Phishing Attacks: Real-World Examples and How to Protect Yourself

At Connect4 Consulting, we’ve seen phishing attacks evolve from obvious Nigerian prince scams to sophisticated deceptions that can fool even the most tech-savvy professionals.

Phishing attacks work because they exploit human nature – our trust, our curiosity, our desire to help. The best defense is a combination of skepticism, knowledge, and good security habits.

Let’s break down the most common types of attacks we’re seeing today and show you how to protect your business.

The Classic Email Phish: Still Swimming Strong

Remember when even tech giants Google and Facebook fell victim to a sophisticated email scam? Between 2013 and 2015 an attacker posing as one of their hardware suppliers sent fake invoices and collected more than $100 million before he was caught. If it can happen to them, it can happen to anyone. Today’s email phishing attempts are increasingly sophisticated, using lookalike domains, spoofed display names and social engineering to appear legitimate.

Spear Phishing: When Attackers Take Aim

Think of spear phishing as the sniper rifle of cyber attacks. Instead of casting a wide net, attackers research their targets first: who approves invoices, who the CEO’s assistant is, which vendors the company uses. The message is then written to fit that context so closely that it appears to come from a trusted source. The Colonial Pipeline attack, discussed below, shows what happens once an attacker holds a working password, however it was obtained.

The Colonial Pipeline Attack: A Case Study

The Colonial Pipeline attack of May 2021 is frequently cited as spear phishing in action, but the public record does not support that. According to the incident responders’ findings, the attackers logged into a legacy VPN account using a password that had been exposed in a separate credential leak, and the account was not protected by multi-factor authentication. How that password was first obtained, by phishing or otherwise, has never been established. The incident is still instructive, because it shows what a single set of stolen credentials can do when nothing else stands in the way.

Key Elements of a Spear Phishing Attack:

  1. Targeted Research: Attackers research the organization first, identifying key personnel, their roles, the vendors they deal with and the tone of routine internal communication.
  2. Convincing Communication: The message is crafted to mimic trusted communications, using familiar language, real names and references that would resonate with the recipient.
  3. Exploitation of Trust: By appearing to come from a known contact, the attackers exploit the natural tendency to act on requests from trusted sources, so the recipient clicks, opens the attachment or types a password without pausing.
  4. Consequences: Whether credentials are captured by a lure like this or lifted from a leaked database, as at Colonial Pipeline, the result is the same: the attacker logs in as a legitimate user. At Colonial that login led to a ransomware deployment and a pipeline shutdown that disrupted fuel supply across the Eastern United States.

Spear phishing is a sophisticated and dangerous cyber threat that requires vigilance and awareness, and Colonial Pipeline shows what is at stake once an attacker holds a working password. Organizations must implement robust security measures: employee training and awareness programs, multi-factor authentication on every remote-access path (VPNs included), and removal of legacy accounts that nobody is watching. By understanding the tactics used in spear phishing, individuals can better protect themselves and their organizations from becoming victims of this sniper rifle of cyber attacks.

Smishing: When Texts Turn Toxic

That “urgent” text about your package delivery? It is likely a trap. We’ve seen a surge in SMS-based phishing (smishing) attacks, with criminals impersonating everything from delivery services to banks. The USPS impersonation campaign was particularly clever, using our natural curiosity about packages to steal Google credentials.

How Smishing Works

  1. Deceptive Messages: Attackers craft messages that mimic legitimate communications. For example, a message may claim that there is an issue with your bank account and urge you to verify your information immediately.
  2. Malicious Links: The text often includes a link that directs users to a fake website designed to look like a legitimate one. Once on this site, users may be prompted to enter sensitive information.
  3. Data Harvesting: If the victim falls for the scam and provides their information, the attacker can use it for identity theft, financial fraud, or sell it on the dark web.

Recognizing Smishing Attempts

To protect yourself from smishing, it’s essential to recognize the signs of a potential attack:

  • Unexpected Messages: Be cautious of unsolicited messages, especially those that ask for personal information or prompt you to click on links.

  • Urgency and Threats: Smishing messages often create a sense of urgency, claiming that immediate action is required to avoid negative consequences.

  • Poor Grammar and Spelling: Many smishing attempts contain grammatical errors or awkward phrasing, which can be a red flag. The reverse is not true: a polished, error-free message is not evidence of legitimacy, and attackers increasingly produce flawless text.

How to Protect Yourself from Smishing

  1. Do Not Click Links: Avoid clicking on links in unsolicited text messages. Instead, visit the official website of the organization directly by typing the URL into your browser.
  2. Verify the Source: If you receive a suspicious message, contact the organization directly using a known phone number or email address to verify its legitimacy.
  4. Report Smishing Attempts: If you receive a smishing message, report it to your mobile carrier and the relevant authorities. In the US, you can forward the message to 7726 (SPAM) and report it to the FTC at reportfraud.ftc.gov.
  4. Use Security Software: Consider using mobile security applications that can help detect and block potential smishing attempts.

Smishing is a growing threat in the realm of cybercrime, leveraging the convenience of mobile communication to exploit unsuspecting individuals. By understanding what smishing is, recognizing its signs, and taking proactive measures to protect yourself, you can reduce the risk of falling victim to these deceptive attacks. Stay informed and vigilant to safeguard your personal information in an increasingly digital world.

Vishing: The Voice You Can’t Trust

Phone scams have gone high-tech. Modern vishing attacks use sophisticated social engineering and often spoof legitimate phone numbers. We’ve seen cases where attackers pose as bank security teams, complete with background call center noise and professional scripts.

Common Techniques Used in Vishing

  1. Caller ID Spoofing: Attackers can manipulate caller ID information to make it appear as though they are calling from a legitimate source, including the exact number printed on the back of your bank card. This tactic increases the likelihood that the victim will answer the call and engage with the scammer. Carrier-side call authentication (STIR/SHAKEN) has reduced some spoofing but does not eliminate it, so a familiar number on the display proves nothing.
  2. Urgency and Fear Tactics: Vishing attacks often create a sense of urgency or fear. For example, the caller may claim that there is a problem with the victim’s bank account that requires immediate attention, prompting the victim to act quickly without thinking.
  3. Pretexting: Attackers may create a fabricated scenario or pretext to justify their request for information. For instance, they might pose as a bank representative conducting a security check and ask for personal details to “verify” the victim’s identity.
  4. Social Engineering: Vishing relies heavily on social engineering techniques, where attackers exploit human psychology to manipulate victims. They may build rapport or use flattery to gain the victim’s trust before asking for sensitive information.

How to Protect Yourself from Vishing

  1. Be Skeptical: Always be cautious when receiving unsolicited calls, especially if the caller requests personal information. Verify the caller’s identity by hanging up and calling back using an official contact number from the organization’s website or the back of your card, never a number the caller gives you.
  2. Do Not Share Personal Information: Never provide sensitive information over the phone unless you initiated the call to a verified number. A legitimate bank or vendor will never ask you to read out a full password, a PIN, or a one-time code that was just sent to you; that code is exactly what an attacker needs to complete a login as you.
  3. Use Call Blocking Features: Many smartphones and telecom providers offer call blocking features that can help reduce the number of unwanted calls you receive.
  4. Report Suspicious Calls: If you receive a suspicious call, report it to your local authorities or the relevant consumer protection agency. This can help raise awareness and potentially prevent others from falling victim to similar scams.

Vishing is a growing threat in the realm of cybersecurity, leveraging voice communication to deceive individuals into divulging sensitive information. By understanding the tactics used by attackers and implementing protective measures, you can significantly reduce your risk of becoming a victim of vishing. Stay informed and vigilant to safeguard your personal information against these types of scams.

Social Media: The New Phishing Ground

Platforms like Twitter have become hunting grounds for phishers. Remember the fake Domino’s Pizza accounts offering refunds? That’s just the tip of the iceberg. Social media phishing thrives on our trust in branded accounts and our desire for deals.

Techniques Used in Social Media Phishing

  1. Impersonation: Attackers often create fake profiles that mimic legitimate users or organizations. These profiles may use similar names, photos, and information to gain the trust of potential victims.
  2. Malicious Links: Phishing messages frequently contain links that lead to fraudulent websites designed to steal personal information. These links may be disguised as legitimate URLs, making them difficult to identify.
  3. Social Engineering: Cybercriminals exploit social dynamics by crafting messages that appeal to emotions or urgency. For example, they may pose as a friend in distress or a company offering a limited-time promotion.
  4. Direct Messaging: Phishing attempts can occur through direct messages on social media platforms. Attackers may send unsolicited messages that prompt users to click on links or provide sensitive information.
  5. Fake Contests and Giveaways: Scammers often create fake contests or giveaways that require users to provide personal information to enter. These schemes can lure users into sharing sensitive data.

Implications for Users and Organizations

The use of social media for phishing poses significant risks, including:

  • Data Breaches: Successful phishing attacks can lead to unauthorized access to personal and organizational data, resulting in data breaches and financial losses.

  • Reputation Damage: Organizations that fall victim to phishing attacks may suffer reputational harm, leading to a loss of customer trust and loyalty.

  • Increased Security Costs: Organizations may need to invest in enhanced security measures and employee training to combat phishing threats, incurring additional costs.

As social media continues to grow in popularity, so too does the risk of phishing attacks. Users and organizations must remain vigilant and educate themselves about the tactics employed by cybercriminals. By fostering a culture of awareness and implementing robust security practices, individuals can protect themselves from the dangers of social media phishing.

HTTPS Doesn’t Mean “Totally Safe”

Here’s something that surprises many of our clients: that little padlock icon doesn’t guarantee a safe site. The Scarlet Widow group proved this by creating convincing HTTPS-enabled fake sites. Remember: HTTPS only means your connection is encrypted and that you are talking to whoever controls the domain name in the address bar, not that the site is legitimate. Certificates are issued automatically and for free to anyone who can prove control of a domain, so a phisher gets the padlock in minutes.

Limitations of HTTPS

  • Not a Complete Security Solution

HTTPS only secures the data in transit. It does not protect against vulnerabilities on the server side or in the application itself. If a website has poor security practices, such as outdated software or weak passwords, HTTPS cannot prevent data breaches.

  • Phishing Attacks

Cybercriminals can create fraudulent websites that use HTTPS to appear legitimate. Users may mistakenly trust these sites, believing that the presence of HTTPS means they are safe. This can lead to phishing attacks where sensitive information is stolen.

  • Malware and Exploits

HTTPS does not protect users from malware or exploits that can occur after they have accessed a secure site. If a user downloads malicious software from a secure site, their device can still be compromised.

  • Certificate Authorities

HTTPS relies on Certificate Authorities (CAs) to issue TLS certificates (still commonly called SSL certificates). If a CA is compromised or mis-issues a certificate to a malicious actor, HTTPS can be rendered ineffective, and users may not be aware that they are communicating with an untrustworthy site. Domain owners can monitor Certificate Transparency logs, which record every publicly trusted certificate, to spot certificates issued for their names that they never requested.

  • User Behavior

Even with HTTPS, user behavior plays a significant role in security. For example, if users reuse passwords across multiple sites or fail to recognize suspicious links, they can still fall victim to attacks.

While HTTPS is an essential aspect of online security, it is not a foolproof solution. Users must remain vigilant and adopt a multi-layered approach to security that includes strong passwords, regular software updates, and awareness of phishing tactics. Understanding the limitations of HTTPS is crucial for navigating the digital landscape safely.

Phishing Protection Toolkit

Here is what we recommend:

  • Trust But Verify: Urgent request from your CEO? Pick up the phone and confirm.
  • Check Those Details: Look closely at sender addresses and link targets. What matters is the registered domain, the part just before the top-level domain: “paypal.secure.com” belongs to whoever owns “secure.com”, and “paypal.com.account-verify.net” belongs to “account-verify.net”. Neither is “paypal.com”.
  • Guard Those Links: Hover before you click. Better yet, manually type known URLs.
  • Enable MFA: Yes, it takes an extra few seconds. No, that’s not too much time to protect your accounts. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) for important accounts, because SMS and push codes can be relayed by a phishing page in real time.
  • Stay Updated: Both your software and your knowledge need regular updates.
  • Train Your Team: Security awareness isn’t a one-time thing – it’s an ongoing process.
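The “check those details” rule, and the point above that an HTTPS padlock only tells you which domain you reached, can be made mechanical. The following is an added example, not code from the original article and not a Connect4 tool: it extracts the registered domain from a link or sender address and compares it against an allow-list. It assumes a hand-written, deliberately tiny subset of the public-suffix list and a constructed allow-list of brand domains; a real implementation would load the full list from publicsuffix.org.

```python
"""Registrable-domain check for links and sender addresses.

Added example. It uses a hand-written, tiny subset of the Public Suffix
List and a constructed allow-list of brand domains; swap in the real
list from publicsuffix.org before relying on it.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allow-list: brands we care about and the domains they own.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "usps": {"usps.com"},
    "google": {"google.com"},
}

# Constructed, deliberately tiny subset of the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# A few ASCII look-alikes that make "paypa1" read as "paypal".
CONFUSABLES = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"))


def hostname_of(target: str) -> str:
    """Lower-cased host from a URL, a bare domain, or an e-mail address."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].strip(" >").lower()
    parts = urlsplit(target if "://" in target else "http://" + target)
    return (parts.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """The part the owner actually registered: one label plus the public suffix."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def normalize(host: str) -> str:
    """Fold hyphens and common confusables so look-alikes match the brand word."""
    folded = host.replace("-", "")
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def check_target(target: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'reject' or 'unknown'."""
    host = hostname_of(target)
    if not host:
        return "reject", "no hostname found"
    # Non-ASCII or punycode hosts are where homoglyph attacks live.
    if not host.isascii() or "xn--" in host:
        return "reject", f"non-ASCII or punycode hostname, possible homoglyph: {host}"
    reg = registrable_domain(host)
    # Only the registered domain decides ownership; subdomains prove nothing.
    for brand, owned in KNOWN_BRANDS.items():
        if reg in owned:
            return "ok", f"{host} is under {reg}, owned by {brand}"
    # Not ours: does it try to look like one of ours?
    folded = normalize(host)
    for brand in KNOWN_BRANDS:
        if brand in folded:
            return "reject", f"{host} mentions {brand} but is registered as {reg}"
    return "unknown", f"{host} is registered as {reg}, not an allow-listed brand"


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin",
                   "https://paypal.secure.com/login",
                   "Security <security@paypa1-support.com>"):
        print(sample, "->", check_target(sample))
```

Run it against the target of every link in a suspicious message (the `href`, not the visible text) and against the address in angle brackets after the display name. An “unknown” verdict is not a pass; it just means the domain is not one the allow-list knows about.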

Conclusion

Remember: if something feels off, it probably is. Take the extra minute to verify before you click, share, or respond. That minute could save your business from becoming another phishing statistic.

Website Security: Steps to Protect Your Site From Being Hacked

Recently a client of mine contacted me because his site looked like this:

Screenshot of a Hacked Website

78% of malware cases are attributed to outdated core applications, plugins or modules. That means an outdated version of WordPress, an outdated version of a theme, or an outdated version of a plugin.

Seven Steps to Prevent Your Website From Being Hacked

  1. Backup your site regularly to a location that is different from your website host.
  2. Update plugins, theme, and WordPress version whenever there is an update. Do not let versions lapse. Updates frequently exist because someone has discovered a security vulnerability.
  3. Remove themes and plugins that are not in use. Inactive themes and plugins can be used to access your website. Remove anything that is not pertinent to your site.
  4. Replace plugins that are more than 2 years old and have never been updated.
  5. Use strong usernames and passwords. Every account should have a long, unique, randomly generated password stored in a password manager; a mix of uppercase, lowercase letters, numbers and special characters matters far less than length and never reusing the password anywhere else.
  6. Change your nickname so it’s not your username. Otherwise you are giving hackers half the puzzle. Be aware that this only hides the username from post bylines: WordPress still reveals usernames through author archive URLs (such as ?author=1) and the REST API unless those are restricted, so treat the password as the real defense.
  7. Use a malware/security service like Sucuri or Wordfence to protect your site.

What to do if your site is hacked?

  1. Keep a deep watch. Attackers usually don’t hurry to mess with your site; they work slowly, adding a backdoor or an extra admin user first and coming back later. If you think your site has been hacked, watch everything very closely: new user accounts, changed files, unfamiliar scheduled tasks and unexpected outbound traffic.
  2. Hope that you have that backup in hand. Before you change anything, also take a copy of the compromised site (files and database) so you can work out later how the attacker got in.
  3. Contact your web host – try to contact your web host immediately regarding the unnatural activity. Maybe they can help you or maybe they know something about it.
  4. Change your FTP/SSH login passwords – immediately change the FTP and SSH login passwords. And this time, choose completely different and stronger passwords.
  5. Change “admin” username. Do not use “admin” as your username; automated brute-force attempts overwhelmingly try this username first.
  6. Change password. The hackers know your password. So – change the passwords of all the admin accounts asap. Change the database password as well.
  7. Forced Logout. All users (and hackers) stay logged in until their cookies expire. Because existing cookies remain valid even after the password is changed, you need to force everyone to log out. Go to https://api.wordpress.org/secret-key/1.1/salt/ to generate a new set of secret keys and salts. Add the whole block to your wp-config.php file; if similar defines already exist there, replace them. Every login cookie is signed with these values, so changing them invalidates all existing sessions, including the attacker’s.
  8. Update WordPress version. If you’re using an older version of WordPress you really need to update it. This might be how hackers hacked you in the first place.
  9. If the above things don’t fix the situation, there is only one option and that is to create a fresh WordPress installation: new core files, plugins and themes downloaded from the official sources, with only your content (database and uploads) restored from a backup taken before the compromise. Do not copy the old theme or plugin directories across, because that is where backdoors are usually hidden.
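Step 7 above can be scripted. The following is an added example, not part of the original article and not the wordpress.org generator: it produces eight fresh 64-character values locally and rewrites the matching define lines in wp-config.php, adding any that are missing. The sample wp-config.php it ships with is constructed for the example.

```python
"""Rotate the WordPress authentication keys and salts in wp-config.php.

Added example: generates the values locally with the secrets module
instead of fetching them from api.wordpress.org, so it runs offline.
"""
from __future__ import annotations

import re
import secrets
import sys

# The eight constants WordPress uses to sign login cookies and nonces.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters only, with no quote or backslash, so a value can be
# dropped into a single-quoted PHP string without escaping.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_[]{}<>~`+=,.;:/?|")

# Matches one define('NAME', 'value'); line, whichever quote style it uses.
DEFINE_RE = re.compile(
    r"""^(?P<head>[ \t]*define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*)"""
    r"""(?P<q>['"])(?P<value>.*?)(?P=q)(?P<tail>\s*\)\s*;.*)$""",
    re.MULTILINE,
)


def generate_key(length: int = 64) -> str:
    """One cryptographically random key of the given length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text: str) -> tuple[str, list[str]]:
    """Return (new wp-config text, names of the keys that were set).

    Existing salt defines are replaced in place; any of the eight that are
    missing are inserted before the "stop editing" marker (or appended).
    Every other define, such as DB_PASSWORD, is left untouched.
    """
    rotated: list[str] = []

    def replace(match: re.Match) -> str:
        name = match.group("name")
        if name not in SALT_KEYS:
            return match.group(0)
        rotated.append(name)
        return f"{match.group('head')}'{generate_key()}'{match.group('tail')}"

    new_text = DEFINE_RE.sub(replace, config_text)

    missing = [k for k in SALT_KEYS if k not in rotated]
    if missing:
        block = "".join(f"define( '{k}', '{generate_key()}' );\n" for k in missing)
        marker = "/* That's all, stop editing!"
        idx = new_text.find(marker)
        if idx == -1:
            new_text = new_text.rstrip("\n") + "\n" + block
        else:
            new_text = new_text[:idx] + block + new_text[idx:]
    return new_text, rotated + missing


# Constructed sample: placeholder salts, one salt (NONCE_SALT) missing, and a
# DB_PASSWORD in double quotes that must survive unchanged.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_PASSWORD', "s3cret" );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
"""

if __name__ == "__main__":
    # Usage: python rotate_salts.py /path/to/wp-config.php > wp-config.new
    # With no argument it rotates the constructed sample instead.
    text = (open(sys.argv[1], encoding="utf-8").read()
            if len(sys.argv) > 1 else SAMPLE_WP_CONFIG)
    updated, changed = rotate_salts(text)
    sys.stdout.write(updated)
    sys.stderr.write("rotated: " + ", ".join(changed) + "\n")
```

Write the output to a new file, diff it against the original to confirm only the eight salt lines changed, then move it into place. Every session, including your own, is logged out the moment the new file is live.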

The real lesson here is relatively simple and goes back to that old Boy Scout mantra –

Be Prepared. Have a recent backup of your site. Know how to restore it or who to call in an emergency. Keep your website, content management system, and plugins up to date. Keep all of your username and login information someplace secure because you will need this for your website host and your domain name in an emergency.

What to do if your website home page now says ‘The Site Ahead Contains Malware’

If you get to a website and you see the warning “Site Ahead Contains Malware”, you need to act fast.

If it’s not your site, you need to turn around because there could be malware on the website you are trying to access.

If the site ahead happens to be your own site, you need to act fast to fix the situation. This message indicates that your website is either infected with malware and/or has been hacked. Google crawls websites regularly to add new or updated content to the search index. These crawlers also can detect if your site has a malware infection.

If Google or other search crawlers find malware on your site, they immediately flag your site and display this warning to protect users from accessing the web site. This warning has detrimental effects on SEO, site traffic, and your credibility. It can also lead to your web host suspending your hosting account.

Why did your WordPress website get hacked?

Websites get hacked for the following reasons:

  • economic gain
  • drive-by downloads – malware injections
  • black hat SEO
  • system resources
  • hacktivism

How did your WordPress website get hacked?

Malware can infect your site in a number of ways:

  1. Plugins – An infection could have come through the plugins installed on your website. This can happen for several different reasons: a) old plugins without recent updates are prone to vulnerabilities; b) pirated (“nulled”) copies of paid plugins are free but often ship with malware already inside; c) you may have installed a plugin from an untrusted source.
  2. Your Computer Might Have Malware – Malware on the computer you administer the site from can steal the FTP or WordPress credentials saved in your client, or tamper with files before you upload them, so the infection arrives through a perfectly legitimate login.
  3. Brute-force attacks by hackers – Hackers can use a brute-force attack to guess your username and password and break into your website.

What do you do if your site now says “The Site Ahead Contains Malware”?

It’s important that you act fast. You will have to remove the malware from the website and then submit your website to Google for review. Google’s safe browsing policies that you need to follow before you submit your site for review are:

  • You need to log into Google Search Console and prove you are the owner of your website.
  • You need to make sure that your website is clean and free of any malware infections or backdoors.
  • You need to fix the vulnerability that led to the hack. We recommend installing the premium version of Wordfence.
  • If your host has suspended you for malware, you need to contact them and request they remove the suspension. Your website needs to be back online prior to submitting it to Google for review.
  • Call Connect4 Consulting at 202-236-2968 so we can help you with these steps.

How do you prevent “The Site Ahead Contains Malware” from happening again in the future?

If you’ve ever had the misfortune of finding yourself in this situation, it is imperative that you do everything possible to prevent it from happening again. To do that, implement the following procedures:

  • Make sure someone is actively managing the hosting of your website. That means you need to make sure that all plugins and WordPress are updated as soon as updates are available. You can’t just rely on hosting alone.
  • Install Wordfence or Wordfence Premium to protect your website.
  • Update WordPress regularly.
  • Only use trusted themes and plugins: the official WordPress.org directory or a reputable vendor. Free or paid, stay away from anything that has had no updates in the last 3 months or more.
  • Remove inactive themes and plugins – the more elements you have on your website, the greater the opportunities a hacker has to break into your website.
  • Update website passwords, remove inactive users, limit login attempts, and install a TLS certificate so the site is served over HTTPS.

What should we be using for virus protection?

This is a complicated question and the answer depends on how you use your computer. Personally, I haven’t used Norton or McAfee in years. Both of those anti-virus programs are extremely resource-intensive and make day-to-day use of the computer challenging.

I recommend the following:

  • Always update your devices. If there’s an update available, run it. Most updates exist because a security loophole has been identified. The bad guys look for the weakest defenses. Follow this for all of your devices – PCs, Macs, iPhones, Androids, etc.
  • Set up your computer so that you are not the administrator. Use a standard account for daily work and keep a separate administrator account for installs; anything that wants to make system-wide changes will then prompt for the administrator password, which is your cue to stop and think. This limits the damage from a bad download but does not prevent everything: malware running as a standard user can still read, upload and encrypt that user’s own files.
  • Be careful with free downloads. Get software from the vendor’s own site or the platform’s app store, and read every installer screen: bundled “offers” and browser toolbars (a common source of adware) ride along with free programs from download portals.
  • Use the built-in Microsoft anti-virus. On Windows 8 and later that is Windows Defender (now Microsoft Defender); uninstall the third-party suite if you have a newer computer. On Windows 7 the built-in Defender is only anti-spyware, so the equivalent is Microsoft Security Essentials, and since Windows 7 no longer receives security updates the better fix is to upgrade.
  • Back up and prepare for the worst. Visit carbonite.com and use code TWIT. Set up an online backup for your most critical documents and make sure you have copies of your operating system and other software.
  • Use common sense. If something looks fishy it probably is phishy. Don’t click links in emails that look strange or come from people you don’t know.

Why Websites Get Hacked

I spend a fair amount of time working on new websites as well as fixing websites that have been hacked and this question always comes up:

Why would anyone ever hack my website? I’m just a small business owner.

Depending on who you are, websites get hacked for different reasons, but there are a few specific explanations.

Automation is key

Website attacks that target small businesses and smaller websites are fully automated, which gives the attacker the following benefits:

  • Mass exposure
  • Reduction in overhead
  • Tools for everyone regardless of skill
  • Dramatically increases the odds of success (for the hacker)

The majority of these attacks are automated and follow a specific sequence:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

While thinking about how these attacks occur, it’s important to address the two types of attacks: attacks of opportunity and targeted attacks.

Attack of Opportunity

Almost all small business website attacks are attacks of opportunity. This means that it’s not one individual or group that is trying to hack into your specific website, but rather a coincidence. Something about your site was caught in the trailing net as they crawl the internet looking for hacking opportunities. It could have been something simple like having a known plugin installed, or maybe displaying the version of a platform (displaying the fact that you’re using an outdated version of WordPress, for example).

According to Sucuri, a website security company, it takes about 40 days for a new website with no content or audience to be identified and added to a bot crawler. Once added, the attacks can begin immediately without any real rhyme or reason. It can be any website; the only commonality is that they are all connected to the internet.

These web crawlers then begin to look for identifying markers. Is the website running WordPress, Joomla, Drupal? If so, is the website running any software with known vulnerabilities or bugs in the code? If the answer is yes, the site will be marked for the next phase of attack, exploitation.

The sequence of events can happen in a matter of minutes, days, or months. It’s not a singular event; it’s ongoing and occurs continuously as the bot crawlers are scanning for vulnerabilities. Once your website is on the list, it will just keep on trying until it succeeds. This is why it is so critical to have someone actively managing your website and – at a bare minimum – updating software.
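The “identifying markers” a crawler looks for are sitting in your own page source, so you can look for them first. Here is an added example, not code from the original article or from Sucuri, that inspects an HTML page for the two most common version leaks: a generator meta tag and ?ver= query strings on script and stylesheet URLs, plus the asset paths that give away the platform. The two sample pages and the table of tell-tale paths are constructed for the example; the path table is indicative, not exhaustive.

```python
"""Spot the CMS and version markers an automated crawler would find.

Added example. Feed it the HTML of your own page (for instance saved
with curl) and fix anything it reports before a bot finds it first.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser

# Constructed, indicative table of asset paths that betray the platform.
CMS_PATHS = {
    "WordPress": ("/wp-content/", "/wp-includes/"),
    "Joomla": ("/media/jui/", "/media/system/"),
    "Drupal": ("/sites/default/files/", "/core/misc/"),
}

# WordPress appends ?ver=<core version> to most core assets; plugins and
# bundled libraries often append their own version, which is a leak too.
VER_RE = re.compile(r"[?&]ver=([0-9][0-9A-Za-z.\-]*)")
# "WordPress 5.2.4", "Joomla! - Open Source" etc.; we only need name+version.
GENERATOR_RE = re.compile(r"^\s*([A-Za-z]+)\s+v?([0-9][0-9.]*)")


class MarkerCollector(HTMLParser):
    """Collects <meta name=generator> content and script/stylesheet URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.generators: list[str] = []
        self.asset_urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        elif tag == "script" and a.get("src"):
            self.asset_urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.asset_urls.append(a["href"])


def fingerprint(html: str) -> dict:
    """Return what a crawler could learn: cms, version strings, raw leaks."""
    parser = MarkerCollector()
    parser.feed(html)
    result = {"cms": None, "versions": set(), "leaks": []}

    for content in parser.generators:
        result["leaks"].append(f'meta generator "{content}"')
        m = GENERATOR_RE.match(content)
        if m:
            result["cms"] = result["cms"] or m.group(1)
            result["versions"].add(m.group(2))

    for url in parser.asset_urls:
        for cms, paths in CMS_PATHS.items():
            if any(p in url for p in paths):
                result["cms"] = result["cms"] or cms
        m = VER_RE.search(url)
        if m:
            result["versions"].add(m.group(1))
            result["leaks"].append(f"?ver= on {url.split('?')[0]}")
    return result


# Constructed sample: a default WordPress page leaking its version three ways.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 5.2.4" />
<link rel='stylesheet' href='https://example.test/wp-content/themes/twentynineteen/style.css?ver=5.2.4' />
<script src='https://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
</head><body></body></html>"""

# Constructed sample: the same page after removing the generator tag and
# stripping ?ver= from asset URLs. The platform is still obvious from the
# paths; only the version is hidden, which is all you can realistically do.
HARDENED_HTML = """<html><head>
<link rel='stylesheet' href='https://example.test/wp-content/themes/twentynineteen/style.css' />
<script src='https://example.test/wp-includes/js/jquery/jquery.js'></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_HTML), ("hardened", HARDENED_HTML)):
        print(label, fingerprint(page))
```

The hardened page still identifies itself as WordPress through its paths, and that is fine: hiding the platform is not realistic, and the crawler’s next question is the one that matters, namely whether the version it sees has a known exploit. Keeping the version off the page buys you nothing if the software behind it is still out of date, so this check complements updating, it does not replace it.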

Targeted Attack

Targeted attacks are usually reserved for big businesses, but not always. Think of the NBC hack in 2013 or the Forbes hack in 2014. There are many recent examples, and the reason for the uptick is obvious: even though a targeted attack requires much greater skill, the payoff to the hacker can be huge. One common form of targeted attack is the Denial of Service attack, in which the attacker works to bring down the availability of your site by overloading it with traffic.

Hacking Motivations & Drivers

Now that you have a better understanding of how these attacks happen, let me unpack some reasons why websites get hacked.

Economic Gains

The most obvious reason why websites get hacked is economic gain. These are attempts to make money off your audience, either by getting them to click on something or download something.

Drive-by Downloads

A drive-by download is the act of injecting your website with malware and hoping to infect as many website visitors as possible. Think of someone visiting your website and then calling you because they installed a fake piece of software that you supposedly recommended on your website. Then their bank accounts were drained. Scary and very real and devastating.

Black Hat SEO

The other type of strategy is the black hat SEO campaign. These are not as devastating, but can be more lucrative for the hackers. This is the game of abusing your audience by redirecting them to pages that generate affiliate revenue, or of planting hidden spam links that borrow your site’s search ranking.

System Resources

The business of farming system resources is a huge motivator for hacking groups. Botnets are nothing more than interconnected systems across the internet; these can be desktops, tablets, and even servers and they can be tethered together to perform tasks like Denial of Service attacks simultaneously. These attacks that target your system resources are dangerous because they can happen completely behind the scenes without you knowing what’s going on until you get a notice from your host – or worse, a huge bill – exceeding bandwidth.

Hacktivism

The point of these website attacks often comes down to awareness and frequently consists of a hacker defacing your homepage. This form of attack can be combined with others, but more often than not they are somewhat benign and create more embarrassment to the site owner rather than affecting their site visitors.

Pure Boredom

Unfortunately boredom seems to come into play and often there is no real reason why websites get hacked.

Conclusion – Your Best Defense is Knowledge

It is easy to be overwhelmed by all of this, but we believe that your best defense is knowledge and if there’s any real take-away here, it is that you should

  1. hire someone to manage and maintain your website
  2. update whenever updates are available

Remember, security is not about the elimination of risk. Security is risk reduction. Take what you know and use it to lower your chances of getting hacked.

Computer Viruses to Watch Out for: Cryptolocker and Ransomcrypt

Cryptolocker and Ransomcrypt – New, Serious Threats

While Ransomlock Trojans have plagued the threat landscape over the last few years, we are now seeing cybercriminals increasingly use Ransomcrypt Trojans. The difference is that Ransomlock Trojans generally lock the computer screen, while Ransomcrypt Trojans encrypt (and so lock) individual files. Both threats are motivated by the money cybercriminals make from extorting victims.

Recently, a new threat detected by Symantec as Trojan.Ransomcrypt.F (AKA Cryptolocker) has been growing in the wild. Trojan.Ransomcrypt.F encrypts data files, such as images and Microsoft Office documents, and then demands payment through Bitcoin or MoneyPak to decrypt them—all within a countdown time period. This Ransomcrypt Trojan uses strong encryption algorithms which make it almost impossible to decrypt the files without the cryptographic key.

What is particularly scary about this new threat is that it is working. People whose data is being held ransom are paying up and there is a legitimate concern for copycats since this has proven to be a successful scam.

The screenshot below is what pops up if your computer is infected.

How to avoid the cryptolocker and ransomcrypt virus

According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.

Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit, a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain. The policies use Windows Software Restriction Policies to stop executables launching from the locations CryptoLocker relied on, such as %AppData% and %LocalAppData% and the temporary folders where zip attachments are extracted. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.

Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw, CEO and developer of Foolish IT, a computer consultancy based in Outer Banks, N.C. Shaw said he created the tool to mimic the actions of the CryptoLocker Prevention Kit, but for home users. So far, he said, the CryptoPrevent installer and its portable version have seen tens of thousands of downloads.

CryptoLocker might be the best advertisement yet for cloud data storage systems, with one caveat: a sync client mirrors the encrypted files to the cloud just as faithfully as it mirrored the originals, and CryptoLocker also encrypted anything on a mapped network drive. What saves you is versioning, or a backup the infected machine cannot write to, so check that your service keeps previous file versions and know how to roll them back.

For further reading on cryptolocker see:

BleepingComputer discussion thread.

Malwarebytes: Cryptolocker Ransomware: What you need to know.

Naked Security (Sophos): Destructive malware Cryptolocker on the loose.

Symantec Connect forum: CryptoLocker and ADC policies (http://www.symantec.com/connect/forums/cryptolocker-and-adc-policies)

Reddit thread: Proper care and feeding of your Cryptolocker

Makeuseof.com: Cryptolocker is the nastiest malware ever and here’s what you can do

Ars Technica: You’re infected — if you want to see your data again, pay us $300 in Bitcoins