The audio from the October 14 meeting of the Senior Statesman of Virginia, focusing on Internet Security, is now available through the Charlottesville Podcast Network. 10 Don’ts author Eric Rzeszut was one of two featured speakers.
As we point out in the very first chapter of 10 Don’ts, “Don’t Get Phished,” criminals are getting more sophisticated when they craft phishing scams. They’ll use real terminology, correct English, and proper company/organizational logos to increase the number of people fooled by these malicious emails.
Today, Virginia’s Attorney General Mark Herring (@AGMarkHerring) released a warning about a phishing scam being perpetrated via email, phone, and even social media:
Attorney General Mark R. Herring today warned Virginians to be vigilant for a major, ongoing “phishing” scam involving emails, phone calls, and social media messages purporting to be from the Attorney General and his office. The emails claim to be a “Final Legal Notification” from Attorney General Herring or his staff regarding debt owed to “Cash Advance, Inc,” or some variation thereof, or claim that an “arrest warrant” has been taken out on the recipient. The emails demand payment from the recipient to resolve the issues. In some cases, recipients may receive follow-up phone calls from the scammers perpetuating the fraud. The Attorney General’s Office does not operate in such a manner and the recipient should not respond to the emails or phone calls.
“Phishers and phone fraudsters are capitalizing on public concern over a massive data breach announced this week at health insurance provider Anthem in a bid to steal financial and personal data from consumers.
The flood of phishing scams was unleashed just hours after Anthem announced publicly that a “very sophisticated cyberattack” on its systems had compromised the Social Security information and other personal details on some 80 million Americans.”
“Anthem, the US’ second-largest health insurer, announced today that it was the victim of a cyber-attack last week, in which its database of about 80 million records — including names, birthdays and social security numbers — was compromised.
Anthem reports that other personal member data like addresses, phone numbers, email addresses and employment information was also stolen. However, the company says that it has no evidence to show that credit card numbers, medical history, diagnosis or treatment data were exposed.”
It is too early to know how the attackers got in, of course. But as we point out in 10 Don’ts, many of these attacks are made possible by human error: someone being phished or otherwise social-engineered out of a password, someone storing private data in a public location, someone performing sensitive tasks over an open wireless connection, and so on.
“Underground cybercrime shops that sell credit and debit card accounts stolen from retailers are slashing prices and promoting their own Black Friday and Cyber Monday sales as fraudsters gear up for the busy holiday shopping season.”
Humans are the weakest link in just about any security program:
“When people think about cyber and information security they often think about anti-virus software and firewalls; however, according to an information security expert from the University of Adelaide, organisations would become a lot more secure if employers invested in more security-related training for staff.”
That’s why everyone should read 10 Don’ts!
Full story: phys.org
In chapter 9 of 10 Don’ts, we discuss various forms of “ransomware,” where an attacker compromises an individual’s or organization’s workstations, servers, or network, encrypts or locks the data on them, and then demands payment to restore access. The most prevalent form of ransomware throughout 2013 and 2014 has been “CryptoLocker,” along with its variants and imitators, including “CryptoWall.”
Network World relates the story of a US non-profit that learned its lessons about phishing links, malware, and backups the hard way after a recent CryptoWall infection:
“An admin had clicked on a phishing link which was bad enough. Unfortunately, the infected workstation had mapped drives and permissions to all seven servers and so CryptoWall had quickly jumped on to them to hand the anonymous professional a work day to forget.
The organization, a US-based non-profit with a headcount running into the hundreds, had backups but discovered to their shock that reinstating them would consume days, leaving the entire enterprise twiddling its thumbs. Admins were also unsettled by the possibility that some of those backups had not been verified and might not even work.”
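The two lessons in that story are that a workstation with write access to every server lets one click reach all seven, and that a backup nobody has restored from is a hope rather than a backup. The following is an added example, not code from the 10 Don’ts site or from Network World: it backs up a constructed sample directory (the file names and contents are made up), then proves the backup is usable by extracting it into a scratch directory and comparing every file’s SHA-256 with the manifest recorded at backup time. It also shows the two failures a scheduled restore test catches: data that has drifted since the job ran, and an archive the job never finished writing.

```python
"""Restore-test a tar backup against the checksums recorded when it was made."""
import hashlib
import os
import tarfile
import tempfile
import zlib

# Constructed sample data standing in for the mapped shares; not real files.
SAMPLE_FILES = {
    "finance/ledger-2014.csv": b"date,amount\n2014-10-01,120.50\n",
    "finance/notes.txt": b"Quarterly close checklist\n",
    "hr/roster.txt": b"alice\nbob\ncarol\n",
}


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def make_backup(root, archive_path):
    """Write a gzip tarball of root and return the manifest to store with it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname=".")
    return build_manifest(root)


def verify_restore(archive_path, manifest):
    """Do a real restore into a scratch directory and check every file.

    Returns (ok, problems); each problem is (kind, detail) with kind one of
    "unreadable" (archive cannot be extracted), "missing" or "mismatch".
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    # The "data" filter refuses absolute and ../ member paths
                    # (Python 3.12+ and security backports); fall back if absent.
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, [("unreadable", f"{archive_path}: {exc}")]
        restored = build_manifest(scratch)
        for rel, digest in sorted(manifest.items()):
            if rel not in restored:
                problems.append(("missing", rel))
            elif restored[rel] != digest:
                problems.append(("mismatch", rel))
    return not problems, problems


def demo():
    """Back up the constructed tree, verify it, then show two ways it goes wrong."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "shares")
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        archive = os.path.join(work, "nightly.tar.gz")
        manifest = make_backup(root, archive)
        results["fresh"] = verify_restore(archive, manifest)

        # Drift: a file edited and another added after the job ran, so the
        # archive no longer holds what a restore is expected to bring back.
        with open(os.path.join(root, "hr", "roster.txt"), "ab") as fh:
            fh.write(b"dave\n")
        with open(os.path.join(root, "hr", "new-hire.txt"), "wb") as fh:
            fh.write(b"erin\n")
        results["stale"] = verify_restore(archive, build_manifest(root))

        # Truncation: the backup job died mid-write and nobody noticed.
        with open(archive, "r+b") as fh:
            fh.truncate(40)
        results["truncated"] = verify_restore(archive, manifest)
    return results


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAILED'} {problems}")
```

Run this from cron against last night’s archive and the manifest the backup job wrote, and alert on anything but an empty problem list; the point is that the check exercises the same extraction path a real recovery would use, so a restore that would take days or fail outright is discovered before the ransomware, not after.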
As a 10-day countdown to the October 20 launch of 10 Don’ts on Your Digital Devices, each day an excerpt from a different chapter will be published here.
Chapter 9 of 10 Don’ts is entitled “Don’t Trust Anyone Over…Anything.” This advice, while a bit tongue-in-cheek, is meant to warn the reader of the dangers of social engineering. Digital criminals will attempt to trick you out of your user name, your password, your social security number — anything they can get out of you. An unfortunate financial analyst named Darren falls victim to one of these attacks.
Darren is a newly hired financial analyst for a major e-retailing company with a background in database management, software integration, and big-data modeling. He was hired as part of a broad-scale company reorganization following several recent acquisitions. Darren’s group is part of a brand new unit within the parent company, with incompletely established functional boundaries. Four weeks into his new position, Darren is still learning the proper procedures, reporting relationships, colleagues’ names, and general operating system parameters. Everything feels very up in the air for Darren—a very common feeling. He receives a phone call at work, which is purportedly from the IT help desk affiliated with his group. Although the caller ID on his desk phone may have indicated an external call, in the midst of a hectic moment Darren didn’t notice.
The caller identifies herself to Darren as “Charlotte from the internal help desk,” a reasonable call to expect given the circumstances. She tells Darren that IT staff are still working on provisioning his access to multiple internal systems that have not yet been completely configured for his new work group. This part of what the caller tells him is true. Each week Darren is gaining more access to new systems and databases necessary for his core work activities. The caller “confirms” Darren’s username/login ID, job title, and e-mail address and asks for his current password. Assuming the caller is legitimate (because she had all these other pieces of information), Darren provides her with his password without question—this is a mistake. It turns out that the caller was a spear-phisher using social engineering as a first step in an APT (Advanced Persistent Threat) attack.
The attacker was aware of some changes and reorganization at Darren’s company and the presence of new employees, more likely than not through intercepted e-mail traffic or information publicly available on social media. The attacker was able to leverage this partial information and intuition to trick Darren into providing her with critical additional information, such as systems passwords and logon credentials. Within a few days, Darren’s genuine IT administrators notice multiple logins using his credentials from several sites worldwide. In response they disable his system access until the issue can be resolved, with the hope that no core infrastructure or company resources have been compromised in the interim—a slim hope at best.
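The story ends with Darren’s administrators noticing his credentials in use from several sites worldwide. The following is an added example, not code from the 10 Don’ts book, showing the check that raises that alarm automatically: it reads authentication log lines, keeps only successful logins, and flags any account used from more than one country inside a sliding time window. The log lines are constructed, the field layout is assumed rather than taken from any particular product, the addresses are from the documentation ranges (10.0.0.0/8, 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), and the country of each address is assumed in the log rather than looked up in a GeoIP database.

```python
"""Flag accounts with successful logins from several countries in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the user names, addresses and countries are made up.
AUTH_LOG = """\
2014-10-06T08:02:11Z user=darren src=10.20.30.41 country=US result=success
2014-10-06T08:40:57Z user=priya src=10.20.30.77 country=US result=success
2014-10-06T11:15:03Z user=darren src=203.0.113.7 country=RU result=success
2014-10-06T11:16:48Z user=darren src=198.51.100.23 country=BR result=failure
2014-10-06T11:17:30Z user=darren src=198.51.100.23 country=BR result=success
2014-10-06T13:05:12Z user=priya src=10.20.30.77 country=US result=success
2014-10-07T02:44:09Z user=darren src=192.0.2.200 country=CN result=success
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return record


def find_impossible_travel(log_text, window_hours=24):
    """Return {user: sorted list of countries} for every account that logged in
    successfully from more than one country within window_hours of each other.

    Failed attempts are ignored on purpose: a failure from a new country is
    worth a separate rule, but the alarm here is a stolen password that works.
    """
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record["result"] == "success":
            by_user[record["user"]].append(record)

    flagged = {}
    for user, records in by_user.items():
        records.sort(key=lambda r: r["ts"])
        # Slide a window forward from each successful login and collect the
        # countries seen before the window closes.
        for index, first in enumerate(records):
            countries = {first["country"]}
            for later in records[index + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                countries.add(later["country"])
            if len(countries) > 1:
                flagged.setdefault(user, set()).update(countries)
    return {user: sorted(countries) for user, countries in flagged.items()}


if __name__ == "__main__":
    for user, countries in find_impossible_travel(AUTH_LOG).items():
        print(f"{user}: successful logins from {', '.join(countries)} within 24h")
```

With the sample log, darren is reported for the US, RU, BR and CN logins and priya is not. In production the window would be tuned to the travel times that are physically plausible for the organization, known VPN egress points would be mapped to one location before comparison, and the response to a hit would be exactly what the administrators in the story did by hand: disable the account first, then investigate.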