Security Round Up: Email, Voicemail & Paycheck Phishing
We are barely a month into 2019 but attacks on our data are as prevalent as ever. Threats can come in many forms, including but not limited to:
- Company data breaches (which you have no control over)
- Hacked user accounts often stemming from weak or commonly used passwords (which we can control)
- Phishing attacks via email, phone calls and more
- Email attacks
- Malware-embedded images
- Unsecured wireless networks
- Unencrypted online forms
- Man-in-the-middle attacks
This post covers what we need to know and what we can do to protect our data in relation to some of the most recent threats.
Email
Over the past few months, many people have received messages from a vast email campaign that included a sextortion email or a bomb threat hoax. The attack was widespread and relied on a scare tactic: the email claims to have caught the recipient doing something lascivious in front of their webcam. The sender also claims to have video proof and threatens to share it unless the recipient pays a fee.
Why it works: What makes this particular attack convincing is that the email often comes with a password the recipient has used at some point. These passwords are speculated to have been gathered during previous hacks, and seeing one can be startling when it is attached to an email from someone who is threatening you. These scare tactics are often successful because when we are fearful, we don't make the best decisions.
How to protect yourself: Most importantly, delete the email. If you do not open it, you protect yourself from any potential malware and prevent yourself from being tempted by their trap. The best defense we have against the criminals who orchestrate these kinds of attacks, as well as ransomware attacks and the like, is to refuse to pay. When these kinds of attacks stop making criminals money, we will see fewer of them.
Voicemail
A recent voicemail phishing campaign sends emails to potential victims on the pretense that they contain a voicemail. The emails are made to look like those from RingCentral and other applications, with one big difference: RingCentral includes the audio file in the email, with no need for credentials or a visit to a different site. You simply download the audio file and play it directly from the email. This scam instead presents users with a link, hoping they will click it in the belief that it gives them access to the voicemail. The link goes to an external, fake Microsoft login page where they are prompted to enter their credentials.
In this particular scam, even when the correct user account and password are entered, victims are prompted to enter their credentials a second time, which increases the probability that the criminals have collected the correct credentials. Once the credentials have been entered twice, a page with a voicemail is displayed, but the damage has already been done. NOTE: Most software and applications that forward voicemails to email do so by attaching an mp3 file to the email, so there is no need to follow links.
Why it works: This attack is only successful if you click the link and enter your credentials at the fake site.
How to protect yourself: The best protection against this kind of attack is not clicking on the links. Be cautious anytime an email directs you to a site to enter credentials, even if the site looks legitimate! Instead, go directly to the site or contact the company first. Additionally, try checking the voicemail other ways - using a phone, via an app, etc.
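The note above gives a usable triage rule: genuine voicemail-to-email messages carry the audio as an attachment, while this scam carries only a link. A mail-filter check for that rule follows, as an added example that is not part of the original post; the function name, sample messages and hostnames are constructed for illustration.

```python
import re
from email import message_from_string, policy

AUDIO_EXT = (".mp3", ".wav", ".m4a")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage_voicemail_email(raw):
    """Return (verdict, links) for one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    has_audio, links, text = False, [], [msg.get("Subject", "")]
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_maintype() == "audio" or name.endswith(AUDIO_EXT):
            has_audio = True
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            text.append(body)
            links += URL_RE.findall(body)
    themed = re.search(r"voice\s?mail|voice message", " ".join(text), re.I)
    if not themed:
        return "not-voicemail", links
    if links and not has_audio:
        return "suspicious", links  # link-only "voicemail": matches the scam
    return "expected", links        # audio is attached, as the note describes

# Constructed sample messages (not taken from a real campaign)
PHISH = """\
From: "Voicemail Service" <noreply@voicemail.example>
Subject: New voicemail from +1 555 0100
Content-Type: text/html

<p>You have a new voice message (0:42).</p>
<a href="https://login.phish.example/owa">Listen to voicemail</a>
"""
LEGIT = """\
From: pbx@corp.example
Subject: Voicemail from +1 555 0101
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

New voicemail attached.
--b1
Content-Type: audio/mpeg
Content-Disposition: attachment; filename="msg0001.mp3"

--b1--
"""
```

A "suspicious" verdict is a reason to quarantine or banner the message for review; it does not replace checking the voicemail through the phone or app.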
Paycheck Phishing
At least three employees at Wichita State University were tricked by an email phishing scam that ended with them losing their paychecks. The university has implied they will cover the lost paychecks this time, but will not be able to cover employees if this happens again. As bad as they might feel for their employees, covering expenses of this nature could be extremely costly and have major repercussions over time.
Why it works: This scam was effective because criminals spoofed the payroll system of the university to send emails that seemed legitimate to employees. Unfortunately for the employees, they provided their university IDs and passwords, which allowed hackers to gain control of their profiles, change their banking information and receive their paychecks instead.
How to protect yourself: This is another perfect example of why you should never enter your credentials into a link delivered in an email. Stop and ask questions before doing anything. Contact the company/department/representative or whomever you can and find out if this is a legitimate request. Most companies will never ask for this kind of information in email.
Other important stories:
Data Breach
In one of the largest data breaches ever, 773 million records were recently posted to a hacking forum. This breach appears to be data aggregated from several other large breaches and included over a billion unique email addresses and passwords. In total, this breach included 772,904,991 email addresses and over 21 million unique passwords.
What we know: While the origination of this attack is unknown, it appears to be an aggregate of over 2,000 leaked databases.
How to protect yourself: Unfortunately, this is the kind of attack where there is little you can do to protect yourself. However, this is also why using different combinations of user IDs and passwords is absolutely critical. If an account is hacked and those credentials are used with a single account, you are far safer than if they are used with 20 accounts.
Malware-infected ads targeting Mac users
Mac users were targeted by malware in ad-based images in a recent campaign. These attacks have been running since January 11th and 191,970 bad ads were found by researchers at Confiant and Malwarebytes. Currently, the estimated number of Mac users that could be affected is nearly 1 million.
How it works: This attack is triggered by clicking on a malicious ad image which in turn installs a Trojan in the background.
How to protect yourself: The best protection against this attack is to be very cautious when clicking on ads. Try going to the site directly or contacting the company about an ad's offer.
There will always be attempts to gain unauthorized access to our data. New threats will continue to be developed. Existing threats will be morphed into new ways to attack our devices. Sometimes new threats come about due to updates that inadvertently introduced security risks. Regardless of the way the threats are introduced, there are ways we can reduce our potential risk. Most of the time the key to this is slowing down, reading everything before we click, and proceeding with caution!
As always, taking a few extra minutes to reduce exposure or unauthorized access to your data can save an exponential amount of time in the long run.