social engineering Archives

Authentication is crucial when it comes to tackling cybersecurity threats, and this is especially true when it comes to sending and receiving emails.

Many of today’s cybersecurity threats are delivered via email, such as the recent Spica attack. This can make people wary of emails landing in their inbox. But email represents a vital communication channel for businesses. Therefore, if you’re sending an email, you need to make sure that the recipients know it’s trustworthy.

One of the simplest ways to authen ticate your emails is to use methods such as SPF, DKIM, and DMARC. You may not be familiar with these tools, but they can act as a stamp of approval that any emails you send are genuine. And it’s time to learn more about them.

Why Do You Need Email Authentication?

The threat of malware delivery over email is well known, with techniques such as social engineering and malicious links/files being prevalent in the digital landscape. Naturally, the last thing your stakeholders need is the threat of having their IT systems compromised. So, it’s important you can email safely and effectively.

The main benefit, of course, is that your stakeholders are less likely to fall victim to malware attacks. However, there are additional benefits. By implementing email authentication, you are actively building trust with your customers and partners. If you can prove your emails are genuine, the recipients are more likely to open them. Furthermore, email authentication ensures your emails are less likely to be labelled as spam, and this reduces the risk of them being redirected to junk folders.

The Principles of SPF, DKIM, & DMARC

The three main tools for authenticating emails ae SPF, DKIM, and DMARC. Combining these three protocols together delivers a strong level of authentication and ensures your emails are read rather deleted. But what are they?

Sender Policy Framework (SPF): this tool eliminates the likelihood of email spoofing being used to impersonate the sender’s IP address. SPF records are published and can be verified by receiving systems to confirm an email is genuine. Once an email server cross references this SPF record against your IP address, it will deliver the email if it matches.
Domain keys Identified Mail (DKIM): acting as a digital signature to outgoing emails, DKIM provides a further layer of email authentication. This signature comprises an encrypted key pair, one stored publicly in your domain name system (DNS) and one stored privately. With this digital signature attached to an email, a recipient’s server can authenticate the private key against the public one stored in your DNS. This minimizes the risk of spoof emails and maximizes email security.
Domain-based Message Authentication, Reporting & Conformance (DMARC): working alongside SPF and DKIM, DMARC acts not only as a form of email authentication but also as a reporting system. DMARC allows domain owners to dictate how recipients should handle emails which have failed SPF and DKIM checks. This is governed by policies laid out in the DMARC DNS record.

Authenticate Your Emails

SPF, DKIM, and DMARC are all vital for mitigating the risks associated with malicious emails and the resulting impact on IT infrastructures. By implementing these three protocols, you are maximizing the efficiency of your email communications and fostering trust with your key stakeholders.

For more ways to secure and optimize your business technology, contact your local IT professionals.

SmokeLoader Trojan Used to Deliver Phobos Ransomware

anti-malware tools, offline backups, Ophtek, Phobos ransomware, SmokeLoader, social engineering, Trojansanti-malware tools, offline backups, Ophtek, Phobos ransomware, SmokeLoader, social engineering, TrojansOphtek, LLC

Jan 2024

Be aware, your files are under threat from a new variant of the Phobos ransomware. And it’s being distributed by threat actors using the SmokeLoader trojan.

The Phobos ransomware was first detected in 2017 and, since then, has gone on to be used in numerous cyber-attacks. This new variant, however, is slightly different and more sophisticated than previous incarnations. The threat actors behind the new variant are believed to be the same team behind the 8Base ransomware syndicate, a powerful cybercrime operation.

As you know, any form of ransomware is dangerous, but one which is as clever and cunning as Phobos requires special attention. Luckily, Ophtek are here to provide you with all the advice you need.

The SmokeLoader Campaign

The SmokeLoader trojan is typically used to deliver the 8Base team’s variant of Phobos. A trojan is employed as the launchpad as Phobos, on its own, does not have the capability to breach a PC’s defenses. SmokeLoader operates by disguising itself within spam email campaigns and relies on social engineering techniques to unleash its malicious payload. Once SmokeLoader has been activated, it begins loading the Phobos ransomware.

And Phobos presents a very persistent and effective threat. It starts by identifying target files and automatically ends any processes which are accessing the files. From here, Phobos’ next step is to disable the PC’s system recovery tool, which ensures the victim is unable to roll back their PC to a pre-infection stage. Finally, before encrypting any files, Phobos makes a point of deleting any backups and shadow copies. Rest assured that Phobos doesn’t want to give you any chance of retrieving your files without paying a ransom.

What’s notable about this strain of Phobos is its encryption speed. Instead of fully encrypting all files, it only focuses on completing this on files under 1.5MB in size. Anything over this file size is only partially encrypted. Phobos alerts its victims to its encryption activities by issuing a ransom note on the infected system. This ransom note explains that the only way to decrypt the files is by making a payment in Bitcoin. And this payment is dependent on how quickly contact is made.

