Tag: phishing scams

Business-email compromise phishing now affects consumers

Article

House in Toorak

The sale of a property is an area where consumers can easily be caught up in a business-email compromise scam

Email crooks swindle woman out of $150K from home sale | Naked Security blog

An email scam has caused $200,000 in losses to real estate agents and home buyers in Victoria | Smart Company

My Comments

Ordinary householders can be at risk of a “business email compromise” phishing attempt in the same way as staff in large businesses.

The business email compromise scam

This scam typically has the trickster research as much as they can about their victim and his or her employer or business partners. The person targeted is usually someone who can authorise or process business-sensitive transactions, or who handles business-sensitive data such as the payroll. The crooks find out whom that person answers to within the organisation, such as the chief financial officer, or outside it, such as the firm’s accountant, lawyer or the tax department.

Then they send the victim an urgent request, in the name of that person, to wire funds to a particular account. Or the victim may be asked to reply with organisationally-sensitive data such as employee records, typically in the form of a “wages and tax-withholding” statement like a W-2 (USA), P60 (UK and Ireland) or Group Certificate (Australia), which the crooks then use for identity theft and tax fraud against the business’s staff.

How can ordinary people get caught up in these scams?

Apartment block in Elwood

as can having that rental apartment managed by someone else

But this kind of email scam can similarly happen with personal transactions, especially those that are high-stakes and typically require the engagement of legal counsel. Key examples are the sale of real estate, businesses or investments.

Similarly, the probate settlement of a deceased estate or a property settlement after a divorce or separation could be at risk because these can involve a collection of items including high-value goods like real-estate or collectables. In that case, you are dealing with a real-estate transaction along with the valuation and sale of items.

It can also extend to transactions where you are delegating an agent to manage assets. Examples of these include trust funds typically for minor children, powers of attorney, or rental properties managed by a property manager or estate agent.

These transactions typically involve the frequent exchange of documents during the closure or settlement period while the transaction is being realised. They also involve dealing with different entities like conveyancers, law firms and estate agents. In addition, with electronic transaction technologies like online document signing, there will be many emails between the parties containing links to resources such as document repositories, document-signing platforms or results pages, so one more email with one more link does not stand out. Typically the crook has already been reading one party’s mailbox, so they know the names, the stage the deal is at and the timing. The parties are most vulnerable towards the end of the settlement period, when a last-minute change can be rushed in “under the radar”.

What can happen, for example, is that a fraudulent email “steers” the proceeds of a house sale away from the vendor’s account towards an account the crook controls. Or funds due to an estate’s beneficiary are steered to an account not under that person’s control.

What can you do?

Compose Email or New Email form

Protect yourself against this scam by practising safe email habits

To protect yourself, make sure everything about the transaction is properly “cut and dried” as it evolves. This includes identifying and documenting sources, currencies and destinations of any funds along with procedures affecting the high-stakes transaction at the start of the transaction. Especially be careful of last-minute changes that crop up towards the end of the settlement.

Protect the email accounts that are party to the transaction with the security measures the email service or client software offers. With Webmail services, turn on multi-factor authentication and always log in at the service’s known proper address rather than through a link in an email.

Carefully examine emails associated with the transaction to be sure they come from the proper email addresses, including the address replies would go to, not just the name shown. As far as links to online resources are concerned, know the proper domain name for each resource and check that the link actually points there: the visible text of a link can say one thing while its real destination is another, so check the destination (by hovering over it on a desktop computer) before you click. Attachments should be what their file type claims to be, and you may have to use your endpoint security software to scan them for malware-laden documents.

Similarly, make sure Word documents or Excel spreadsheets open in “Protected View”, where macros cannot run and the document can’t be edited. Only leave this mode (“Enable Editing”) for a document whose sender and purpose you have verified, for example when filling in a form or amending a spreadsheet, and never because the document itself tells you to.
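The link check described above, as an added example that is not code from the original post: it pulls every link out of an HTML email body, compares the domain the link text shows with the domain the link really goes to, and flags any destination outside the domains the parties agreed on at the start of the transaction. The allow-list, the sample HTML and the party names are constructed for the demonstration, and the “registrable domain” helper is a deliberate approximation of the Public Suffix List.

```python
"""Audit the links in an HTML email body against the agreed domains of the
parties to a settlement. Added example; allow-list and sample are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains written down at the start of the deal.
TRUSTED_DOMAINS = {"example-law.com", "example-esign.com", "example-realty.com.au"}

# Link text that looks like a URL or host name, e.g. "https://example-law.com/portal".
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Approximate 'registrable domain': last two labels, or last three under a
    two-part suffix such as .com.au. Real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    two_part = labels[-2] in {"com", "co", "net", "org", "gov", "edu"} and len(labels[-1]) == 2
    if len(labels) >= 3 and two_part:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str, trusted=TRUSTED_DOMAINS):
    """Return (finding, href) pairs for links a recipient should distrust."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append(("insecure_scheme", href))
        if host and registrable_domain(host) not in trusted:
            findings.append(("untrusted_domain", href))
        shown = URLISH.match(text)          # text pretending to be the destination?
        if shown and host and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(("text_href_mismatch", href))
    return findings


# Constructed sample: one deceptive link, one genuine one, one plain-HTTP one.
SAMPLE_HTML = """
<p>Please review the settlement statement:</p>
<a href="https://example-law.com.settlement-docs.net/login">https://example-law.com/portal</a>
<p>And sign the transfer here:</p>
<a href="https://sign.example-esign.com/d/7f3a">Sign the transfer</a>
<a href="http://example-realty.com.au/forms">Agent forms</a>
"""

if __name__ == "__main__":
    for finding, href in audit_links(SAMPLE_HTML):
        print(f"{finding:20} {href}")
```

The first link is the one to worry about: its text names the law firm, but the browser would go to settlement-docs.net, because the real registrable domain is the last part of the host name, not the first. Hovering shows this on a desktop; on a phone you usually have to long-press the link to see it.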

In some cases, a regular personal computer running desktop applications and Web browsers is a better device for this verification than a smartphone or tablet. The desktop software shows more detail, such as the full sender address and a link’s real destination when you hover over it, than its mobile equivalents do.

If someone changes their email or other contact details, confirm the change through another channel that you both already trust. Use the previous or alternate contact details for this confirmation, especially when many details change at once, such as through a change of employment.

You may have to double-check invoices, account numbers and the like directly with the other party especially if these details are changed. It is best to do this in person or on the phone using independently-verified phone numbers such as numbers you already have for them.

Avoid the use of untrusted networks like insecure public-access networks to do your sensitive business. Here, you may find that using a mobile-broadband connection and/or a VPN may work with this kind of business if you are away from home or office networks you can trust.

Be especially careful about creditors where the payment-destination account number, the payment method or the currency changes during the course of your business. There may be a legitimate reason, such as a creditor changing banks or accounts for something that suits their needs better. But an impostor could be steering the money you owe to an account under the control of the grifter who is impersonating them.

If the high-stakes transaction has any international dimension about it, don’t be afraid to seek consular help regarding any aspect of that transaction. It may mean talking with your country’s foreign-affairs government department or the embassy or consulate associated with the foreign country. This is now important with people relocating overseas while maintaining assets like homes in their own or other countries, or goods being purchased via the Internet from foreign sellers.

For example, participants of a transaction conducted across international borders can use consular help to verify each others’ identities. Similarly, they can organise official translation of any official documents that are part of the transaction and are in a language that one of the parties doesn’t understand. Or you simply may need to confirm the legitimacy of that transaction in the foreign country including any steps you need to take.

Conclusion

We as consumers can become vulnerable to the business-email compromise scam when we are dealing with high-stakes transactions like real-estate purchases. To protect yourself, it’s about secure computing and email practices along with making sure everything in the transaction is “cut and dried” including verifying changes through another communications path you trust.

Amnesty International reports on recent email phishing attacks

Article

How Hackers Bypass Gmail 2FA at Scale | Motherboard

Hacker spoofing bypasses 2FA security in Gmail, targets secure email services | ZDNet

My Comments

Recently it was revealed that attackers were phishing users of Webmail and secure email services in a way that defeated the two-factor authentication those services offer.

Amnesty International found that this campaign, believed to be state-sponsored, was aimed at journalists, human-rights defenders, non-government organisations and their allies in the Middle East and North Africa over 2017 and 2018. The targets were using Gmail and Yahoo Mail, and the Protonmail and Tutanota secure Webmail services; it was their accounts, not the services, that were compromised. Webmail appeals to this user base because it offers a client-independent, portable email front that works from any browser, but that is exactly what a look-alike login page imitates.

What was going on was that a phishing page asked for the user’s email address and password, and the attackers’ back-end immediately used them to log in to the real service. That real login triggered the service’s two-factor routine, which texted a one-time code to the user’s phone. The fake page then asked for that code, the user transcribed it from the SMS, and the attackers relayed it to the real service within its validity window. Once in, they created an “app password”, the kind normally issued for third-party mail clients, which let them keep reading the account without going through two-factor authentication again.

Yes, the fake pages were served over HTTPS, so the browser showed the “green padlock” and the user assumed they were safe. But the phishing was done from domain names that sounded and looked like the real ones, each with its own valid certificate.

This exploited what the padlock actually means: the connection is encrypted and the certificate matches the domain shown in the address bar. It says nothing about whether that domain is the one you meant to visit, and that gap is the breeding ground for phishing.

The other weakness called out was the need for the user to transcribe a one-time code from an SMS message, software token app or hardware token: anything a user can read and type can be phished and relayed within the code’s validity window. This was aggravated by app passwords, which let the attacker turn a one-off intrusion into persistent access. The preferred secure 2FA solution is a security key kept in the user’s possession that connects to the host device via USB, Bluetooth or NFC. Its protection comes from origin binding: the key’s response is computed over the domain the browser is actually on, so a response obtained on a look-alike site is useless at the real one.
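The exchange described above, as an added simulation that is not code from Amnesty’s report or the original post: a toy Webmail service with a password, an SMS-style code and an app-password feature; a phishing relay that replays whatever the victim types; and a security key whose response is bound to the origin the browser reports. The service, both domain names, the account and the use of an HMAC secret in place of the key’s public-key signature are all constructed for the demonstration.

```python
"""Real-time 2FA phishing relay versus an origin-bound security key.
Added example; everything here is a constructed stand-in, stdlib only."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://mail.example.com"   # constructed: the genuine Webmail site
FAKE_ORIGIN = "https://mail.examp1e.com"   # constructed: look-alike domain, valid TLS cert


class SecurityKey:
    """Stand-in for a FIDO U2F / WebAuthn authenticator. A real key signs with a
    per-site private key; a shared HMAC secret plays that role here (assumed, to
    stay stdlib-only). The property that matters is kept: the key signs over
    the origin the *browser* reports for the page it is on."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, origin, challenge):
        client_data = origin.encode() + b"|" + challenge
        return client_data, hmac.new(self.secret, client_data, hashlib.sha256).digest()


class WebmailService:
    """Toy service: password, then either an SMS-style code or a security key.
    Also issues 'app passwords' that bypass the second factor."""

    def __init__(self):
        self.passwords, self.keys, self.app_passwords = {}, {}, {}
        self.pending_codes, self.challenges = {}, {}

    def register(self, user, password, key=None):
        self.passwords[user] = password
        if key is not None:
            self.keys[user] = key.secret        # the registered credential

    def check_password(self, user, password):
        if self.passwords.get(user) != password:
            return False
        # Correct password: "text" a fresh six-digit code to the user's phone.
        self.pending_codes[user] = f"{secrets.randbelow(10**6):06d}"
        return True

    def check_code(self, user, code):
        return self.pending_codes.pop(user, None) == code

    def issue_app_password(self, user):
        token = secrets.token_hex(8)
        self.app_passwords.setdefault(user, set()).add(token)
        return token

    def check_app_password(self, user, token):
        return token in self.app_passwords.get(user, set())

    def key_challenge(self, user):
        self.challenges[user] = secrets.token_bytes(32)
        return self.challenges[user]

    def check_key(self, user, client_data, signature):
        origin, _, challenge = client_data.partition(b"|")
        if origin != REAL_ORIGIN.encode():      # origin binding: the whole point
            return False
        if challenge != self.challenges.pop(user, None):
            return False
        expected = hmac.new(self.keys[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class PhishingRelay:
    """The attacker's look-alike site. Everything the victim types is replayed
    to the real service straight away, inside the code's validity window."""

    def __init__(self, service):
        self.service, self.app_password = service, None

    def victim_enters_password(self, user, password):
        return self.service.check_password(user, password)   # real SMS goes out

    def victim_enters_code(self, user, code):
        ok = self.service.check_code(user, code)
        if ok:  # persist access the way the real attackers did
            self.app_password = self.service.issue_app_password(user)
        return ok

    def victim_taps_key(self, user, key):
        challenge = self.service.key_challenge(user)
        client_data, sig = key.sign(FAKE_ORIGIN, challenge)  # browser reports the fake origin
        return self.service.check_key(user, client_data, sig)


def run_simulation():
    """Report which attacks succeed. Constructed account and password."""
    service, key, user = WebmailService(), SecurityKey(), "reporter@example.org"
    service.register(user, "correct horse battery", key)
    relay = PhishingRelay(service)

    relay.victim_enters_password(user, "correct horse battery")
    sms_code = service.pending_codes[user]          # what arrives on the victim's phone
    otp_relayed = relay.victim_enters_code(user, sms_code)
    persisted = service.check_app_password(user, relay.app_password)

    key_relayed = relay.victim_taps_key(user, key)
    genuine = service.check_key(user, *key.sign(REAL_ORIGIN, service.key_challenge(user)))
    return {"otp_relay_succeeds": otp_relayed, "app_password_persists": persisted,
            "key_relay_succeeds": key_relayed, "key_at_real_origin": genuine}


if __name__ == "__main__":
    print(run_simulation())
```

The SMS code is accepted because the service cannot tell who typed it; the key’s response is rejected because the origin inside the signed data is the look-alike domain, and the app password keeps working after the victim changes nothing but notices nothing. Revoking app passwords and sessions is therefore part of recovering such an account, not just changing the password.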

Most of us can easily relate this process to using an ATM to take cash out of our account or a payment terminal to pay for goods or services using our plastic cards. Here, to facilitate the transaction, you have to present your card by inserting it in or touching it on an identified spot on the ATM or payment terminal then enter your PIN number in to the same machine.

Extended Validation SSL site as identified on Microsoft Edge – notice the organisation’s legal name appearing in green text

The Websites that high-risk end-users rely on can use Extended Validation (EV) or Organisation Validated (OV) certificates, along with other measures, to give users another way to check that the site they are visiting is the correct one. EV involves stricter vetting of the organisation behind the certificate before it is issued; it does not make the encryption any stronger, because the cipher suite is negotiated independently of the certificate type. Browsers used to show a green bar along with the usual padlock icon, with the organisation’s legal name written in the address bar before the URL. An OV certificate also carries the organisation’s legal name, but browsers only show it in the certificate details, not in the address bar. And recent Chrome and Firefox versions have dropped the green highlighting and moved the EV name into the page-info panel behind the padlock, which weakens the cue further.

This also includes the organisations keeping tabs on their Internet “real estate” of domain names to identify typosquatting risks and, perhaps, making further “land grabs” of domain names if they can afford it. This is in conjunction with efforts like what Amnesty International was doing with Protonmail and Tutanota, where they are made aware of fake sites and given legal assistance to take them down.
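One way an organisation can keep tabs on that “real estate”, as an added example that is not code from the original post: generate the look-alike domains a phisher would register for a brand name (dropped, doubled and swapped letters, look-alike characters, hyphenation, added words and other top-level domains) so they can be checked against registrations or registered defensively. The brand names, substitution tables and word list are constructed; real tools such as dnstwist do this far more thoroughly.

```python
"""Generate look-alike (typosquat) candidates for a brand domain.
Added example; the substitution tables below are a constructed, small subset."""

HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "e": "3", "a": "4", "s": "5", "g": "q"}
MULTI = {"m": ["rn", "nn"], "w": ["vv"], "cl": ["d"], "d": ["cl"]}
ADDED_WORDS = ("secure", "login", "mail", "support")


def typosquat_candidates(domain, tlds=("com", "net", "org", "co", "email")):
    """Return the set of look-alike domains for `domain`, excluding the genuine one."""
    name, _, tld = domain.lower().rpartition(".")
    variants, n = set(), len(name)
    for i in range(n):                       # omission and doubling of one character
        variants.add(name[:i] + name[i + 1:])
        variants.add(name[:i] + name[i] + name[i:])
    for i in range(n - 1):                   # transposition of adjacent characters
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i, ch in enumerate(name):            # single look-alike characters
        for sub in HOMOGLYPHS.get(ch, ""):
            variants.add(name[:i] + sub + name[i + 1:])
    for seq, subs in MULTI.items():          # "rn" for "m", "vv" for "w", ...
        if seq in name:
            for sub in subs:
                variants.add(name.replace(seq, sub))
    for i in range(1, n):                    # "proton-mail"
        variants.add(name[:i] + "-" + name[i:])
    for word in ADDED_WORDS:                 # "protonmail-login"
        variants.add(f"{name}-{word}")
        variants.add(f"{word}-{name}")
    variants.discard(name)
    variants.discard("")
    candidates = {f"{v}.{tld}" for v in variants}
    candidates |= {f"{name}.{t}" for t in tlds if t != tld}   # genuine name, other TLD
    return candidates


def is_lookalike(candidate, brand_domains):
    """True when `candidate` is one of the generated look-alikes of any brand."""
    candidate = candidate.lower()
    return any(candidate in typosquat_candidates(b) for b in brand_domains)


if __name__ == "__main__":
    brands = ("example.com", "protonmail.com")     # constructed brand list
    for b in brands:
        print(b, len(typosquat_candidates(b)), "candidates")
    for d in ("examp1e.com", "protonrnail.com", "example.com"):
        print(d, "->", "look-alike" if is_lookalike(d, brands) else "not flagged")
```

The same function can sit on the inbound side too: a mail filter that flags any sender or link domain found in the generated set for the organisation’s own brands catches most of the domains a phisher would actually register. What it cannot catch are unrelated domains that merely carry the brand as a subdomain, which is why the earlier check on where the registrable domain ends still matters.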

Then browsers and similar user agents could highlight domain names in a more distinct manner so users know where they are. This would be more important with email clients or browsers implemented on “reduced-user-interface” platforms like mobile operating systems. As well, end-users in high-security-risk groups could be trained to know the domains associated with the Websites they visit. Mobile browsers pitched at smartphones could also implement a way to show the organisation’s legal name on the user interface, such as a caret-identified drop-down that comes alive with Organisation Validated or Extended Validation certificates.

Webmail-based user interfaces and similar high-risk online services could move towards “transcription-free” two-factor authentication like FIDO U2F / WebAuthn security keys, including platform authenticators built in to mobile devices, to provide a login that cannot be relayed from a look-alike site.

Similarly, token-based authentication such as OAuth 2.0 could be the way to go for app-to-service authentication, especially as we use native-client software to interact with online services. This avoids the creation of persistent “app passwords” that bypass the second factor to facilitate native client access. I would see this as something to investigate as part of working towards secure client-based email setups, especially as client-based email provides a platform-native user interface for your email.

Each of these approaches has to be looked at in a manner to work with small and medium organisations who don’t have their own IT staff. This is more so as this class of organisation sees itself as “grown up” when it uses cloud-based line-of-business software. The issue here is to assure that authorised users have secure access to the proper service they are authorised to use.

This situation that Amnesty International raised could also bring forward the idea of non-profit entities that underscore data security for independent media and civil society. Here, it could be about extending and bolstering the Electronic Frontier Foundation’s efforts or building up legal-action funds and lawyer teams to provide legal remedies against cyber-attacks.

What is now being realised is data security has now become a human-rights issue rather than an economic necessity.

Spear-phishing doesn’t necessarily involve links or attachments

Article

Snapchat, Seagate among companies duped in tax-fraud scam | Mashable

My Comments

Compose Email or New Email form

Spear-phishing email doesn’t necessarily have to have links or attachments

An issue that has come to light lately is spear-phishing where an email is sent to particular departments within a business to extract critical financial or other information from that business.

This recently happened to a number of American businesses including Snapchat and Seagate where the human-resources departments were told in an “official manner purporting to be from the CEO” to turn out W-2 tax forms about their employees.

For those of you in countries other than the USA, this is a statement provided by your employer which states what you earned including the taxes that are withheld and would be known as a P60 in the UK and Ireland or a Group Certificate in Australia. When in the wrong hands, these statements can be a goldmine of data that can be useful for identity theft and tax fraud.

But this differs from a garden-variety phishing attack because there is no Website to visit via a link and no attachment to open. Instead the victim is asked to prepare the information in a specified file format and send it as an attachment to their reply, so link-scanning and attachment-scanning defences have nothing to catch.

What was highlighted was that the spear-phish email used the look of official company correspondence such as use of the company’s trade dress (logos, colour scheme, typography) and disclaimers associated with such correspondence. As well, such emails appear to come from someone high up in the business. The spear-phishers were able to identify “who’s the boss” by performing Google or LinkedIn searches and this data could simply be found on “About Us”, shareholder-information or similar pages on a company’s public-facing Website. Such correspondence also can surface at certain seasons like holiday seasons, tax-filing seasons or special events.

This is a classic form of social engineering, and the staff fell for it through ordinary human error rather than vigilance. If they see an email with an important request from their boss, they act on it forthwith, as business life expects. This is similar to the classic distraction-burglary or burglary-artifice scam where a householder is pressured into letting people who look like officials into their home and these bogus officials commit crimes against the household. It can affect small businesses as well as larger businesses and organisations, because such a request could also come from the business’s owner, a franchisor (in the case of franchised businesses) or someone else higher up in the business’s food chain.

A similar scam, known as “whaling”, targets business owners, managers and other known organisational figureheads with email purporting to come from partners, suppliers and service-providers like your landlord, or officials such as the taxman or Trading Standards. It has the same effect as spear-phishing: you are tricked into divulging sensitive information. This situation can affect businesses and organisations of all sizes, from the small pizza shop on the corner to the large business in town.

The red flags to be aware of with spear-phishing or whaling are: whether the request is out of the ordinary for your business or for normal business practice; whether the domains of the “From” and “Reply-To” addresses match the known domains for the business (a message can show the boss’s name and even the right address in the “From” line while replies go to an outside address); and whether the writing style reflects the purported sender’s style or the accepted norms for business correspondence in the locale.

But most importantly, verify the facts from the horse’s mouth. This means sending a separate email to the proper source at the address you know them to be at or, preferably, making a phone call to check those facts. It is more important if the request happens to come “out of the blue”.
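The domain red flags above, turned into a check an organisation’s mail gateway or an individual could run over a message before anyone acts on it. This is an added example, not code from the original post: it compares the “From”, “Reply-To” and “Return-Path” addresses with the organisation’s known domains and staff directory, flags look-alike domains by edit distance, and notes when a request arrives with no link and no attachment at all. The company domain, the directory and both sample messages are constructed.

```python
"""Sender-header checks for a request email. Added example; the domains,
directory and sample messages are constructed for the demonstration."""
import email
from email import policy
from email.utils import parseaddr

KNOWN_DOMAINS = {"example-corp.com"}                       # constructed
DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}      # constructed: name -> real address

# Constructed: correct From line, but replies go to a look-alike domain.
SAMPLE_REPLY_TO = """\
From: Jane Doe <jane.doe@example-corp.com>
Reply-To: Jane Doe <jane.doe@examp1e-corp.com>
Return-Path: <bounce@examp1e-corp.com>
Subject: Urgent - W-2s for all staff
Date: Mon, 29 Feb 2016 08:12:00 -0800
Content-Type: text/plain; charset="utf-8"

Hi, I need the W-2 forms for all employees as a PDF. Reply to this email
with them attached before my 10am meeting. Thanks, Jane
"""

# Constructed: the boss's display name over a free-mail address.
SAMPLE_FREEMAIL = """\
From: Jane Doe <janedoe.ceo@webmail-example.net>
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need you to handle a payment for me today.
"""


def edit_distance(a, b):
    """Levenshtein distance, two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def sender_findings(raw, known=KNOWN_DOMAINS, directory=DIRECTORY):
    """Return the set of red-flag codes raised by the message headers and body."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", from_addr)))
    _, return_addr = parseaddr(str(msg.get("Return-Path", from_addr)))
    findings = set()
    for label, addr in (("from", from_addr), ("reply_to", reply_addr), ("return_path", return_addr)):
        d = domain_of(addr)
        if d and d not in known:
            findings.add(f"{label}_outside_known_domains")
            if any(0 < edit_distance(d, k) <= 2 for k in known):   # examp1e-corp vs example-corp
                findings.add(f"{label}_lookalike_domain")
    if domain_of(reply_addr) != domain_of(from_addr):
        findings.add("reply_to_differs_from_from")
    expected = directory.get(from_name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.add("display_name_address_mismatch")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    has_link = "http://" in body or "https://" in body
    has_attachment = any(part.get_filename() for part in msg.walk())
    if not has_link and not has_attachment:
        findings.add("no_link_or_attachment")   # nothing for a scanner to catch
    return findings


if __name__ == "__main__":
    for name, sample in (("reply-to", SAMPLE_REPLY_TO), ("free-mail", SAMPLE_FREEMAIL)):
        print(name, sorted(sender_findings(sample)))
```

Note that “no_link_or_attachment” is information, not a clean bill of health: it is precisely the shape of the W-2 requests described above, and it is the cue to pick up the phone. The directory lookup matters because a convincing display name is free for the attacker; only the address behind it can be checked.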

As well, be wary of out-of-the-ordinary correspondence you receive by email around the critical occasions like tax time.

Once you know what is in the norm for your organisation and industry, you should then rely on your “sixth sense” to identify if something is suspicious and report it straightaway.

A timely reminder to beware of suspicious emails in your inbox

Windows Live Mail client-based email interface

Slow down when you check those emails so you are safe

Increasingly people are receiving emails that are dangerous to their personal or business security.

This happens during November and December, especially between Thanksgiving in the USA (the fourth Thursday in November) and Epiphany (January 6), when there is a lot of Christmas-driven communication and most, if not all, of us are thinking about Christmas, including the shopping offers that come through at this time. These emails are crafted to “get at” the user and take control of their computing equipment or data.

Over this past weekend, some friends of mine from church had approached me about email issues and I had found out that the husband fell victim to a phishing attack against his Outlook.com Webmail account with it ending up being used to send spam messages. Here, I visited these friends on Monday night for dinner and to help him change his account’s password and report it as being compromised. Then a close friend of his rang him about receiving the Australia Post phishing emails and I suggested to that friend to delete that email immediately.

One example is to supply malware as an attachment, typically disguised as a compressed archive (a “file of files”) or a malformed document file, or to direct users to pick up the questionable software at a Web link. The idea is to get users to install software of questionable provenance on their computer so that it becomes part of a large botnet intended to wreak havoc on other computer users, steal your personal or business information, or extort money from you.

Another example is a link that sends users to a forged login or other customer-interaction page for a Webmail, banking, social-network or similar online service to steal their personal details. This is typically to steal the user’s money or identity, create a bank account or similar financial account for laundering ill-gotten gains, or use an email mailbox and contact list to send further spam to other computer users.

The email is suspicious if

It is out-of-character with the sender

This may reflect a situation that you know the sender is not in, such as them or their business being in dire financial straits. It may also simply be an email of a kind they don’t normally send.

Contains nothing but enticing “click-bait” text

You may find some enticing text written in the Subject line or in the body of the message that gets you to either open the attachment or click on that link.

Urges you to open it or click on the link under pain of losing service continuity or something similar

Looks very official and has copy that threatens you that you will lose access to your funds or continuity of a service you use, or something similar; and requires you to click on a link in that message to take action to remedy the situation. This may also be about the pending arrival of a parcel or some funds and you have to click on a link or open an attachment to print out a “claim form”.

What to do?

Do not click on the links in that email or open the attachment

Under no circumstances should you click on any links in the suspicious email or open any attachment that is part of that email.

Check the email out

In the case of a personal email, check the email address that purports to be in the name of your contact to see if it is one that you and your contact regularly use. Here, some people may operate a business email address alongside a personal email address and you need to confirm these addresses through conversation, business collateral that they supply, amongst other things.

In the case of a business email, check to see if the email looks as though it genuinely represents that organisation. If the email is requiring you to do something to assure “continuity of service”, access to funds, etc. contact that business directly using their customer-service number or email.

One obvious red flag is a contact from a bank or other business you don’t do any business with. Another red flag is an email that isn’t addressed to you personally but uses a generic “all-call” salutation like “Dear Customer”. Yet another is the quality of the document. Here, you look at whether the email uses the company’s current “trade dress” such as current logos, colour schemes and the like. As well, you look at whether the quality of the document reflects what is expected of a business document coming from the company’s location of business, such as spelling, grammar, punctuation, etc.

Sometimes what appears in the “To” list may be contacts, including “virtual contacts” which represent a cluster of email addresses, whom you don’t have anything to do with. This is also a sign of a suspicious email.

Check with the sender

If you receive an email from a contact of yours which appears to be out-of-character with them, contact them about that email. You must do this not by replying to that email but by either calling them on the phone, sending an SMS or instant-messaging message to them or sending a separate email to them.

If it is business-related like correspondence from your bank or other organisation, log in to the business’s Website yourself using its commonly-published or commonly-known Web address. Here, you type the address in to your Web browser’s address bar or, if you do regular business with the site, use the bookmark or favourite link you have created for it. As well, it may be worth contacting the organisation on their published phone number to check the veracity of that email. You may find this number in the regular business correspondence you have from them, in the telephone directory or on the organisation’s own Web page; never use a number printed in the suspicious email itself.

Report the email then delete it

If you are using your Webmail provider’s Web-based user interface, you may have an option to report that email as spam, hacking, fraud or something similar. If you are using a client-based email setup, forward the email as an attachment, so the original headers are preserved for the investigators, to the address your ISP or email provider has set up for reporting email abuse or fraud.

Business users who work for a company that has an in-house or contracted IT team should let that IT team know about the suspicious email. This will also apply to those of us who study at a school or university which has its own IT team.

As well, if the email appeared to be in the name of the bank or other organisation, look on the organisation’s Website for a “report fraud” link or email and use that to report the fraudulent emails that you received. Here, they can engage local or national law enforcement to take further action especially if the behaviour is consistent.

Then delete the fraudulent email immediately.

Security tips

  • Keep the computer’s operating system and application software up-to-date with the latest patches
  • Make sure you are running a good anti-malware utility and that it is updated frequently and regularly. It may also be a good practice to run a full scan with this software
  • Make sure that you have strong and preferably unique passwords on your online services
  • Make sure that your home network hardware is on the latest firmware and has strong non-default passwords.
  • Consider using a password manager program or service. As well, it may be worth it to implement a two-factor authentication setup on your online services with your smartphone showing a key number as a “second factor”.
  • As well, you may find that if you have an account with a major online service like a Microsoft service or one of the popular social networks, you have the opportunity to use single sign-on. This may be worth using with games, forums, comment functionality, online music or similar services so you don’t have to work out extra passwords. But that one account then becomes the key to all of them, so it needs a strong unique password and two-factor authentication more than any other.
  • Back up the data you created yourself using your computer to a NAS and/or USB hard disk and preferably make a separate copy of this backup in a separate location
  • Only visit Websites and online services that are known to be reputable

Malaysia Airlines air disaster–another event bringing out the online scams

Article

Fake Malaysia Airlines links spread malware | CNET News

My Comments

Every time there is a major event that affects many people or brings out mass intrigue, a computer-security situation climbs on to that event’s tail.

What happens is that Websites with a questionable motive pop up like nobody’s business and links to these sites appear in spam emails or on the Social Web. The “link-bait” text draws people to these sites, which are laden with malware or set up to harvest Web-surfers’ personal or financial information for questionable purposes. The Malaysia Airlines air disaster drew out its own link-bait in the form of fake news links that purported to lead to video footage of the plane being discovered or survivors being found.

A proper practice is to keep the software on personal and other computer equipment “lock-step” with the latest software updates and patches and simply to “think before you click”. This is more so with anything that appears “too good to be true” or “out of the norm” for that situation.

Facebook users also have to be careful about the “fake events” which are being used as a spam-distribution vector. Here, as I previously covered, this causes notifications to appear in the user’s Facebook Notification list with your computer or mobile device popping up messages and sounding an audible alert to these notifications if a Facebook client is running. As well, if a user accepts these events, information appears on their Timeline about that event.

Computer security is about trusting your instincts

Article

Festive season security myth: "If there are no links in an email, it can’t be a phish." | NakedSecurity Blog

My Comments

Part of educating people about computer security is getting them to think before they click. It is about being careful when responding to emails and Websites of doubtful provenance so you don’t become a victim of a scam or find your computer full of malware.

For example, phishing scams initially used links in the email as the hook to get people to “verify” their accounts or take similar action. But they now use “loaded” attachments, with the body of the email having no links or HTML, to avoid being rejected by the security tools built in to email clients and to get around the public education about links in phishing emails. The hook in these situations is the attachment, crafted to exploit weaknesses in the viewing software or to carry links to Web resources, as described below.

PDF files carry their own dangers because they can be crafted to exploit the reader software, can carry scripts and actions that run when the file is opened, or can simply contain links to Web resources. This is compounded by the fact that not all PDF reader software handles Web links the way a Web browser does. For example, many of these programs don’t show the link’s destination when you hover over or dwell on it before you click.

I would personally like to see PDF and similar document viewers support the ability to link with “website-reputation” engines like what Symantec and other security-software vendors offer and show graphics that indicate if a link you are hovering on is safe or not. Similarly, search engines, website reputation agents, security scanners and similar tools could also examine PDF files for abnormal construction and questionable links.
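A first pass at the kind of examination described above, as an added example that is not code from the original post: it scans the raw bytes of a PDF for the names that give a document active behaviour (open-time actions, JavaScript, launch actions, link actions) and pulls out the link targets so they can be checked before anything is clicked. The minimal PDF skeleton is constructed for the demonstration and is not a complete, renderable file. Only uncompressed objects are visible this way, which is why the scan also counts compressed and object streams where actions could be hidden; this is the same idea as Didier Stevens’ pdfid tool, which a practitioner would use for real.

```python
"""Scan a PDF for link actions and active content. Added example; the sample
document is a constructed skeleton, and the scan only sees uncompressed objects."""
import re

# Constructed: one link annotation to a look-alike host, plus JavaScript that
# runs when the document opens.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [10 10 190 90]
   /A << /S /URI /URI (https://secure-login.examp1e-bank.net/verify) >> >>
endobj
5 0 obj
<< /S /JavaScript /JS (app.alert('Please confirm your account details')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# PDF names that turn a document into something that acts.
RISKY_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/URI", b"/SubmitForm", b"/EmbeddedFile", b"/RichMedia")


def scan_pdf(data):
    """Count risky names, extract literal-string link targets, count streams
    that could hide more of the same."""
    counts = {}
    for name in RISKY_NAMES:
        # A PDF name ends at the next delimiter, so "/JS" must not match "/JSx".
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
    uris = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\((.*?)(?<!\\)\)", data, re.S)]
    return {
        "counts": counts,
        "uris": uris,
        "compressed_streams": len(re.findall(rb"/FlateDecode", data)),
        "object_streams": len(re.findall(rb"/ObjStm", data)),
    }


def verdict(report):
    """One-line advice from the scan result."""
    c = report["counts"]
    if c["/JavaScript"] or c["/JS"] or c["/Launch"]:
        return "active content: open only in a sandboxed viewer, if at all"
    if report["uris"]:
        return "contains links: check each host before clicking"
    if report["compressed_streams"] or report["object_streams"]:
        return "nothing visible, but compressed objects could hide actions"
    return "no links or active content found"


if __name__ == "__main__":
    report = scan_pdf(SAMPLE_PDF)
    print(report)
    print(verdict(report))
```

The link in this sample points at a host whose name contains a digit one in place of an “l”, the sort of thing the reader’s hover text, where it exists at all, is too small to show clearly. A quiet scan result is still not proof of safety: a real malicious document will usually keep its actions inside FlateDecode streams, which this pass only counts.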

Instead, we have to do a “reality check” regarding these emails. For example, are the emails from a company whom you have had business with or part of ongoing business with that company? Are you expecting an email to come through with attachments? Do they contain a lot of poor spelling or grammar or aren’t commensurate to the language they are meant to be written in? Do they reflect the tone of what the business and its industry is about? Simply, does the context sound too “out of this world” to be real?

This also applies to any offers provided through instant-messaging or social-network channels including the Facebook “fake-event” scams that are popping up as I have mentioned before.

But for the moment, are you sure that the link or attachment you are to click on is kosher before you click on it?

Mobile Users Becoming More Susceptible to Phishing Scams

Article

Mobile Users More Susceptible to Phishing Scams – www.enterprisemobiletoday.com

My comments

Why are mobile (smartphone and tablet-computer) users more susceptible to phishing scams?

The main reason is that the operating interface on the mobile computing devices is totally different to the operating environment on a desktop or laptop computer.

One main reason is that most of these devices don’t have a large display area in their Web browsers or email clients due to them having smaller display screens. This leads to the software designers designing a “clean and simple” user-interface for software pitched at these devices with minimal controls on the interface; which eliminates such concepts as fully-qualified email addresses and URLs. A lot of these devices even conceal the address bar where the user enters the URL of the page to be visited unless the user directly enters a URL that they intend to visit. Similarly, the email client only shows the display name for the incoming email, especially in the commonly-used “list-view”.

It is also aggravated by the lack of a “B-option” interface in a mobile operating system. This is compared to what is accepted in a desktop operating environment with functions like right-clicking with a multi-button mouse, or using Ctrl-Click on a Macintosh with a single-button mouse, to gain access to a context-sensitive secondary menu. Similarly, most scientific calculators have a [SHIFT], [2nd] or [INV] key that modifies the function of the formula buttons, either to gain access to the inverse of a formula or to obtain another formula.

Such an option would allow the user to select a “function” button before selecting the option or displayed item in order to open a context-sensitive secondary-function menu or select a secondary function.

This discourages users from checking the URL they intend to click on in an email or the fully-qualified email address for an incoming email.

What could be done?

The Web browser and email client could support “phish detection” which provides a highly-visible warning that one is heading to a “phishy” Web site or receiving a suspicious email. This function is provided in just about every desktop email client that most of us use but could be implemented in a mobile email client as well. Similarly, an email service could integrate filtering for phishy emails as part of its value-added spam-filter service.

There could even be the ability to have a “magnifying glass” touch button on the browser or email-client user interface which, when selected before you select an email address or URL, would show the fully-qualified email address or URL as a “pop-up”. This would have the domain name emphasised or written in a distinct colour so you know where you are going. This same interface could also be in place if one enters a URL directly in to their Web browser.

The mobile browsers could also support the Extended Validation SSL functionality through the use of a distinct graphic for the fully-validated sites. As well, a wireless-broadband provider or Wi-Fi hotspot could offer a “phish-verify” proxy service so that users see a “red flag” if they attempt to visit a phishy Website, similar to what happens in Internet Explorer when a user visits a suspicious Website. This is similar to how some mobile providers warn that you are heading to a website that isn’t part of their “free-use” Website list, and they could integrate this logic in to those proxy servers.

Conclusion

In general, the industry needs to look at the various user scenarios that are, or are likely to be, in place to improve secure Web browsing and email. Then they have to enable user-experience measures that allow the user to verify the authenticity of Websites and emails.

This is more so as small-screen handheld devices end up as the principal Web user interface for people who are on the move. It will also become more so as the “10-foot” TV interface, with its large screen with large text and graphics, D-pad navigation and use by relaxed and mostly-tired viewers on comfortable furniture, becomes a mainstream “lounge-room” interface for the Web.