We’re happy to report that none of our clients were affected by the much-publicized and devastating WannaCry ransomware infection that brought many companies and organizations to their knees last week. This is largely due to how our Managed Service Plan protects against the very weakness exploited by this attack. Using a combination of multi-vendor/multi-point threat management, system updates, network security best practice and training of our customers’ staff on how not to fall victim to cyber crime and phishing emails, we can prevent disruptions and expensive downtime. If you want to know more about how this plan can help you, please don’t hesitate to contact us!
Cyber criminals have stolen $3.1 billion from businesses since January 2015 — not with high-tech ransomware or stealthy spyware, but rather with low-tech emails. The U.S. Federal Bureau of Investigation (FBI) refers to these attacks as Business Email Compromise (BEC) scams. Since January 2015, more than 22,000 businesses worldwide (including businesses in all 50 U.S. states) have reported falling victim to a BEC scam. There are likely many more businesses that were swindled but did not report it.
Although using emails is a low-tech approach to stealing money, these emails are well crafted. Each BEC email is polished and specific to the business being victimized. The cybercriminals spend a good deal of time creating each email in the hope that its legitimacy will not be questioned.
How Cyber Criminals Create the BEC Emails
The cyber criminals behind the BEC scams are digital con-artists. Like regular con-artists, they first study their victims. They identify the individuals and information necessary to carry out the scams. As part of this research, the digital con-artists sometimes send out phishing emails that request details about the businesses or individuals being targeted. Alternatively, the phishing emails might install malware that obtains sensitive business information, such as financial account records. The cyber criminals also use social engineering techniques to get information. For instance, they might visit social media websites (e.g., LinkedIn, Facebook) or call the company.
After the digital con-artists have the information they need to scam a business, they create the BEC email. They try to get both the wording and graphical elements to look like a legitimate email from that business (or from an organization it does business with, such as a supplier). They know that the closer the match, the harder it will be to spot the scam.
The Five Variations of the BEC Scam
When the FBI analyzed the reports of the 22,000+ BEC victims, it discovered that there were five main variations of the BEC scam:
- Posing as a business executive, the digital con-artist requests a wire transfer. A cyber criminal hacks or spoofs the email account of a business executive and then uses that account to send an email requesting a wire transfer. Typically, the email is sent to the employee responsible for processing these requests. On occasion, the email is sent directly to the financial institution. The FBI found that the digital con-artists often send these emails when the executives are on business trips.
- Pretending to be a business executive, the cyber criminal requests employees’ personal information. Using a spoofed or hacked email account of a business executive, the digital con-artist sends an email to the staff member responsible for maintaining employees’ personal information (e.g., human resources or accounting staff). In the United States, this variation of the scam was used to get employees’ W-2 tax information.
- Posing as a supplier, the cyber criminal requests an invoice payment. The digital con-artist usually selects a supplier that the targeted business has used for a long time. After learning who is responsible for processing supplier payment requests at the targeted business, the cyber criminal will send that person a legitimate-looking payment request. The email tells the employee to wire the invoice payment to an alternate, fraudulent account. Occasionally, the invoice payment request is made by fax or phone instead of email.
- Pretending to be an employee, the digital con-artist requests invoice payments from vendors. After identifying who works with vendors at the targeted business, the cyber criminal hacks that employee’s personal email account, using it to request invoice payments from vendors. This scam is most successful when employees use their personal email accounts for business and they have the vendors listed in their contact list.
- Posing as a lawyer or law firm representative, the cyber criminal requests a fund transfer. The digital con-artist emails or calls an executive or another employee in the targeted business, claiming to be handling confidential or time-sensitive legal matters. The cyber criminal tries to pressure the person into transferring funds quickly or secretively.
How to Avoid Falling Victim to a BEC Scam
Knowing about the five BEC scam variations is one of the best ways to avoid falling victim to them. Thus, you need to educate employees at all levels about the scam scenarios so they can spot BEC emails. In addition, employees should be taught how to spot phishing emails since cyber criminals will use them to gather information prior to creating the BEC emails.
Besides training employees, you should take the following measures to avoid being swindled by a BEC scam:
- Do not use free web-based email accounts (e.g., Hotmail, Gmail) for your business. The FBI found that digital con-artists often target businesses using these email accounts.
- Consider using two-step verification for business email accounts. If you set up two-step verification (also known as two-factor authentication) for these accounts, they will be much more difficult to hack.
- Be careful about what you post on your business’s website. For example, do not post job descriptions or hierarchical information, as this information might prove helpful in determining the best person to target in a BEC scam.
- Ask employees not to post too many details about their jobs on social media websites. Digital con-artists scour these sites for information about businesses and their employees.
- Use anti-malware software and regularly update the operating systems and applications on your business’s computers. Some cyber criminals use phishing emails that install malware to get information for BEC scams. This malware often relies on known vulnerabilities of the operating system or applications to get onto a computer system.
Please share this with your co-workers so that everyone in your organization can be aware of these scams!
Jeff Lorenzen, Computer Superheroes, 720-205-5250, firstname.lastname@example.org
Tele-scams take on a new tack
Microsoft will never call you to tell you your computer is infected. Most of you know to hang up on a call like this. Just like the IRS will never call you to tell you that you owe back taxes that can only be paid with iTunes Gift Cards (no joke – this was a real scam call). However, the criminals are still at it, busily crafting new ways to get you to part with your money. The latest craze is malvertising, or malicious advertisements.
Everyone has seen advertisements on news sites and Facebook tucked to the side of the screen, sometimes disturbingly targeted at things you have recently been looking at on the internet. Well, if you don’t know, these ads are actually not being served from the site you’re visiting, but are pushed into the advertising space by ad services to which the owner of the site subscribes. These are massive services with millions of advertisers looking to peddle their goods to the audience of these often famous places.
However, very carefully crafted advertisements are being posted to these advertising services, and they can take over your computer regardless of whether you have a PC or a Mac. We have seen some very crafty engineering in some of these. They will often claim to be from Microsoft or Apple. They can fill the entire screen and not give you a title bar where you can close the window. Some of them will play a very loud and annoying alarm sound to really scare you. The crooks are actually fooling not only you, but also the advertising services to which they’re posting. This is because the advertisement image looks completely normal to the systems accepting it. However, the image has special code within it that will cause your internet browser to open a new tab and browse to a target site where the malicious advertisement is displayed.
Be not fooled!
This is their point. They are using a very old confidence scam and social engineering to get you to react without thinking. Because the number is toll free, people think it’s legitimate and call. The criminal on the other end will, of course, confirm that you are horribly infected and need to give them access to your computer immediately to prevent your files from being destroyed. They will then show you a bunch of fake screenshots of things they “found” on your computer and ask for payment. We have seen these agencies bill between $60 and $400 for removal of these fake infections. Some of them will charge you every month for a service they’re simply not providing. As long as you think they’re legit and you don’t do anything, they are walking away with your money.
How to save yourself
So, the typical tech support answer always works. Reboot. Because this isn’t actually an infection at all, rebooting will close all open items on your computer and get you back to working. However, there could be times when this may be destructive to unsaved work that may be open in the background in another application. In this case, use Task Manager (CTRL+SHIFT+ESC for Windows, CMD+OPT+ESC for Mac) to select your internet browser (Chrome, Firefox, Internet Explorer, Safari, etc.) and end it.
- Keep your computer updated. These attacks take advantage of the fact that you are annoyed by the prompts to update your computer (operating system, Java, Flash, Reader, etc.) and they take advantage of known vulnerabilities on your system. Our Guardian Managed Service subscribers get their systems updated automatically by us with weekly regularity and are rarely disturbed by updates needed on their computers.
- Have a decent antivirus solution and know what it looks like when it warns you about malicious activity on your computer. All of our clients – regardless of service plan – have the option to have free, professional anti-virus software for their computers – and we take all the alerts for you!
- Network-wide security or threat management at the internet router. Customers that need more thorough network security and want to block malicious software before it reaches the desktop have the option of more advanced software and devices that provide much more control over internet content and the blocking of malicious attacks.
- Install AdBlock Plus. This free product (donations accepted) plugs right into your browser and will not only prevent this type of malicious attack, but many annoying advertisements as well. Just note that some sites are becoming aware of software like this and will refuse to display content until you turn it off.
- Spread the word. As computers get more and more secure, social engineering scams are on the rise. Humans have been, and always will be, the weakest link in computer security. Share information like this with your friends. At work, make sure there is a clearly defined computer policy that includes incident reporting to your boss when something unusual happens to your computer. Staff should also be regularly trained and tested on computer and internet security skills. There are dozens of excellent resources available. We can help with training your staff, too!
If you have any questions whatsoever about your computers, networks, servers or security, we are here to help. Do not hesitate to email or call us!
Passwords. You just can’t avoid them. With all the advances in technology, this is the one thing that we can arguably say has gotten worse over time. There are few places you can go online where the exchange of information or use of an application or site will not require you to create a username and password. Is it any wonder that the majority of people will – for the sake of simplicity and the ability to recall it easily – use and reuse the same password or a variation of that password everywhere? I call this the “life password.” You’ve used it forever, and you use it everywhere. However, if one account gets compromised and there is a human (as opposed to a software robot) paying attention to that, then all your accounts are effectively compromised. A couple of years ago, the Heartbleed bug and its media attention made this apparent for most people. Sadly, few have done more than just come up with a new life password, and they miss the point of keeping passwords unique. Worse yet, the continued use of weak passwords is the leading cause of security breaches.
For years, we have been telling clients that this is a bad practice, but we have also been telling them that secure passwords are a cryptic combination of letters, numbers and symbols. And while this still has some truth, the technology being used by criminals today can crack an 8 character password, regardless of its complexity, in a matter of hours. You’ve probably seen the result when one of your old associates sends you an email enticing you to click a strange looking link, or a fake story about being in a foreign land and suddenly needing money. By the time your contact becomes aware of the hack, the criminal has not only changed the account password, but the security questions and recovery email account used to reset it. Your associate is now almost certainly locked out of the account for good.
We now recommend that you come up with a passphrase comprised of several words and use a unique phrase for each of your logins. Simply going to a 10 or 15 character password increases the time it takes to crack your password from hours to months or even years. While this may seem daunting, it’s easier than you think. Start by picking three words that mean something to you and using this as a “base” phrase that you’ll use to create a tough-to-crack password. When choosing words, we recommend going outside your personal sphere (family and pet names) and choosing something from your favorite works of literature, music or art. Your base words could be something like Ringo Abbey Submarine. This way, you will have the convenience of the “life password,” which will be easy to remember, but we’re going to mix it up a little. The next step is to step up the security by separating the words with numbers and/or symbols. It can be a date that means something to you or any symbol you like. We’ll use 1!65 in this example. Your next step is to create uniqueness. One really easy way to do this is to add an additional word that represents something about the service or site that you’re using. So using all these methods, your Facebook account password could be Ringo1Social!Abbey6Submarine5. You now have an easy-to-remember, super-long, unique password. You simply change that one word that is unique to the site, and perhaps its position in the phrase, for your other logins. Google could be Ringo1Search!Abbey6Submarine5. As a substitute for the word-based password, you could take any long phrase like “one ring to rule them all, one ring to find them!” and use the first letters of each word and some creative letter substitution to come up with “oR2RtA,oR2fT!”.
You can also group passwords together based on complexity. Some sites require you to “create an account” to use them, but you keep no information on the site and you’re not concerned about your digital identity if the account were to be compromised, so you can have a throwaway short life password for sites like these, if you like. You can have a base word phrase for sites that are not financial in nature, and then a completely different phrase for those that are. Use a third phrase for passwords you use at work.
Of course, you will have outliers – sites that limit you to 15 characters, or don’t like the use of that one symbol you’ve decided to use. With these, try to stick to the rule and do something like using two words instead of three, or substitute it with an abbreviation. These sites will likely be few enough that you should be able to recall them with ease.
Why not use a password manager? Although this is a graceful solution and can even give you the beauty of creating completely random passwords for your accounts, you risk a couple of things. First, if you use an online service like LastPass, Dashlane, or Roboform that syncs your passwords to the cloud, all of your stored passwords can now be unlocked with a single password from any computer with an internet connection. So, if you use a site/service like this, make sure that it employs two-factor authentication (where you have to type in a code sent to your phone as a text message in order to unlock your master key on the device you are using, or answer an additional challenge question when you’re using a computer you haven’t previously authorized). Second, and this is a little personal for me, password managers will prevent you from remembering anything but your master passkey. I really don’t like not knowing my passwords. If I’m in a situation where I’m away from the computer that has the password software, and I need to log into my bank to make a transfer so I don’t get overdrawn, it can be pretty damaging if I can’t do it quickly.
There are instances, however, where Password Management or Identity and Access Management (IAM) can actually be a desired thing. Not too long ago, most company data was located on internal network servers that had managed access through a single sign-on at the user’s computer screen. If a worker was terminated, one only had to change that one password to lock the user out. Now, with the wide adoption of cloud servers and services – many of which can be accessed from any internet connection, not just at the office – these disparate systems require their own sets of credentials. Managers are now faced with the daunting task of changing the passwords on possibly dozens of systems to lock out a terminated user. Forget to change just one, and the results could be devastating to corporate security. Fortunately, there are enterprise-class IAM systems that are affordable for even the small business. They allow managers not only to change passwords quickly, but to never have to divulge passwords to users in the first place, further preventing unauthorized use of cloud systems outside of the workplace. IAM systems can create a single sign-on environment with a two-factor authentication scheme that can lock any business down like Fort Knox.
The “Toothbrush Rule”: never share them, and change them frequently. With your phrase-based passwords, just change one of your three keywords and you will be successful at remembering both the old and new password!
For further reading, you can read the story from Wired magazine: How Apple and Amazon Security Flaws Led to My Epic Hacking which is a great lesson in how social engineering can lead an attacker to gain access to a lot of things. Fortunately, since this article, these two companies have tightened things up, but there are many others out there that will readily give up information to the wrong party.
By taking some simple steps, you can create your own secure and easily remembered passwords that will make your digital world a safer one.
If you have questions or would like to know more about IAM, please don’t hesitate to contact us.
Everyone is asking about it. So, we hope to answer everyone’s questions here.
Should I install it? In short: Wait. We’re not recommending broad deployment of Windows 10 at this time. As with any new major software release – and especially with regard to an operating system – we recommend waiting 6 months after the product release before implementing it in a production environment. A “production environment” is any system or group of systems that is responsible for the core operations of a business. In other words, if you make money or save lives with your computer, it wouldn’t be a wise choice.
But it’s free “for a limited time”, so don’t I have to act now? No. Systems that are getting the prompt to reserve the Windows 10 free upgrade have until June 2016 to respond and install.
It’s better/faster, right? That depends. The upgrade represents a significant change to how Windows functions and operates compared with Windows 7. Although we have seen people upgrade without any issues at all, we have seen it cause older computers to lose key hardware drivers (like networking or printing), which makes them an instant brick. We have seen newer systems – even those certified by their manufacturer as being Windows 10 ready – behave in unpredictable ways after being upgraded. This can cause undue downtime having to restore functionality (like reinstalling or upgrading Office or other programs) or even having to restore systems back to Windows 7. Older systems can actually run slower on 10 than they did on 7. Each system’s lifecycle should be taken into consideration before performing the upgrade. If it is near end-of-life (3 years old), the upgrade should be avoided. We also have seen some very strong privacy concerns with the OS and its embedded relationship with Microsoft. Although it’s possible to opt out of the sharing of information with MS and its advertising partners (among other entities with which they “partner”), doing so limits many of the features that make the OS attractive to some people, like voice recognition and application purchase (MS Store).
Other considerations: Our customers’ productivity is paramount. We’d rather not subject our customers to the unknowns that come with a new OS, and instead let the issues get discovered and resolved by others first. If it works, don’t fix it. This is especially true when your environment contains software that is custom or non-standard. Until we have the blessing from your software vendors that the versions of their products you’re using are 100% compatible, supported, and fully vetted for Windows 10, we do not recommend that you proceed with an upgrade.
If you’re still interested in proceeding with Windows 10 after January, I suggest we take a quick assessment of your computers before doing so.
As always, should you have any questions, please do not hesitate to contact us!
It’s been a lovely day, thanks largely in part to Microsoft Patch Tuesday. As you may know, Microsoft releases operating system and software patches for installation on Tuesday, and many computers automatically apply these patches early Wednesday morning. Although this is generally good practice and will keep your computer safe from malicious software, every once in a while we see a patch that makes things worse rather than better. It’s been a long time, but today was a banner day for Microsoft.
The release of the Update KB3097877 yesterday has caused numerous computers using Microsoft Outlook 2007 and higher to crash when one opens or views an email with HTML graphics. These kinds of emails are usually the ones you get as newsletters that look more like a web page than an email. However, even someone with a graphic in their email signature can cause the anomaly to occur. As soon as one of these emails is opened, Outlook will go into “Not Responding” mode and will often crash with a small dialog box saying the program caused a problem and was closed.
Reports have also shown that this update will prevent some business computers from signing in to their desktop at all, giving them a black screen after they try to log in. Other odd results include symptoms like Windows Gadgets not working.
The only fix is to remove the update. Here’s how:
Open up Control Panel
Go to Programs and Features (or Uninstall a Program)
Click on “View Installed Updates” in the navigation panel on the upper left
Look for the update with KB3097877
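The same removal from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes Windows 7 or 8.1 with wusa.exe present, and uses Get-HotFix to read the same installed-updates list that Control Panel shows.

```powershell
# Added example (not from the original post): detect and remove KB3097877.
# Run as Administrator. Assumes wusa.exe is available (it is on Windows 7/8.1).
$kb = 'KB3097877'

# Get-HotFix queries the installed-updates list; -ErrorAction covers the
# case where the update is simply not present.
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

if (-not $installed) {
    Write-Host "$kb is not installed on this computer; nothing to remove."
    return
}

Write-Host "$kb found (installed $($installed.InstalledOn)); uninstalling..."

# wusa.exe removes an update by KB number. /quiet suppresses prompts and
# /norestart lets you choose when to reboot (a reboot completes the removal).
$kbNumber = $kb -replace '^KB', ''
$proc = Start-Process -FilePath 'wusa.exe' `
    -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" `
    -Wait -PassThru

# Exit code 0 = removed; 3010 = removed, restart required.
switch ($proc.ExitCode) {
    0       { Write-Host "$kb removed." }
    3010    { Write-Host "$kb removed; restart the computer to finish." }
    default { Write-Warning "wusa.exe exited with code $($proc.ExitCode); remove $kb through Control Panel instead." }
}
```

After removal, hide the update in Windows Update (right-click it and choose Hide) so it is not offered again before Microsoft ships a corrected version.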
For our managed customers, we have preemptively removed this update from any installed computer and have prevented its further installation until Microsoft releases a version of this update that doesn’t hurt their own products.
Don’t hesitate to contact us if you need help.