Staying Safe from SmokeLoader and Phobos

The financial damages arising from ransomware continue to rise and rise, so it’s crucial that you keep one step ahead of these attacks. The best way to stay safe is by following these best practices:

Understand social engineering: the Phobos attack, and many other ransomware attacks, are only able to initiate themselves due to victims falling for social engineering scams. Therefore, it’s vital your staff understand what social engineering is and how to combat it. For example, if an email sounds too good to be true, it probably is. And the best thing to do with a suspicious email is to take a deep breath and think long and hard before clicking any links.

Always keep offline backups: if all your files are encrypted then you’re going to have a hard time retrieving them without paying a costly ransom. And, remember, Phobos actively seeks out backups and shadow copies you may have stored on your network. However, if you regularly backup to an offline source, such as an isolated network or drive, you have the opportunity to minimize your file loss.

Use anti-malware tools: one of the best ways to add an extra layer of protection to your PCs is by ensuring that anti-malware tools are installed. These tools are discreet, mostly running in the background, and can identify malware before they launch their attacks. This allows you to quarantine and delete threats such as SmokeLoader before they can take over your system.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Safeguarding Your Business Against Social Engineering

complex passwords, malware, multi factor authentication, Ophtek, Phishing Email, Ransomware, social engineering, vulnerabilitycomplex passwords, malware, multi factor authentication, Ophtek, phishing, ransomware, social engineering, vulnerabilityOphtek, LLC

Dec 2023

One of the biggest threats to your organization’s IT comes in the form of social engineering attacks. Therefore, you need to keep your business protected.

In the digital age, there are many threats to your IT infrastructure. These can include ransomware, software vulnerabilities and malware. However, perhaps the most dangerous, and easiest to launch, attack involves social engineering. This attack relies on exploiting human psychology to gain a foothold within a targeted network. In many ways, it’s an age-old deception strategy from the physical world, but simply transferred over to the digital world. This article looks deep into the world of social engineering and should provide you with a better understanding of how to safeguard your business.

What is Social Engineering?

The main objective of social engineering, for a threat actor, is to convince individuals that divulging sensitive information or performing network actions is the right thing to do. Often, this strategy relies on phishing emails. These are emails which are sent to targets and claim to have been sent from someone they know e.g. a work colleague or a supplier. However, what the threat actor is trying to do here is either extract confidential information – such as login credentials – or encourage the target to click a malicious link.

Get Your Team to Recognize Social Engineering

Social engineering attacks will always be targeted at your employees, so this means that you need to invest in educating your employees. While an IT induction represents a good opportunity to warn them of the telltale signs of social engineering, the sheer range of social engineering strategies requires something more intensive. Accordingly, regular training courses which are followed up with refresher courses are highly recommended. Even better, sending randomised ‘spoof’ phishing emails internally can indicate which employees require tailored training.

Strengthen Your Authentication Processes

If you want to add an extra layer of defense to your IT infrastructure, strengthening your authentication processes is an excellent way of achieving this. Not only will this thwart social engineering campaigns, but it will also protect you against almost all other security threats. Therefore, make sure you focus on the following:

Integrate password rules which require your employees to create complex passwords e.g. using a mixture of case types, numbers and symbols.

Bring in multi-factor authentication to help protect your employees’ existing login credentials and place a further obstacle in the way of unauthorized access.
Put a time limit on passwords and ensure that they have to be updated within a set time e.g. every two months.

Secure Your Communication Channels

Applications such as Microsoft Outlook and Teams have revolutionized the way that businesses communicate, but they also represent a rich source of data. With this in mind, you need to secure these communication channels against the threat of social engineering. Encrypting data flowing in and out of these applications is paramount to protect the type of data that social engineering is hungry for. So, use VPN’s where possible and make sure your employees avoid using their devices on public Wi-Fi.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Major US Casinos Hit by Ransomware

BlackCat, educate team, MGM, Ophtek, Phishing, protection, Ransomware-as-a-Service, social engineeringBlackCat, educate team, MGM, Ophtek, phishing, protection, ransomware as a service, social engineeringOphtek, LLC

Nov 2023

A major ransomware attack on the MGM brand of casinos has led to the firm’s IT systems having to be shut down.

The ransomware-as-a-service hacking group BlackCat has taken responsibility for the attack, and it’s an attack which has caused major issues for MGM. IT systems responsible for processing electronic payments, digital key cards, parking systems and ATMs have all been impacted by this attack. While the attack is considered major, it was executed by the simplest of means. As ever, this attack on MGM contains some important lessons for organizations to learn and enforce.

How Were the MGM Casinos Hacked?

