IT Technology Services New Orleans


Don’t Get Hooked by a Phishing Scam


Email, texts, and other forms of digital communication are an integral part of your daily life. Cybercriminals know this and are lurking on nearly every platform, counting on you to fall for phishing scams hook, line, and sinker.

Phishing is when scammers masquerade as reputable companies or individuals and use phone calls, email, direct message, or text message to lure you into sharing your sensitive personal information, like usernames, passwords, and bank account or credit card details. They might also use email attachments to secretly invade your computer via software or malware and steal confidential information directly.

As technology becomes more advanced, so do phishing attacks — both in their level of sophistication and in number. According to the Anti-Phishing Working Group, an international coalition focused on fighting cyber crime, the number of phishing schemes discovered during the first quarter of 2018 increased 46 percent over the fourth quarter of 2017.

Many businesses, from e-commerce retailers to financial institutions to email providers, use the latest technology to fight back against fraudsters. You can be part of the battle as well — by using low-tech surveillance to sniff out the scam.

To protect yourself against a phishing attack, always be on the lookout for these red flags in any messages you receive:

  • A sense of urgency
  • An unknown sender
  • Request for action
  • An unsolicited offer

Now it’s time to test your knowledge.

Can you catch a phisher in the act? Take a look at the following potential red flags. Which ones sound (or smell) phishy? The answers are revealed at the end.

1. You receive an email with the subject line, “Banking Alert: Need to Transfer Funds Immediately or Be Subject to Fee.” And the message itself is written in the same alarmist tone.

2. The sender’s name is the top executive of your bank and their email address is YourCEO@mycommunitybank.com.

3. Someone calls with the offer to increase your credit limit. To receive the boost, you’re asked to provide your account number.

4. An email informs you that an unauthorized person tried to access your account and you must click on the included link to reset your password.

5. An email from an e-commerce site you frequent about a problem with your payment has numerous misspellings.

6. Your bank sends you a text asking you to confirm your checking account number.

7. A financial planner emails from the company where your 401(k) is invested, but there’s no contact information or email signature.

8. A text informs you that your account has been suspended and to reinstate it, you must reply with your account login credentials.

9. You receive an email from someone you don’t know requesting you to download an attachment.

10. An email from an online payment service informs you of a discrepancy with your account. To rectify the situation, you need to click the included link and log in to your account.

11. A bank sends you an email informing you of an inheritance from a deceased relative and that you must contact them to claim it.

12. A message invites you to download a shared document from Dropbox or to view one on Google Docs.

If you answered “phishy” to each one of these, you’re correct. We’re not out to trick you, so we wanted to provide you clear examples of what you might experience when being targeted by a phishing scam.

Curious to know more about each scam? Here’s a bit more about how these schemes work, how to spot the warning signs and ways that you can maintain your privacy.

1. Scammers bet that a sense of urgency and alarmist tone will cause you to freak out and do what’s asked of you immediately.

2. An email or voice message has more credibility when someone in a powerful position sends it. That’s why fraudsters imitate authoritative figures. The wonky email address, however, is a dead giveaway.

3. If a legit financial institution is offering you a credit limit increase, they have access to your account. You don’t need to provide them the details.

4. You should always be wary when asked to click on a link in an email. To determine whether a URL is real or fake, hover over the link with your mouse. If the URL differs from what you know it to be or what appears in the email — any slight misspelling or tiny change matters — don’t click.

5. Businesses always put their best foot forward. So bad grammar and misspellings are dead giveaways that an email is fake.

6. Think about it: Your bank created your account number. It never needs you to confirm it.

7. Legitimate businesses always provide contact information, so a lack of details should make you suspicious.

8. Reputable businesses never suspend customer accounts out of the blue or ask customers to share their login credentials.

9. Scammers use attachments to transfer dangerous viruses and malware to your computer. Malware can spy on you or steal your passwords without your knowledge. To keep your personal information private, only open attachments you are expecting — even if they’re sent by someone you know.

10. It’s unlikely that a legitimate payment service or financial institution is going to ask you to click a link to log in. Before clicking, test any link by hovering your mouse over it. If it looks strange, don’t click. Or type the address directly into a new window and look for its secure certificate.

11. This one is pretty easy to see through. If a family member has died, you’re probably going to know about it already. (Why would your bank know before you?)

12. Sharing documents via an external storage or cloud system is more common than ever, making it an appealing target for scammers. If you frequently use one of these storage systems, protect your account with two-step verification.

