Phishing

Do you know how to spot a phishing email? Phishing emails are not only a nuisance, but can also lead to theft. Our guide will show you how to spot them.

The term “phishing” plays on the word “fishing”: it sounds the same and carries the same idea of reeling in information, such as a username and password, or hooking you into taking some action via an unsolicited email. The aim of a phishing email is to “phish” a user by having them take the bait without realizing it.

A convincing phishing email works for its author precisely because it raises little suspicion in the recipient. So how does one avoid this? First, let’s understand the damage a phishing email can do before we delve into how to spot one.

What harm can phishing emails cause?

There are two major risks that can result from opening up links or attachments from phishing emails.

  1. Many such emails aim to trick users into believing they’ve been contacted by a legitimate company, and prompt them to visit a link that leads to a fake website. This site may be a copy of a legitimate one, for instance a banking site, complete with a login screen. The spoof site then captures and records login credentials, which the originator of the dummy site can reuse.
  2. The email itself may pose as coming from a legitimate company, such as a bank, prompting its targets to take action through its link. The wording typically pushes the user toward some action: “your account is suspended”, “update your information”, or a warning that an account has had “unauthorized access”. Anything that triggers panic or confusion is enough to get a user to follow the phishing email’s instructions.

Such scams can lead users to give away their credentials, passwords, and private information, which can be used to steal their identity and money.

Many phishing emails also attempt to infect systems with malware. This is a common entry point for infections at companies, compromising the user’s computer and the network it sits on. The worst case is malware that holds a user’s data hostage in exchange for a ransom.

How to spot phishing scams

Below are the usual signs of a phishing email to watch out for.

  • Unrecognized sender. This is usually a big giveaway. If you don’t recognize the sender, treat the email with suspicion. Even if the sender’s address appears to use your own company’s domain, question it, as clever phishing attacks can spoof the company domain to trick users.
  • Unexpected emails. Unless you’re expecting an email from a company, e.g. a delivery shipment notification, or a lottery win, treat it with suspicion. If unsure about a delivery, contact the official company, acquiring their contact details through their official website.
  • Prompts to open attachments. Avoid clicking links or opening attachments in unexpected messages.
  • Odd-looking website addresses. Another clue is links in the email with suspicious website addresses, which can redirect you to a dodgy website.
  • Odd-looking or out-of-place sender addresses. If you’re able to look at the sender’s details, check which email address is displayed. Most of the time the domain will not match the company they claim to be from. For instance, an email claiming to be from your bank could come from a @yahoo.com address. This is an obvious giveaway!
  • Impersonating institutions and companies. As mentioned earlier, be suspicious of emails claiming to be from banks, the IRS, the Social Security Office and so forth. They rarely contact users through email. If in doubt, contact them directly, and not through any telephone numbers given in the message.
  • Poorly written English and grammar. Many phishing emails contain poorly structured sentences and grammatical mistakes that sound like they’ve been written by a ten-year-old or a non-native English speaker.
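The signs listed above can be turned into a simple automated screen. The script below is an added example written for this guide, not code from the original post: it parses a raw email and flags a sender domain that does not match the institution the message claims to be from, links pointing outside that institution’s domain, the panic-inducing phrases quoted above, and attachments of types that ransomware campaigns on this site abuse (the .chm attachments described in the CryptoWall post further down). The three sample messages, the domains example-bank.example and verify-login.example, and the `score_message` function name are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample 1: a "bank" alert sent from a free webmail domain.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@yahoo.com>
To: you@example.com
Subject: Your account is suspended - update your information
Content-Type: text/plain

Unauthorized access was detected. Verify your details at
http://example-bank.verify-login.example/update or your
account will be closed.
"""

# Constructed sample 2: a benign notice whose sender and link match the bank's domain.
SAMPLE_LEGIT = """\
From: "Example Bank" <notices@example-bank.example>
To: you@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement is available at https://www.example-bank.example/statements
"""

# Constructed sample 3: an "incoming fax report" from the recipient's own
# domain carrying a .chm attachment (the CryptoWall 3.0 lure described below).
SAMPLE_FAX = """\
From: "Fax Service" <fax@example.com>
To: you@example.com
Subject: Incoming fax report
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Your fax is attached.
--B1
Content-Type: application/octet-stream; name="fax_report.chm"
Content-Disposition: attachment; filename="fax_report.chm"

(binary payload omitted in this constructed sample)
--B1--
"""

# Panic phrases quoted in the guide, and attachment types worth holding for review.
URGENCY_PHRASES = ("account is suspended", "update your information", "unauthorized access")
RISKY_ATTACHMENT_EXT = (".chm", ".exe", ".scr", ".js", ".zip")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def sender_domain(msg):
    """Domain of the actual address in From:, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_domain(host, domain):
    """True only if host is domain itself or a subdomain of it (substring matches don't count)."""
    return host == domain or host.endswith("." + domain)


def body_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw, claimed_domain):
    """Return the list of phishing indicators found in a raw message that claims to come from claimed_domain."""
    msg = message_from_string(raw)
    findings = []
    dom = sender_domain(msg)
    if not in_domain(dom, claimed_domain):
        findings.append(f"sender domain {dom!r} does not match claimed {claimed_domain!r}")
    text = body_text(msg)
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not in_domain(host, claimed_domain):
            findings.append(f"link to unexpected host {host!r}")
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency wording: {phrase!r}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_ATTACHMENT_EXT):
            findings.append(f"risky attachment {name!r}")
    return findings


if __name__ == "__main__":
    for label, raw, claimed in (("phish", SAMPLE_PHISH, "example-bank.example"),
                                ("legit", SAMPLE_LEGIT, "example-bank.example"),
                                ("fax", SAMPLE_FAX, "example.com")):
        print(label, score_message(raw, claimed))
```

The domain check deliberately uses a suffix match rather than a substring match, so that a lookalike host such as example-bank.verify-login.example is still flagged even though it contains the bank’s name. The fax sample shows why the sender check alone is not enough: the From: domain matches, and only the attachment type gives it away.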


If ever you’re in doubt, don’t hesitate to notify your IT administrator, who can help block as many phishing emails as possible. Even if some manage to filter through, which does happen, put this guide into practice.

For more ways to secure your business systems and networks, contact your local IT professionals.


A newly discovered ransomware called TeslaCrypt is on the loose, encrypting victims’ media files. Learn what it is and how to protect against it.

TeslaCrypt will lock up to 185 types of files, including data for the most popular PC games played online. Assassin’s Creed, BioShock, Call of Duty, Diablo and World of Warcraft are among the games affected.

The ransom

Once the files have been encrypted, victims are prompted to pay either $1,000 through PayPal My Cash cards or $500 in Bitcoin to acquire the private encryption key that unlocks their files. Criminals prefer Bitcoin because it makes them harder to track down. They also use a scarcity tactic, giving those affected three days to pay the ransom.

Risk and vulnerability

According to Vadim Kotov of the security firm Bromium, the vulnerability for this attack lies in the Opera and Internet Explorer web browsers when they visit compromised sites, such as WordPress-based websites. It was, however, Fabian Wosar of Emsisoft, an Austria-based security firm, who discovered TeslaCrypt.

Reports show that a malicious Adobe Flash video plays on the compromised website, which then redirects the user through a number of dodgy sites until it finally lands at its intended destination: a bundle of malware. This bundle is an exploit kit, dubbed “Angler”.

Angler plays its part in infecting computers with TeslaCrypt. Angler’s mission is to launch a relentless number of attacks while the user browses through the malicious sites, in the hope that one of them leads to its goal: infecting the system.

Once Angler gets onto a system it’ll check for two things:

  • The first verifies whether the machine is physical or virtual. Virtual machines are likely to be used by security firms.
  • The second detects which antivirus programs are running alongside the web browser.


After both checks, Angler executes attacks based on a recent Adobe Flash vulnerability (for which a patch has been available since last January) and a slightly older Internet Explorer exploit (security patch released in 2013). Angler preys on those who do not regularly update and patch their software, so it’s crucial to stay on top of updates and patch management.

What files are affected

TeslaCrypt sweeps through 185 types of computer files and encrypts them. These aren’t limited to gaming files: it also encrypts all iTunes music in .m4a format, as well as images, video, compressed files and office documents. Once encrypted, the files are given a “.ecc” extension.

To make things worse for unsuspecting victims, TeslaCrypt then wipes all Windows restore points from the target PC, preventing the freshly encrypted files from being restored from an earlier point in time.

The three most realistic options for victims are:

  • Pay the ransom, although file recovery is not guaranteed.
  • Run a full antivirus scan to remove it, then restore the locked files from a protected backup drive.
  • Reformat the system and count your losses; without a backup this may be your only choice.

TeslaCrypt can also reach your PC through an infected attachment or a link sent by email. This includes unsolicited private messages on social platforms such as gaming sites, which, once followed, can likewise set off the attack.


How to stay protected from TeslaCrypt

Zero-day vulnerabilities are an ongoing cat-and-mouse game, making it important to have security measures in place. Clean, unaffected backups, staying up to date, and running anti-malware can really save the day against ransomware such as TeslaCrypt.

For more ways to protect your business systems, contact your local IT professionals.


Security firm Kaspersky reveals malicious National Security Agency (NSA) malware hidden in hard drive firmware around the world. Read the summary here.

Kaspersky exposes NSA malware built into hard drives worldwide

Sitting on millions of hard drives across the globe lies a deeply rooted NSA malware designed to spy on computer activity, which has reportedly been doing so for over a decade! The NSA is responsible for gathering electronic intelligence on behalf of the U.S. government.

The majority of brands, such as Seagate, Toshiba, Western Digital and many others, have had the tampered firmware built into their hard drives, according to the security software giant Kaspersky.

Personal computers in as many as 30 countries around the globe have had the spyware implanted. Prime targets have been military and government bodies, banks, energy companies, telecommunication firms and many others.

Most of the targets are in countries such as Afghanistan, Algeria, China, Mali, Mexico, Pakistan, Russia, Syria and Yemen; however, it has also been picked up in Western countries such as the UK and parts of Europe.

The party behind all of this has been branded “The Equation Group”. They cleverly gained access to the source code of the various firmwares and cracked complex encryption algorithms, using their considerable skill to infect and access very specific targets.

Kaspersky has not named the organization responsible for the spying operations. It is believed to be strongly related to the Stuxnet attack, which was led by the NSA. Stuxnet was a campaign designed to attack the uranium enrichment facility in Iran.

The Factors behind the Malware’s success

  • The malware, reported as a .dll file, is able to survive computer reformats and hard disk wipes and reinfect the host.
  • Ironically, this has impressed Kaspersky Labs: a piece of hardware with the ability to re-infect a PC. They described it as “ground-breaking technology”.
  • The malware was coded into the hard drive’s firmware, the software that allows the hardware to run. For instance, when a computer is switched on it accesses the firmware to talk to hard drives and other system hardware.
  • In the case of the .dll file, a computer ends up re-infected because the firmware is needed to use the hard drives.
  • The spy program could work on any hard disk currently sold on the market.

How did it get there in the first place?


This raises the question of how such malware could have been embedded into the firmware of so many hard drives, across the majority of hard drive companies, in the first place.
According to Kaspersky’s director, Costin Raiu, the makers of the spyware must have had access to the actual source code of each infected hard drive. The source code holds the structure; in the hands of a third-party programmer, it allows vulnerabilities to be identified and used to harbor malware within the firmware for attack.

Raiu added that there’s little chance of hard drive firmware being rewritten by just anyone using public information.

Most hard drive companies would not officially disclose whether they’ve allowed NSA officials to access their source code. However, Western Digital, Seagate and Micron spokesmen have stated that they have not allowed their source code to be tampered with and that they take security very seriously.

Despite this, it is still possible for undercover NSA coders to have been employed by a hard drive manufacturer over a decade ago, or disguised as software developers, to acquire the source code. It is also possible that hard disk code evaluations were requested on behalf of the Pentagon. All are theories of how social engineering could have been part of “the equation”.

This has made many corporate giants, like Google and others in the US, rethink who attacked them back in 2009, which was originally pinned on China.

Evidence exists of hackers having reached the source code of various large American technology and defense corporations, according to reports from investigators.

For more ways to secure your data and systems, contact your local IT professionals.


Learn how USB thumb drives can potentially destroy laptops and PCs. We’ll explain how this works and what measures can be taken to protect your computers.

If you happen to find an unknown flash drive anywhere, we strongly advise against plugging it into a computer, especially one used for work. The risk is high: not only could it carry a virus, but a new type of attack has been created that can physically damage your systems. We have recently learned of dangerous USB thumb drives capable of frying a computer or laptop.

How does it work?

Think of a computer’s ports as physical access points for an attack.


  • An attacker modifies or builds a USB thumb drive around an inverting DC-DC converter that draws power from the USB port.
  • The power drawn from the USB port is used to charge a capacitor bank to -110VDC.
  • Once the caps have charged up, the converter shuts down.
  • A transistor then dumps the capacitor voltage onto the port’s data pins.
  • The cycle repeats every time the caps recharge, discharging high voltage through the port.
  • As long as there’s bus voltage and enough current, the attack runs its course and overwhelms the small TVS diodes on the computer’s or laptop’s bus lines.
  • Inevitably this fries the computer’s components, possibly including the CPU.
  • With fried components, a laptop or computer is “dead”.

In typical circumstances a USB thumb drive is designed to be protected, and a computer is normally able to dissipate manageable amounts of power, which wouldn’t cause this type of damage.

An example of an attack

A thief stole a USB flash drive from a commuter on the subway. When the thief inserted the flash drive into his computer’s USB port, the least he expected was to see some data. Instead, his computer died, its internal components fried. While one may think the thief got his just deserts, it highlights a more serious problem: trusting unknown peripherals such as flash drives.

Precautionary measures

Now that we have a good overview of how a USB thumb drive can be engineered to take out a computer, let’s discuss how to prevent such an occurrence.

  • Don’t allow strangers to connect a USB thumb drive to a mission-critical computer or laptop.
  • Don’t plug in USB thumb drives found in public.
  • Only use thumb drives purchased from reliable retailers or officially provided by an IT administrator.
  • Avoid sharing thumb drives, especially ones that leave the premises and come back to be used on office computers.
  • Have individuals carry their own thumb drives, which can safely be used within the office environment.
  • Always question any thumb drive presented to your business by an unknown third party. Even if it lands at your office’s reception desk, have an IT admin check it out first.
  • Have a thumb and flash drive policy in place covering all of the above as part of your IT security policy.

For more ways to safeguard your computers and IT infrastructure, contact your local IT professionals.

CryptoWall 3.0, a new variant of the Cryptolocker ransomware virus, is out causing problems for many businesses. Learn how it works and how to prevent it.

Discovered in late February 2015, CryptoWall 3.0 works very much like previous versions of this virus; however, its strategy for infecting systems is somewhat different.

How CryptoWall 3.0 works

  • When the infected file containing CryptoWall 3.0 is opened, the malicious program encrypts all the files it finds, including those on drives mapped over the network.
  • Files become encrypted and unreadable.
  • Only the perpetrator holds the key to make them readable again.
  • Once it finishes encrypting all files, it asks for a ransom of around $500 USD.
  • This amount is expected to be paid in Bitcoin, a currency used around the world.
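Both ransomware posts on this page describe the same visible footprint: TeslaCrypt renames encrypted files to a “.ecc” extension, and CryptoWall 3.0 encrypts everything it can reach on mapped network drives. The script below is an added example, not code from either post or from any security vendor: it walks a share looking for files with a known ransom extension and verifies a planted “canary” document by hash, so an administrator can detect mass encryption on a share early. The share layout, the canary filename `_canary_do_not_touch.docx` and the function names are all constructed for the example, and `leave_footprint` only reproduces the rename-and-overwrite trace the posts describe in a temporary directory; it performs no encryption.

```python
import hashlib
import tempfile
from pathlib import Path

# Extension the TeslaCrypt post reports for encrypted output; extend as needed.
RANSOM_EXTENSIONS = {".ecc"}
# Hypothetical canary filename planted at the root of every monitored share.
CANARY_NAME = "_canary_do_not_touch.docx"


def sha256_of(path):
    """Stream a file through SHA-256 so large shares don't load whole files into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canary(share_root):
    """Write a canary document and return its path and reference hash."""
    path = Path(share_root) / CANARY_NAME
    path.write_bytes(b"canary content v1 - do not edit")
    return path, sha256_of(path)


def scan_share(share_root, canary_hash):
    """Count ransom-extension files and check the canary; 'alert' is True if either indicator fires."""
    root = Path(share_root)
    ransom_files = [p for p in root.rglob("*")
                    if p.is_file() and p.suffix.lower() in RANSOM_EXTENSIONS]
    canary = root / CANARY_NAME
    if not canary.exists():
        canary_status = "missing"
    elif sha256_of(canary) != canary_hash:
        canary_status = "modified"
    else:
        canary_status = "intact"
    return {"ransom_files": len(ransom_files),
            "canary": canary_status,
            "alert": bool(ransom_files) or canary_status != "intact"}


def build_demo_share():
    """Constructed stand-in for a mapped share: two documents plus a canary in a temp directory."""
    share = Path(tempfile.mkdtemp(prefix="share_"))
    (share / "docs").mkdir()
    (share / "docs" / "report.docx").write_bytes(b"quarterly report")
    (share / "docs" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    _, canary_hash = plant_canary(share)
    return share, canary_hash


def leave_footprint(share):
    """Reproduce only the trace the posts describe: one document renamed with a .ecc
    extension and the canary overwritten. Nothing is encrypted; this is test data."""
    doc = Path(share) / "docs" / "report.docx"
    doc.rename(doc.with_name(doc.name + ".ecc"))
    (Path(share) / CANARY_NAME).write_bytes(b"scrambled")


def demo():
    """Run the scan on the constructed share before and after the footprint appears."""
    share, canary_hash = build_demo_share()
    before = scan_share(share, canary_hash)
    leave_footprint(share)
    after = scan_share(share, canary_hash)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

In practice the scan would run on a schedule against each mapped drive, and an alert should trigger the response the TeslaCrypt post recommends: isolate the affected host, scan and remove the malware, then restore from a protected backup rather than paying.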

Point of entry and identification

CryptoWall 3.0 employs social engineering via phishing emails. These arrive with attachments disguised as an “incoming fax report” and display the same domain the user is on, creating a false sense of trust by making the message look like a legitimate document. Once opened, CryptoWall enumerates all mapped drives on the host machine it infects and encrypts the host’s contents as well as the data on those mapped drives.

CryptoWall 3.0 uses .chm attachments, a type of compressed file used for user manuals within software applications. Since .chm is an extension of HTML, the files can be very interactive, with different types of media such as images, a hyperlinked table of contents and so forth. It also uses JavaScript, which lets the attack send users to any website on the Internet when the malicious .chm file is opened.
Once the file is opened, the attack automatically runs its course.

CryptoWall: More than meets the eye


Ransom malware has been evolving since the first wave of Cryptolocker attacks back in September 2013, which netted the virus writers over $27,000,000 in ransom money within only a few months of the Cryptolocker operation. Attacks are happening all over the world, with detections in Europe, the UK, the US and Australia.
The sophisticated Cryptolocker and CryptoWall attacks also use botnets, wide networks of compromised machines, as the originators of the attack. Aside from speeding up distribution of the virus, this gives the virus writers anonymity.

How to prevent CryptoWall 3.0

For more ways to stay protected and safeguard your network, contact your local IT professionals.
