Practices

Companies need to warn their HR and payroll departments about this particular attack. Any email request asking for personal information like W-2s needs to be verified through direct contact with the sender.

Examples of requests to keep an eye out for in these phishing emails include:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary for all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees’ wage and tax statements for 2015. I need them in PDF file type. You can send it as an attachment. Kingly prepare the lists and email them to me asap.

Department of Justice Hacked: Government Information Leaked

According to reports, the Department of Justice (DoJ) has been hacked and personal information of 29,000 government employees leaked. The hacker extracted 200GB of data from the DoJ, including names, job titles, email addresses, and phone numbers of over 20,000 FBI employees and over 9,000 Department of Homeland Security employees.

The hacker gave reporters at Motherboard access to the information that was stolen. The reporters called the phone numbers to check if the information was legitimate. In fact, many of the test calls went through to the correct voicemail and matched with the names listed in the database.

Both employee lists from the FBI and DHS have been leaked via a Twitter account. The DoJ hack is yet another in a string of widely publicized breaches of U.S. security.

Along with sharing access to the information taken from the DoJ database, the hacker detailed the attack to Motherboard reporters. He claims to have used social engineering tactics to compromise the email account of a DoJ employee – which was also used to contact the reporters.

Using that account, the hacker attempted to log into the DoJ web portal, but was denied access. He proceeded to call the IT department claiming he was a new employee and needed help accessing the portal. They asked him for his token, but after saying he didn’t have one, they let him use the department’s and gave him access.

The hacker was able to log in and enter the credentials of the hacked email account to access the online virtual machine and subsequently full access to the computer. This gave the hacker access to the user’s contacts, documents, local network, and databases.

Key Takeaways:

This hack is another common example of how human error can lead to a full-scale data breach. Once again, it’s imperative to increase staff awareness regarding cyber threats. Educating your workforce on common threats like social engineering and phishing attacks is the best defense you can take.

With the IT department requesting a token, it shows that at the very least security policies and procedures were in place. However, it seems like that isn’t enough anymore. For access to highly sensitive information, using a ‘digital identity’ can prove to be effective against social engineering attacks.

For example, before granting a user access, organizations can check the user’s location, the time of day, the configurations of the computer, and antivirus tools in place. If everything checks out according to the ‘digital identity’ of the user, then access is granted. This is the logical trend of user authentication going forward with highly sensitive and confidential information. 
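The ‘digital identity’ gate described above can be expressed as a small policy check that runs after the password and token succeed. The code below is an added example, not from the original post: the profile attributes (expected countries, working hours, known devices, antivirus status), the sample login attempts and the decision thresholds are all constructed assumptions. In the DoJ case described above, an unrecognised device using a borrowed token outside the user’s normal pattern would have produced a denial or a step-up check rather than immediate access.

```python
"""Context-aware access decision (added example; all attributes, samples and
thresholds are constructed assumptions)."""
from dataclasses import dataclass


@dataclass
class UserProfile:
    username: str
    home_countries: set      # where this user normally logs in from
    work_hours: tuple        # (start_hour, end_hour), 24h clock, local time
    known_devices: set       # device fingerprints seen before


@dataclass
class LoginAttempt:
    username: str
    country: str
    hour: int
    device_id: str
    av_enabled: bool         # endpoint reports antivirus running
    password_ok: bool
    token_ok: bool


def evaluate(profile: UserProfile, attempt: LoginAttempt):
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'.

    Credentials are necessary but not sufficient: each contextual mismatch is
    recorded, one mismatch triggers an out-of-band check, two or more deny."""
    if not (attempt.password_ok and attempt.token_ok):
        return "deny", ["credential or token check failed"]

    reasons = []
    if attempt.country not in profile.home_countries:
        reasons.append(f"login from {attempt.country}, expected "
                       f"{sorted(profile.home_countries)}")
    start, end = profile.work_hours
    if not (start <= attempt.hour < end):
        reasons.append(f"login at hour {attempt.hour}, outside {start}-{end}")
    if attempt.device_id not in profile.known_devices:
        reasons.append(f"unrecognised device {attempt.device_id}")
    if not attempt.av_enabled:
        reasons.append("endpoint protection not reported")

    if not reasons:
        return "allow", []
    if len(reasons) >= 2:
        return "deny", reasons
    return "step_up", reasons   # e.g. call back the user via a known number


# Constructed profile and attempts.
ALICE = UserProfile("alice", {"US"}, (7, 19), {"laptop-a1"})
ATTEMPTS = {
    "normal":        LoginAttempt("alice", "US", 10, "laptop-a1", True, True, True),
    "travelling":    LoginAttempt("alice", "DE", 10, "laptop-a1", True, True, True),
    "new_device_night": LoginAttempt("alice", "US", 3, "kiosk-77", True, True, True),
    "bad_token":     LoginAttempt("alice", "US", 10, "laptop-a1", True, True, False),
}

if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        decision, reasons = evaluate(ALICE, attempt)
        print(f"{name:18} -> {decision:8} {reasons}")
```

The value of the check is that a helpdesk handing out a shared token, as happened in the DoJ incident, no longer grants access by itself: the login still has to look like the user it claims to be.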

New Phishing Campaign Targets Amazon Customers with Fake Survey

Amazon customers are new targets of a phishing email offering users money to complete a survey for the company.

The email reads, “As a valued customer we would like to present you with an opportunity to make a quick buck. We are offering $10 each to a selected number of customers in exchange for completing a quick survey relating to our service. Your opinions and thoughts are vital in order for us to provide the best possible service. Please press the link below to get started.”

The link directs users to a fake web page that spoofs Amazon’s login page. After entering their login information, Amazon users are led to another page that requests payment information, address, phone number, credit card details, bank account number, and security questions.


Security professional Chris Boyd, who reported the scam, recommends that users always double-check for the green padlock any time a website asks for sensitive information.