The MGM attack was made possible by the use of social engineering techniques. In particular, BlackCat identified an MGM employee by scouring related profiles on LinkedIn. With this information at their disposal, the threat actors contacted the MGM help desk and used this employee’s details as their way into the system. The exact nature of the breach, for security reasons, has not been disclosed, but it’s believed that it only took 10 minutes for BlackCat’s strategy to be successful.

BlackCat, with full access to MGM’s IT infrastructure, set about issuing demands to MGM through a secure communication channel they had put in place. However, MGM refused to pay any of the ransom fees demanded by BlackCat. Instead, on the recommendations of their security team, MGM began shutting their Okta servers – used for authorization processes – down.

However, BlackCat were able to remain active on the network due to the administrator privileges that they had gained during the attack. And, in response, BlackCat set about compromising over 100 hypervisors – applications which are used to manage virtual machines located on a PC – and encrypting the data contained on them.

BlackCat, again, brought their ransom demand to the table and also threatened to launch further attacks if this was not met.

How Could MGM Have Protected Their IT Systems?

As a thriving, world-famous organization, MGM could have done without the headlines relating to the attack by BlackCat. And, as with all social engineering attacks, this could have easily been avoided if MGM had practiced the following:

Be skeptical: unsolicited requests for information should always be treated with caution. If personal information is being requested, then always question the person, even if they appear to be legitimate, asking for the information. More importantly, take steps to verify their identity through official channels to confirm their authenticity.
Educate your team: it’s important that you familiarize your team with the most common social engineering tactics such as phishing emails and baiting. Awareness of these techniques will allow your staff to recognize these manipulative techniques before they can execute their malicious payloads.
Protect personal information: it’s crucial that you always protect sensitive data such as passwords, financial details, and personal identification. Avoid sharing such information with strangers or unverified individuals, such as on social media sites – as social engineers often harvest these channels to discover vulnerabilities.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Vidar Malware Attacks Online Sellers

malware, Ophtek, Phishing, social engineering, Vidar Malware, Virusesmalware, Ophtek, phishing, social engineering, Vidar_Malware, virusOphtek, LLC

Aug 2023

E-commerce means big business in the 21^st century and it proves a highly attractive target to threat actors, as online sellers are now finding out.

Such is the size of the e-commerce industry – estimated to hit $4.11 trillion in 2023 – threat actors have many reasons for attacking online merchants. Taking control of a seller’s account will instantly provide hackers with a treasure chest of personal information about their customers e.g. payment methods, personal identifiers, and email addresses. It’s also common for threat actors to lace these compromised inventories and shops with malicious JavaScript code, this can then record credit card details during the checkout process.

Therefore, this latest attack, which uses the Vidar malware to advance its payload, is one that you need to be aware of.

How is Vidar Causing Havoc in the Digital Aisles?

The attack launched against online sellers uses a combination of social engineering and phishing emails to deceive its targets. Threat actors are posing as disgruntled customers who claim to have had large amounts of money deducted from their bank without an order being processed. Using a bit.ly URL – which is typically used to shorten long URLs, but also hides the true destination of the link – the sender of the email advises the merchant to investigate a screenshot of their bank account. This, they claim, will show proof that funds have been taken.

Clicking this link will take the victim to a malicious website designed to look like a genuine Google Drive account. Here, the victim is encouraged to download a .PDF of the bank statement which the sender claims will demonstrate that an illegal transaction has taken place. However, rather than downloading a .PDF, the victim will instead download a file called bank_statement.scr. And this file contains the Vidar malware.

Vidar was first discovered in 2018 and its method of attack is well known. A classic data miner, Vidar will steal information such as passwords, browser cookies, text files, and also take screenshots of the infected PC. After uploading this data to a remote location, the threat actors can easily download this information and use it to exploit the victim further e.g. sell login credentials on the dark web or access other user accounts using the same information.

Taking Vidar Back to the Store

If you believe that your PC has been breached by Vidar, the good news is that most anti-virus tools will pick it up and eradicate it from your system. Nonetheless, it’s always better to not get infected in the first place. Therefore, make sure you follow these best practices to avoid falling victim to Vidar:

Pick up on suspicious language: phishing emails are full of telltale signs, but you need to know what you’re looking for. Firstly, look out for urgency, fear, and excitement-inducing words. Secondly, watch for requests to disclose personal information or click on suspicious links. And, finally, pay attention to poor grammar or spelling errors.

Only download from trusted sources: it’s advisable to only download files from sources you can verify are genuine. Downloading files from customers, even if they are genuine, should be avoided wherever possible. These files could, as the Vidar attack has shown, contain anything. In a scenario where you need verification, always turn to an IT professional.

Use anti-phishing tools: installing anti-phishing software is a good way to enhance your protection against phishing attacks. These tools can be implemented as either browser extensions or part of a security suite. Once they detect an attempt at phishing, they will block the content and present you with a warning in its place.

For more ways to secure and optimize your business technology, contact your local IT professionals.

1 2 Next »

Tag Archives: social engineering