Phishing poses a significant threat to your personal information and knowing how to ID a phishing attack is often the best defense.

After all, if you fail to take the bait, the phisher will swim on.

 

We Left the Internet Vulnerable to Hackers. Now We’re Paying the Price.


On the day (perhaps not long from now) when the entire internet crashes, no one will be able to say that we didn’t see it coming. The denial-of-service attack on the morning of Oct. 21—which shut down Twitter, Spotify, Netflix, and a dozen other websites—offers a preview, in miniature and against relatively trivial targets, of how the day of doom might unfold.

By Fred Kaplan

Fred Kaplan is the author of Dark Territory: The Secret History of Cyber War.

In the attack, someone (identity as yet unknown) flooded Dyn DNS—a New Hampshire–based firm that operates as the internet’s switchboard—with so many online messages that its circuits overloaded, shutting down not only its own services but those of the other sites as well, at least for several hours.

The weapons amassed for this attack were, literally, toys—baby monitors, music servers, web cameras, and other home devices that connect to one another, automatically sending and receiving data through the internet. Hence the name of this emerging network—the Internet of Things. The saboteur had hacked into hundreds of thousands of these devices and infected them with malware, so that, at a designated moment, all of them sent messages to the real target—in this case, Dyn DNS—and shut it down.

The malware was simple: a program called Mirai, which, in the words of an alert sent out by the Department of Homeland Security, “uses a short list of 62 common default usernames and passwords to scan for vulnerable devices.”

This is what few consumers have understood about the Internet of Things: All of these nifty devices are computers with, in some cases, quite powerful data processors. And, like all computers, their operating systems are preprogrammed with usernames and passwords. The default usernames and passwords tend to be obvious: 12345, username, password—more than covered by the 62 words on Mirai’s scan-list.

However, unlike most computers, the Internet of Things devices are on all the time, and there’s no user interface for even tech-savvy consumers to monitor the machines’ activities. As one Silicon Valley technologist (who requested anonymity because he works for a firm that makes some of these devices) put it, “My TiVo needs an internet link only to download TV guide metadata every fortnight, but as far as I know it’s also working overtime serving viruses or DNS attacks.”

The technologist went on: “Who’s to know what’s running on your interlinked Nest thermostat or your refrigerator? Borderline impossible. And all that stuff is interconnected to websites and accounts with credit cards and other attractive targets for hackers. Given the radical increase in traffic that these devices generate, it will get easier to hide malicious streams of network traffic in the noise.”

There are now about 10 billion IoT devices in the world. (The estimates range from 6.4 billion to 17.6 billion, depending on how the term is defined.) Some estimate that, by 2020, the figure will climb to 50 billion. That’s a lot of bots that a hacker can enslave for an attack.

Back in 1996, Matt Devost, Brian Houghton, and Neal Pollard wrote an eerily prescient paper called “Information Terrorism: Can You Trust Your Toaster?” They foresaw an era when household appliances would all be wired to the internet. Life would be more convenient, time would be saved—and everything you own would be vulnerable to hacking.

Devost, who went on to run Red Team operations in NATO war games and is now managing director of Accenture Security, says that, if anything, he understated the threat. He saw the phenomenon—and people today continue to see the Internet of Things—as posing “microthreats”: hackers messing with our personal stuff, turning our lives upside down, possibly even killing us. See, for instance, the experiment, just last year, when a former National Security Agency employee named Charlie Miller hacked into the onboard networks of a Jeep Cherokee and commandeered its steering wheel, accelerator, brakes—everything in the vehicle.

But in their paper of 20 years ago, Devost and his co-authors did not foresee “macrothreats”: hackers aggregating “smart” devices to mess with society. “Imagine it’s one of those mid-August days,” Devost said, “100 degrees with roaming brown-outs. What if a hacker ordered the IoT devices in a few large commercial buildings to turn up their air conditioners to max level? He could do real damage to the power grid.” And even this scenario is minor compared to the sort of attack presaged in last week’s incident—a hacker enslaving hundreds of thousands (or even millions or billions) of IoT devices to launch a massive denial-of-service attack that shut down, say, a whole city’s power generators or some other facility in the nation’s critical infrastructure.

That phrase “critical infrastructure” came into vogue in the late 1990s—to refer to power grids, banking and finance, oil and gas, transportation, water, emergency services, and other sectors on which a modern society depends—when a presidentially appointed panel, known as the Marsh Commission, discovered that all of those sectors were vulnerable to hackers.

