Netizen Cybersecurity Bulletin: 12 September 2018 Edition

In this issue:

In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

  • Phish Tale of the Week!
  • URL Spoofing
  • The Hazards of IoT Devices
  • Targets of Phishing
  • How can Netizen Help?

Phish Tale of the Week!

Netizen received an email claiming to be from Microsoft in regards to OneDrive. That email can be found below:

OnePhishDrive

OnePhishDrive2

Recommendations:

A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not click on attachments.
  • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
  • Be wary of poor spelling, grammar, and formatting. As can be seen with the with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
  • Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

URL Spoofing

Unpatched Edge and Safari browsers are allowing attackers to spoof URLs, posing as legitimate websites creating a much more difficult phishing attempt to spot. One of the primary methods of detecting a phishing attempt is to examine the URL to determine if a website is fake. The vulnerability is caused when the browsers allow JavaScript to update the page address in the URL bar as the page is loading.

Upon successful exploitation of the flaw, the attacker initially loads the legitimate web page while, displaying the proper URL, before quickly replacing the code in the web page with a malicious site. Using this method, attackers can impersonate popular sites like that of Gmail, Facebook, Linked-In, various banks, etc. to steal credentials and other sensitive information.

Recommendations:

Microsoft has issued a patch for Edge in their latest update, however, Safari still remains vulnerable to the exploit. We recommend routinely patching all systems if they have not been already, and to exercise caution when reading emails. Since this particular attempt is harder to spot, rely more on the circumstance of the email itself:

  • Should you be getting this email?
  • Were you expecting this email?
  • Verify the sender.

The Hazards of IoT Devices

We have smart lightbulbs, smart speakers, smart refrigerators, smart washers & dryers – they are all over our house. The Internet of Things (IoT) has virtually digitized many aspects of our lives.  But in that acronym – IoT – something is missing.

Developers of IoT devices want to make the lives of their customers as easy as possible – whether it is to easily control our lights or set our homes’ temperature, the underlying goal is ease.  That ease extends into making these devices easy to install on home networks.  However, too often this ease leaves the door open for criminals to gain a foothold into our homes, small & mid-size businesses (SMBs) and even large corporations.  The attacks range from mere nuisances (a smart refrigerator was set to make ice cubes non-stop) to treachery (baby monitors hacked to eavesdrop and in some cases speak to/wake up children), to potentially frightful (imagine a hacker could determine when you’re not home and override your smart door locks and alarms?).  Offices are seeing more IoT devices, from smart displays in conference rooms to personally owned smart speakers in cubicles.

IoT devices lack security measures for many reasons, including lower costs and faster development. Offshoots of these reasons can result in hard-coded ADMIN passwords and backdoors created by the developers who might have forgotten to close them, or because the coders were removed from the project before it was fully vetted.  Should a hacker take control of one of your IoT devices, they may be able to exploit other devices on your network and compromise the confidentiality and integrity of your data.

Clearly, the adage regarding IoT devices cannot be argued:  the ‘S’ in IoT stands for ‘Security’.    Make sure you take the necessary steps to secure your devices at home and in the office.

Recommendations:

  • Always change the default login credentials. Not only the password but the username whenever possible.  Consider: a hacker already has half of the username+password combination if you use the default ADMIN.  Make the password difficult to guess.
  • Always segment your IoT devices to a wifi network separate from your primary (Home) network. Often this is as easy as using the GUEST wifi on your router.  If your router lacks the ability to have 2 or more segments, it’s probably time to upgrade.
  • Businesses should ensure the use of IoT devices comply with the corporate Acceptable Use Policy (AUP).
  • Make a calendar reminder to check your devices for firmware updates. While not all IoT devices update their firmware, make certain to install the patches to help stay ahead of vulnerabilities.
  • Evaluate whether you really need those devices in your home or office.  For example: do you really need a web-enabled toaster?

Targets of Phishing

A security company called Proofpoint Researchers has recently discovered that 60% of targeted phishing attacks are directed towards individual contributors and low-level management users. These attacks mainly consisted of malware or credential phishing attacks. This comes in comparison that upper management and executives only receive 24% percent of all attacks and only 5% of the targeted attacks. While this may seem like a small portion, it effectively is a larger disproportionate amount due to the smaller representation of the total workforce.

The recent findings come amid a continual surge of malicious email messages. Researchers have observed over a 35% increase in email attacks in the first and second quarters of 2018 alone. While every company size from large to small is targeted, companies in retail and healthcare experienced far greater growth rates for attacks compared to other sectors. Along with these findings was an 85% increase in attacks in this years second quarter, compared to last year. Growth rates for the automotive and education industries were even larger at 400% and 250% respectively.

Recommendations:

  • Ensure those individual contributors, and lower-level management is receiving the appropriate training to identify and report malicious email attacks.
  • Leverage advanced threat analysis and social media security to combat fake accounts.
  • Continue comprehensive security awareness for the entire workforce.

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management) certified company.

ISO

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s