Are You Having A Technology Emergency?

True North Networks Blog

True North Networks has been a national provider since 2002, providing IT support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

A "Secure DNS" Scam: an Upgrade that's a Downgrade

DNS

phishing campaign is targeting website owners with convincing, personalized emails that purport to come from WordPress, Naked Security reports. The emails claim that WordPress is upgrading the recipient’s domain to use DNSSEC (Domain Name System Security Extensions). The message has minimal spelling and grammatical errors, and it contains real explanations (copied from ICANN’s website) of what DNS and DNSSEC are. Naked Security notes that many website operators will most likely have heard of DNSSEC, and they probably know that it’s a good security measure.

“On the other hand, you’ve probably never set up DNSSEC or used it directly yourself, because it has typically been a feature used by service providers to help to keep their own DNS databases intact when they exchange data with other DNS servers,” Naked Security says. “In other words, activating DNSSEC for the server names that your hosting provider looks after for you certainly sounds like a good idea. So we can understand why some recipients of this scam might click through in order to learn more.”

The emails contain a link that’s tailored to each recipient. In Naked Security’s case, the link said, “Click here and activate DNSSEC to nakedsecurity.sophos.com.” If the recipient clicks the link, they’ll be taken to a phishing page that convincingly spoofs a WordPress login page. The page specifically says “Admin Area” to convince the user to enter their administrative credentials, which will be sent to the attackers.

While this scam was tailored to WordPress users (since Naked Security is hosted on WordPress), Naked Security found an image directory on the phishing site that contained the banner logos of 97 other hosting providers, including Akamai, HostGator, Linode, Magento, and Microsoft. The link in the email is customized so that users of different hosting providers will see the login page specific to their provider.

New-school security awareness training can enable your employees to be suspicious anytime they’re asked to enter their credentials.

Resource: https://nakedsecurity.sophos.com/2020/06/29/beware-secure-dns-scam-targeting-website-owners-and-bloggers/

  0 Comments
0 Comments
Continue reading

Business Email Compromise Attacks Focused on Invoice Fraud Surge by 75%

c-suite-decline

As attacks on the C-Suite decline, new data shows that employees in finance department roles are critical to the success of shifts in attack campaign strategy.

There’s one thing we’ve learned to be true about cybercriminals that use phishing emails as their initial attack vector – it’s that they always align their target victim with the campaign. From selecting the victim, to the choice of crime to be committed, to the social engineering tactics, every last detail is planned out to maximize the success of the attack efforts.

According to email security provider, Abnormal Security, in their Quarterly BEC Report Q1 2020, those cybercriminal organizations engaged in business email compromise attacks have changed their tactics – in some cases drastic changes:

  • From individual to group targets – campaigns with more than 10 recipients were up 27%
  • From C-suite to finance staff – campaigns targeting execs declined by 37% while those targeting finance staffers increased 87%
  • From engagement attacks to invoice fraud – paycheck and engagement attacks declined by more than half while invoice fraud increased by 75%
  • COVID-19 remains popular – Throughout the course of Q1, coronavirus-themed attacks rose by an average of 173%

With the overarching takeaway being that all your finance employees are the target of invoice fraud, there’s something tangible to communicate to that segment of your staff to avoid becoming a victim. But because tactics will continue to change as organizations become wise to attacks and other areas of businesses lax their sense of security, it’s important to keep the entire organization vigilant by enrolling them in continual Security Awareness Training, which educates them on the need to be watchful for suspicious content and offers up pertinent examples as attack trends change.

Resource: https://blog.knowbe4.com/business-email-compromise-attacks-focused-on-invoice-fraud-surge-by-75?utm_content=133919391&utm_medium=social&utm_source=linkedin&hss_channel=lcp-2225282

  0 Comments
0 Comments
Continue reading

How to protect yourself from COVID-19 scams and improve cyber hygiene

covid-hygiene

Earlier this month, the Canadian Centre for Cyber Security released an update to their list of ways that people in Canada can protect themselves from COVID-19 scams. In a statement made earlier today, Canada Labour Minister Filomena Tassi said that “Canadians are still being targeted by scams involving text messages and emails, which can lead to identity theft and financial loss; The Canadian Centre for Cyber Security has advice to help you improve your cyber hygiene.”