Over the previous decade, the private corporations controlling these sectors all started to realize the enormous savings involved in hooking up their control systems to this new thing called the internet. Money transfers, energy flows, train switches, dam controls—they could all be monitored and managed swiftly, automatically, efficiently. No one considered the possibility that bad guys could hack into those networks and route the money, energy, trains, or water for criminal or destructive purposes.

The dangers should have been clear even then. As far back as 1967, at the very dawn of the internet, when its military precursor known as the ARPANET was about to roll out, a man named Willis Ware—head of the Rand Corporation’s computer science department and member of the NSA’s scientific advisory board—wrote a paper warning of its implications. Once you put information on a network—once you make it accessible online from multiple, unsecure locations—you create inherent vulnerabilities, Ware concluded. You won’t be able to keep secrets anymore.

When I was researching my book Dark Territory: The Secret History of Cyber War, I asked Stephen Lukasik, the person running the ARPANET program at the Pentagon’s Advanced Research Projects Agency, whether he’d read Ware’s paper. Sure, Lukasik told me. He told me that he took the paper to his team members, who also read it and begged him not to saddle them with a security requirement. It would be like telling the Wright brothers that their first plane at Kitty Hawk had to fly 50 miles while carrying 20 passengers. Let’s do this step by step, they said. It had been hard enough to get the system to work. Besides, the Russians wouldn’t be able to build something like this for decades.

It did take decades—about three decades—but, by then, vast systems and networks had sprouted up in the United States and much of the world with no provision for security. This was the bitten apple in the digital Garden of Eden. The sin was built into the system from its conception.

Corrections could have been made, security provisions could have been built in, once the utilities started hooking up the nation’s critical infrastructure to the internet—or, if they’d known of the risks, they might have decided not to get wired in the first place. And now, with the Internet of Things, we’ve begun to extend the mistake into our homes, into the stuff of our everyday lives.

Some remedies have been taken even since this past Friday. The Chinese firm Hangzhou Xiongmai Technology Co., Ltd., which makes components for some of the surveillance cameras hacked in last week’s denial-of-service attack, announced that it was recalling products from the United States. Dahua Technology, another Chinese company, offered firmware updates on its websites for customers who had bought its cameras and video recorders. But these are small measures, not likely to have much effect even on these specific products, much less those made in the past several years or in the years to come.

In the late 1990s, when the utilities’ vulnerabilities first came to light, Richard Clarke, then the White House counterterrorism chief, proposed imposing mandatory cybersecurity requirements on all industries connected to critical infrastructure. The companies lobbied against his plan, as did President Bill Clinton’s economic advisers, who warned that the measures would cripple these companies’ competitiveness in the global market. Clarke also suggested putting the government and critical-infrastructure industries on a parallel internet, which would be wired to certain agencies that could detect intrusions. This plan was leaked and denounced as “Orwellian.”

“If we could go back 30 years, we would probably do things differently,” Matt Devost reflected. We shouldn’t wait till it’s too late, he added, to put some limits on the Internet of Things. For instance, he suggested, the United States should impose regulations requiring all IoT devices to come with locks, so that consumers can’t activate them without first changing the default password—and maybe requiring the new password to be sufficiently long and complex to make it resist simple password-scanning malware, like Mirai.

When companies started putting power grids on the internet, the net itself was new and the art of hacking hadn’t spread. Maybe a few hundred people in the world knew how to exploit its vulnerabilities; now a few million do.

It’s important to understand that much more is at stake than a brief shutdown of Twitter. As Bruce Schneier, a prominent cybersecurity analyst, put it in a blog post that he published in September, a month before this recent attack, “Someone is learning how to take down the Internet.”

He noted that several attacks of precisely this sort—but smaller, the kind of incidents that specialists see but that elude mainstream notice—have been occurring in the past couple years. This probably isn’t the work of criminals or mischievous researchers; they wouldn’t be interested in the targets or capable of mounting attacks of such scope. Rather, Schneier wrote, the whole trend “feels like a nation’s military cyber-command trying to calibrate its weaponry in the case of cyberwar. It reminds me of the U.S.’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on,” so the U.S. Air Force could map the capabilities of Soviet radars and figure out how to elude them.

Is that what’s happening now? Is some nation-state figuring out how many IoT devices it takes to shut down larger chunks of the internet, and thus our society, as a whole? It sounds like paranoid science fiction from the 1960s, but the writers of that stuff were trying to scan the future as an extension of what was happening at the time, and in this case, they might have been on target.