According to the Canadian Centre for Cyber Security, the five ways that people in Canada can protect themselves from COVID-19 scams are as follows:

1. Be on guard for scams

Don’t click on suspicious links. Also note that the government will never send you a text message about a payment or send you an e-transfer. (Visit the CRA website for ways to spot different scams.)

2. Secure your social media and email accounts

Review your privacy settings on social media and make sure your security questions to all your account logins are something only you would know the answer to.

3. Apply updates to your mobile devices, computers and applications

These updates are important and often contain “security patches.” Enable automatic updates if given the option to do so.

4. Store your data securely and know your back-up procedures

In addition to using an anti-virus or anti-malware program, it’s important to back up important information and files. You can use a cloud service to do that, but be sure to practise data recovery at least once so you know what to expect if you have to do it again.

5. Practice good password etiquette

Use passwords that are complex, and never share them. Don’t use the same passwords between different accounts, and use two-factor authentication when possible.

For the complete statement on cyber hygiene during COVID-19 from the Canadian Centre for Cyber Security, click here.

Resource: https://cultmtl.com/2020/06/how-to-protect-yourself-from-covid-19-coronavirus-scams-canada-cyber-hygiene-canadian-centre-for-cyber-security/

  0 Comments
0 Comments
Continue reading

Half of all Remote Employees Aren’t the Slightest Bit Prepared for Cyberattacks

remote-workforce

New data from IBM suggests that employees, their devices, training, and organizational policies are all lacking when it comes making sure remote workers don’t become a victim of cybercrime.

We’re well-past the shock of needing to setup remote operations with employees working from home. And enough time has passed that the world has seen how cybercriminals have changes their targets and tactics to take advantage of the unsuspecting remote worker.

So, surely, one would expect to see organizations taking steps to ensure the security of the employee, and the organization itself, right?

Well, according to IBM Security’s newly-released Work from Home Study, cyber readiness in the remote workplace is still a mess:

  • 53% of remote employees “have yet to be given any new security policies on how to securely work from home”
  • Of the over half of remote employees using their personal device for work, 61% say their employer hasn’t taken steps to help secure it
  • 66% haven’t been given any password management guidelines
  • 45% haven’t been given any new security training

The shift to working from home is not just about making employees operational; it’s also about extending at least the same security policies and governance to the remote worker, while shoring up security upon realizing the increased risk of them working from home.

With so many security issues to address – from insecure WiFi, to personal devices, to home distractions, to a lack of guidance, where should organizations pick up the pieces today?

Given so many variables of how a given employee may be connecting to organizational resources, the answer lies in the one constant – the employee themselves. By enrolling employees in Security Awareness Training, the organization props up the best possible defense against the ever-changing state of cyberattack. Employees can be taught to be mindful of corporate data, the use of phishing and social engineering, and how to spot suspicious email and web content.

Remote workers still have a lot of adjustment on their plate and it seems like every week, there’s something new to deal with. By providing a source of stability through training, organizations can immediately see an improvement in their remote security stance, providing time to address the other factors.

Resource: https://blog.knowbe4.com/half-of-all-remote-employees-arent-the-slightest-bit-prepared-for-cyberattacks

  0 Comments
0 Comments
Continue reading

National Security Agency warns that VPNs could be vulnerable to cyberattacks

VPN

The National Security Agency issued a new cybersecurity advisory on Thursday, warning that virtual private networks, or VPNs, could be vulnerable to attacks if not properly secured. The agency's warning comes amid a surge in telework as organizations adapt to coronavirus-related office closures and other constraints.

A VPN allows users to establish private, encrypted connections to another network over the internet. They are used widely by corporations and other organizations to protect proprietary data from hackers while employees work remotely. 

A senior NSA official who briefed reporters Wednesday said the increase in remote work had attracted the attention of potentially malicious cyber actors.  

  0 Comments
0 Comments
Continue reading
TOP