True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Of Course, Scammers Exploit Fears of Iranian Hacking


A new phishing campaign is attempting to frighten people into handing over their credentials by claiming Microsoft was hacked by Iran, BleepingComputer reports. The campaign is capitalizing on recent warnings from the US Department of Homeland Security and others about the possibility of Iranian state-sponsored cyberattacks in the wake of Qasem Soleimani’s death last week.

The phishing emails in this campaign contain the subject line “Email users hit by Iran cyber attack,” and they purport to come from “Microsoft MSA.” They claim Microsoft’s servers experienced a cyberattack from Iran, and the company had to lock down users’ data in order to protect it. Recipients of the emails are instructed to click a link that says “Restore Data” in order to regain access. Clicking this link will take them to a fairly convincing imitation of Microsoft’s login page, which is designed to steal their credentials.

Many modern phishing campaigns have polished spelling and grammar, making them very hard to spot. This isn’t one of those cases, however.

“Microsoft servers have been hit today with an Cyber Attack from Iran Government,” the emails say. “For your seifty and security we had to take extra measures to protect your account and your personal data. Some emails and files might still be locked on our servers, in order to get full access to your emails and files you have to signin again. If you still have problems receiving emails please be patient, our support team is working on this issue and we will fix this as soon as possible.”

The campaign isn’t particularly sophisticated, but the emails did manage to make it past spam filters, so it’s possible some recipients could have fallen for it.

Iranian state-sponsored cyberattacks are a real concern as well, and they often begin with phishing attacks. Sophisticated threat actors, including Iranian APTs, generally use much more convincing phishing emails that are tailored to their specific targets. New-school security awareness training can enable your employees to recognize low-grade phishing attempts like this one as well as more sophisticated spear phishing attacks.


True North Networks becomes employee-owned!


SWANZEY — A local company is now employee-owned, turning to its workers as an investment in its future.

True North Networks handles information technology for clients in 35 states, typically financial service businesses, according to owner and President Steven Ryder of Keene. Essentially an outsourced IT company, True North has 40 employees, most of whom are in its Swanzey office off Old Homestead Highway, with other branches in Chichester; Scarborough, Maine; and Pittsburgh, Pa.

Ryder said he’s been considering an employee-ownership model for the past couple of years. Though he isn’t quite ready to retire, he said he’s been thinking ahead and wants a succession plan in place. He’s fielded calls from people interested in acquiring True North.

“I really don’t have any interest in selling it and having my company gutted,” he said. “I don’t believe I’ve been successful on my own.”

Rather than choosing to “walk away with a big paycheck, thank everybody and walk out the door” at his retirement, he wanted to share the wealth with the team that built the company since its founding in 2002. So Ryder began researching employee ownership.

The company started the transition this month and will gradually make the shift throughout 2020, he said. Employees now get stock in the company that will go toward their retirement, in addition to an existing 401(k) plan. Ryder stressed the switch doesn’t cost employees anything, since the program is entirely company-funded.

From a technical aspect, he said, nothing changes. But employees have ownership in their workplace, which is a morale and productivity booster, Ryder said.

“They don’t feel they’re making me rich,” he said. “… It’s about how to make more money collectively together.”

Having a clear succession plan that doesn’t involve selling the company and potentially shaking up the operation also puts minds at ease for both staff and clients, he said.

Ryder said he hopes other businesses will see this model as a win-win situation.


Ransomware-stricken firm tells laid-off employees to seek new jobs amid stymied recovery efforts


The Heritage Company, a telemarketing firm that laid off 300 employees just days before Christmas after a devastating cyber-attack, has now advised the former employees to look for new jobs as the company can’t seem to recover.

Two months ago, Arkansas-based The Heritage Company suffered a ransomware attack but kept it secret as it worked to restore the data. In a letter to employees, CEO Sandra Franecke admitted the company paid hackers the ransom in exchange for the decryption keys. However, recovery didn’t go as planned and the firm ended up losing “hundreds of thousands” of dollars.

As the company could no longer pay employees, Franecke made the tough decision to let everyone go just days before Christmas. In an apologetic letter, she instructed employees to check back on January 2 to see if they can get their jobs back. Local news station KATV confirms that employees calling in for an update were greeted by a recorded message informing them that they should seek new jobs.

The Heritage Company also issued a formal statement to employees, saying, “Hello Team Heritage. We have been working diligently over the past two weeks to reorganize in an effort to recover from the cyber incident. Though we have made progress, there is still much work to be done. With that in mind, we do not prevent you from searching for other employment. Please take care of yourselves, your loved ones, and have a happy New Year.”


Tricky Phish Angles for Persistence, Not Passwords


Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.

Before delving into the details, it’s important to note two things. First, while the most recent versions of this stealthy phish targeted corporate users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers. Second, this attack is not exactly new: In 2017, for instance, phishers used a similar technique to plunder accounts at Google’s Gmail service.

Still, this phishing tactic is worth highlighting because recent examples of it received relatively little press coverage. Also, the resulting compromise is quite persistent and sidesteps two-factor authentication, and it seems likely we will see this approach exploited more frequently in the future.

In early December, security experts at PhishLabs detailed a sophisticated phishing scheme targeting Office 365 users that used a malicious link which took people who clicked to an official Office 365 login page — Anyone suspicious about the link would have seen nothing immediately amiss in their browser’s address bar, and could quite easily verify that the link indeed took them to Microsoft’s real login page. Read on for more: 
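The token described above outlives a password change, so the defensive check is to audit what the victim consented to, not to reset credentials. The following PowerShell is an added example (not from the article or from PhishLabs); it assumes the "digital token" is a delegated OAuth 2.0 permission grant in the victim's Azure AD / Office 365 tenant and that the AzureAD module is installed. The scope list and output columns are this example's own choices.

```powershell
# Added example: list per-user OAuth 2.0 consent grants that give an app lasting
# access to mail, files or contacts, so a consent-phish can be spotted and revoked.
# Assumes the AzureAD module (Install-Module AzureAD) and an admin sign-in.

Connect-AzureAD | Out-Null

# Delegated scopes that keep working after a password change (illustrative list).
$riskyScopes = @('offline_access', 'Mail.Read', 'Mail.ReadWrite', 'Files.Read.All',
                 'Files.ReadWrite.All', 'Contacts.Read', 'User.Read.All')

function Get-RiskyConsentGrants {
    # "Principal" grants are what a user leaves behind when they accept a consent
    # prompt; tenant-wide "AllPrincipals" grants are an admin decision, reviewed separately.
    Get-AzureADOAuth2PermissionGrant -All $true |
        Where-Object { $_.ConsentType -eq 'Principal' } |
        ForEach-Object {
            $grant  = $_
            $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
            $hits   = $scopes | Where-Object { $riskyScopes -contains $_ }
            if ($hits) {
                $app  = Get-AzureADServicePrincipal -ObjectId $grant.ClientId
                $user = Get-AzureADUser -ObjectId $grant.PrincipalId
                [pscustomobject]@{
                    GrantId     = $grant.ObjectId
                    User        = $user.UserPrincipalName
                    App         = $app.DisplayName
                    AppId       = $app.AppId
                    Publisher   = $app.PublisherName   # empty for unverified publishers
                    RiskyScopes = ($hits -join ' ')
                }
            }
        }
}

$suspect = Get-RiskyConsentGrants
$suspect | Sort-Object User | Format-Table -AutoSize

# Removing the grant is what actually cuts the app off; a password reset alone does not.
# Tokens already issued are invalidated with Revoke-AzureADUserAllRefreshToken.
# Uncomment after reviewing the list above:
# $suspect | ForEach-Object { Remove-AzureADOAuth2PermissionGrant -ObjectId $_.GrantId }
# $suspect | Select-Object -ExpandProperty User -Unique |
#     ForEach-Object { Revoke-AzureADUserAllRefreshToken -ObjectId $_ }
```

An app with an empty Publisher and offline_access plus mailbox scopes, consented to by a single user shortly after a phishing wave, is the pattern to look for.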


Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad


The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation’s critical infrastructure in light of the current tensions between the Islamic Republic of Iran and the United States and Iran’s historic use of cyber offensive activities to retaliate against perceived harm. Foremost, CISA recommends organizations take the following actions:

  • Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
  • Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
  • Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see link below for further details).
  • Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.

Iranian Cyber Threat Profile

Iran has a history of leveraging asymmetric tactics to pursue national interests beyond its conventional capabilities. More recently, its use of offensive cyber operations is an extension of that doctrine. Iran has exercised its increasingly sophisticated capabilities to suppress both social and political perspectives deemed dangerous to Iran and to harm regional and international opponents.

Iranian cyber threat actors have continuously improved their offensive cyber capabilities. They continue to engage in more “conventional” activities such as website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks.

The U.S. intelligence community and various private sector threat intelligence organizations have identified the Islamic Revolutionary Guard Corps (IRGC) as a driving force behind Iranian state-sponsored cyberattacks, either through contractors in the Iranian private sector or by the IRGC itself.

Iranian Cyber Activity

According to open-source information, offensive cyber operations targeting a variety of industries and organizations—including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base—have been attributed, or allegedly attributed, to the Iranian government. The same reporting has associated Iranian actors with a range of high-profile attacks, including the following:

  • Late 2011 to Mid-2013 – DDoS Targeting U.S. Financial Sector: In response to this activity, in March 2016, the U.S. Department of Justice indicted seven Iranian actors employed by companies performing work on behalf of the IRGC for conducting DDoS attacks primarily targeting the public-facing websites of U.S. banks. The attacks prevented customers from accessing their accounts and cost the banks millions of dollars in remediation. [1] 
  • August/September 2013 – Unauthorized Access to Dam in New York State: In response, in March 2016, the U.S. Department of Justice indicted one Iranian actor employed by a company performing work on behalf of the IRGC for illegally accessing the supervisory control and data acquisition (SCADA) systems of the Bowman Dam in Rye, New York. The access allowed the actor to obtain information regarding the status and operation of the dam. [2]
  • February 2014 – Sands Las Vegas Corporation Hacked: Cyber threat actors hacked into the Sands Las Vegas Corporation in Las Vegas, Nevada, and stole customer data, including credit card data, Social Security Numbers, and driver’s license numbers. According to a Bloomberg article from December 2014, the attack also involved a destructive portion, in which the Sands Las Vegas Corporation’s computer systems were wiped. In September 2015, the U.S. Director of National Intelligence identified the Iranian government as the perpetrator of the attack in a Statement for the Record to the House Permanent Select Committee on Intelligence. [3]
  • 2013 to 2017 – Cyber Theft Campaign on Behalf of IRGC: In response, in March 2018, the U.S. Justice Department indicted nine Iranian actors associated with the Mabna Institute for conducting a massive cyber theft campaign containing dozens of individual incidents, including “many on behalf of the IRGC.” The thefts targeted academic and intellectual property data as well as email account credentials. According to the indictment, the campaign targeted “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.” [4]

Recommended Actions

The following is a composite of actionable technical recommendations for IT professionals and providers to reduce their overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will likely have the highest return on investment. In general, CISA recommends two courses of action in the face of potential threat from Iranian actors: 1) vulnerability mitigation and 2) incident preparation.

  1. Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
  2. Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.  
  3. Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
  4. Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
  5. Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
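Item 4 above is the one most administrators have to translate into concrete settings. The following PowerShell is an added example (not part of the CISA alert) that applies the script block, module and transcription logging policies plus the signed-script execution policy on a Windows host, and then searches the resulting event log for script blocks worth a second look. The registry paths and value names are the documented PowerShell 5.1+ Group Policy settings; the transcript directory and the keyword list are this example's own assumptions.

```powershell
# Added example: turn on PowerShell logging and script signing (CISA item 4) and
# query the log it produces. Run from an elevated session on the host being hardened.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path; forward it to a SIEM

    # 1. Script block logging: the de-obfuscated content of every script block
    #    goes to Microsoft-Windows-PowerShell/Operational as event ID 4104.
    $sbl = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # 2. Module logging for every module ("*"): records pipeline execution details.
    $ml = Join-Path $policyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*'

    # 3. Transcription: full text of each session with an invocation header.
    $tr = Join-Path $policyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory        -Value $TranscriptDir

    # 4. Require signed scripts (the "code signing" part of the recommendation).
    Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Find-SuspiciousScriptBlocks {
    # Reads 4104 events and flags blocks containing strings common in download-and-run
    # or encoded-command activity. The keyword list is illustrative, not a signature set.
    param([int]$MaxEvents = 5000)
    $patterns = 'DownloadString', 'FromBase64String', 'Invoke-Expression',
                'Net.WebClient', '-EncodedCommand', 'Add-MpPreference'
    $regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $regex } |   # Properties[2] = ScriptBlockText
        Select-Object TimeCreated, UserId,
            @{ n = 'Path';  e = { $_.Properties[4].Value } } ,    # Properties[4] = script path, if any
            @{ n = 'Block'; e = {
                $t = $_.Properties[2].Value -replace '\s+', ' '
                $t.Substring(0, [Math]::Min(120, $t.Length)) } }
}

Enable-PowerShellLogging
Find-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap
```

Limiting who may run PowerShell at all (the first half of item 4) is done with AppLocker or group membership rather than these settings, and is out of scope here.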

For additional information on Iranian Cyber Activity and Patterns of Publicly Known Iranian APTs (including mitigations and detection recommendations), please view the full alert details at


Messaging / Smishing Attacks: You are the Best Defense


One of the most common ways cyber attackers try to fool people is by scamming you through email (often called phishing) or by phone call. However, as technology continues to advance, bad guys are always trying new methods, including tricking you through messaging technologies such as text messaging, iMessage/FaceTime, WhatsApp, Slack or Skype.

Here are some simple steps to protect yourself and spot / stop these common attacks.


What Are Messaging Attacks?

Messaging attacks (sometimes called smishing, a play on the word phishing) are when cyber attackers use SMS, texting or other messaging technologies to reach out to you and try to trick you into taking an action you should not take. Perhaps they want to fool you into clicking on a malicious link, or get you to call a phone number so they can get your banking information. Just like in traditional phishing email attacks, bad guys often play on your emotions to get you to act. What makes messaging attacks so dangerous is that they often feel far more informal or personal than email, making it more likely you will fall victim.

In addition, with messaging attacks there is less information and fewer clues for you to pick up on that something is wrong or suspicious. When you receive a message that seems odd, start by asking yourself: does this message make sense, and why am I receiving it? Here are some of the most common clues of an attack.

  • A tremendous sense of urgency, when someone is attempting to rush you into taking an action.
  • Is this message asking for personal information, passwords or other sensitive information they should not have access to?
  • Does the message sound too good to be true? No, you did not win the lottery, especially one you never entered.
  • A message that appears to come from a co-worker or friend’s account or phone number, but the wording does not sound like them. Their account may have been compromised and taken over by an attacker, or the attacker is attempting to pretend to be them, tricking you into taking an action.
  • If you get a message that makes you have a strong reaction, wait a moment and give yourself a chance to calm yourself and think it through before you respond.

Sometimes bad guys will even combine email and messaging attacks. For example, gift card scams can work this way. A cyber attacker will send you an urgent email pretending to be a friend or co-worker, then ask for your cell phone number. Then they can send repeated text messages, pressuring you to purchase gift cards. Once purchased, the attackers have you scratch off the code on the back of the cards and message a picture of the codes back to them. Another common attack urges you to “check out” a video or picture (“you won’t believe this!”). It appeals to your sense of curiosity. If the message looks like it is from someone you know, perhaps call the person on the phone to verify before you act.

If you get a message from an official organization that alarms you, check with them directly. For example, if you get a text message from your bank saying there is a problem with your bank account or credit card, contact your bank or credit card company yourself, by visiting their website or calling the phone number printed on the back of your card. Bear in mind that most government agencies, such as tax or law enforcement agencies, won’t contact you via text message.

When it comes to messaging attacks, you are your own best defense.


FBI Warns U.S. Companies About Maze Ransomware


The FBI is warning U.S. companies about a series of recent ransomware attacks in which the perpetrator, sometimes posing as a government agency, steals data and then encrypts it to further extort victims. In an advisory to the private sector last week, the FBI called for vigilance to combat the so-called Maze ransomware, which the bureau said began hitting U.S. organizations in November.

“From its initial observation, Maze used multiple methods for intrusion, including the creation of malicious look-a-like cryptocurrency sites and malspam campaigns impersonating government agencies and well-known security vendors,” states the advisory obtained by CyberScoop.

“In a late November 2019 attack, Maze actors threatened to publicly release confidential and sensitive files from a US-based victim in an effort to ensure ransom payment,” the advisory says, without naming the victim.

Maze is but one of an array of different strains of ransomware to emerge in recent years, a scourge with which companies and state and local governments have struggled to contend. This particular hacking tool caught the attention of security researchers last fall, when it was used in a scheme to dupe people in the U.S., Italy, and Germany into installing malware on their computers. Last month, the Maze perpetrators gained more notoriety when they published data supposedly stolen from the City of Pensacola, Florida, to pressure the city into paying a ransom.

“The combination of the theft and encryption of data will feel like a one-two punch for victim organizations,” said Charles Carmakal, senior vice president at Mandiant, the incident response arm of cybersecurity company FireEye. “Organizations may feel more coerced to pay the threat actors because they may feel it’s the best option to prevent the disclosure of sensitive information.”

The FBI “Flash”— a document the bureau periodically sends to U.S. companies to alert them to hacking activity — offers technical indicators to detect Maze ransomware and asks victims to provide information that could help track the hackers. The bureau requests things like bitcoin wallets used by the hackers and the complete phishing email they sent to the victim. The request for victim data related to Maze aligns with a new FBI offensive against ransomware that taps a wealth of data held by corporate victims. Last September, for example, the FBI held an unprecedented, closed-door summit on ransomware with private sector experts to get a handle on the problem.


How to improve cybersecurity for your business: 6 tips


Business cyber risk rates are holding steady for US companies, according to the US Chamber of Commerce and FICO. Here's how to stay safe.

Cybersecurity risk faced by US businesses held steady in Q1 2019, according to a recent report from the US Chamber of Commerce and FICO.

The quarterly Assessment of Business Cyber (ABC) Risk, based on scoring nearly 2,400 US companies using the FICO Cyber Risk Score, was 687--unchanged quarter over quarter. The ABC indicates the probability of an organization suffering a data breach in the next year, and, like a FICO credit score, ranges from 300 to 850. The higher the score, the lower the likelihood of experiencing a breach.

For small businesses, scores dropped slightly, from 740 to 737, while large firms' scores rose slightly, from 646 to 643.

"The disparity in risk scores between small and large organizations is due to the fact that large firms have a wider attack surface and are more frequently the target of cybercriminals," Doug Clare, vice president for cybersecurity solutions at FICO, said in a press release.

Businesses should note that different industries carry different levels of risk, even outside of the control of individual firms, Clare said in the release. For example, unsurprisingly, banks are a prime target, since they hold more valuable data.

Tips to improve cybersecurity

Managing cybersecurity risk involves managing behavioral risks, skills gaps, and technical flaws, the report noted. The US Chamber of Commerce and FICO offered the following recommendations to help businesses stay safe:

1. Use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to develop an information security program. The framework enables organizations--regardless of their size, risk profile, or cyber sophistication--to develop a cybersecurity plan or improve an existing one.

2. Develop a reliable understanding of one's network. This includes identifying assets to apply security management based on risk.

3. Identify functions and teams whose process and policy maturity are not performing adequately. This will enable organizations to identify weak links in technology, personnel, policy, and leadership.

4. Oversee an organization's network team to confirm alignment to the details of network management policies. Avoid unnecessarily exposing network infrastructure assets and ensure correct configuration for those that must be exposed.

5. Protect and monitor network endpoints. Organizations that monitor endpoints are able to provide an early warning of potential problems.

6. Develop a process to confirm that active certificate management programs are in place and are being implemented.

"When we launched the ABC in October 2018, it was a wake-up call to many businesses across the country," Christopher D. Roberti, senior vice president for cyber, intelligence, and security policy at the US Chamber of Commerce, said in the release. "Our focus this quarter is to help businesses understand how to improve their cyber posture. It is important to emphasize that a lower score--whether for a company or a sector--does not necessarily imply that insufficient diligence is being applied by those entities. Such entities may simply have a higher risk profile (i.e., they face greater risk of breach) due to the nature of their businesses."


Understanding Social Media Threats and How to Protect Against Them


Social media is a great way for organizations of all sizes to engage with customers. In fact, social media advertising revenue has been climbing steadily every year. In the U.S., for example, it was $13.1 billion in the first half of 2018, up 38% from the previous year. [1] And it’s no wonder companies are willing to invest in social media, considering that there were nearly 3.2 billion active social media users in 2018. [2]

But these online networking environments are fraught with peril. Cyber criminals have reaped approximately $3.25 billion in revenues per year from social media threats. [3] Most brands do not have the time or technology to monitor, classify and organize all the social media threats they face on Facebook, YouTube, Twitter, Instagram and LinkedIn. It’s simply too big of a job for a company to take on by itself.

How Cybercriminals Execute Social Media Threats

Virtually anyone is a potential target for social media threats – from respected public figures and celebrities to name brand companies and the average user. Hackers and bad actors use a number of tricks and tactics to achieve their objectives – whether they are financially or politically motivated. Here are some of the most common techniques [4] they use when carrying out social media threats:

  • Account access: Social media password management at most organizations is often treated much too casually. As brands see turnover and onboard new employees, passwords are shared and former employees retain access to social media accounts. And the security protection provided by social media networks is not enough. For example, Facebook links administrative accounts to personal accounts, creating a security vulnerability that could impact the brand. Companies must ensure that corporate and personal password management policies are in place. The consequences of poor password management and subsequent account takeovers can have a lasting and devastating impact on a brand’s social reputation.
  • Phishing attacks targeting employees: Fraudsters can pretend to be a company executive to extract funds or sensitive information by creating fake social media accounts on LinkedIn. They usually target a senior member of the company’s finance team or supply chain. Impersonators exploit human nature in two ways. First, they take advantage of the victim’s trusting nature by assuming the persona of someone the victim knows and strives to please. Second, they impose time pressure, short-circuiting the victim’s normal decision-making process. The impersonator might ask for an urgent money wire transfer or for confidential information.
  • Phishing attacks targeting customers: In these attacks – also known as angler phishing – cyber criminals create highly convincing customer service accounts and then wait for your customers to reach out to your brand with a help request. Automated listening tools make it easy for criminals to monitor your social accounts to find a potential victim. They often strike on evenings or weekends when your customer service teams are less likely to monitor the account for requests. When the fraudster sees a customer contact your brand account, they intercept the communication and send a timely reply from the look-alike support account. Cyber criminals will then direct the unsuspecting user to click on a look-alike web domain where they will be phished of their credentials.
  • Physical attacks targeting executives: Credential phishing attempts aren’t the only threats on social media targeting individuals. Doxing is an internet-based practice of gathering identifiable information about a person with the objective of shaming, scaring or blackmailing the target. In the U.S., doxing is a form of stalking and is illegal under many different federal and state laws, depending on the exact facts and location. Bad actors can publish personal information about your executives to a wide audience on social media. Once your executives’ details are posted in a public forum, they can then be threatened publicly or privately by anyone who wants to harass or harm them.

Social Media Schemes and Scams

Now that you understand some of the methods cyber criminals use when launching social media threats against people and organizations, let’s take a look at some of the threats that are aimed at the general public.

These more traditional social engineering scams include posting bogus coupons and links to malicious pages claiming to be free offers, often for movies or performances. In other cases, attackers send carefully engineered phishing scams as direct messages to social media users. The scams include:

  • Free movie streaming downloads
  • Work from home/make easy money
  • Fake coupons
  • Free airline flights

Protecting Against Social Media Threats: The Basics

There are several steps you can take to safeguard your people and your organization against social media threats:

  • Enable two-factor authentication to protect your social media accounts and management tools in addition to your passwords. This extra step of login verification will trigger a text or email alert with a verification code if someone attempts to sign in from an unrecognized device or IP address. On Facebook, for example, once two-factor authentication is set up you'll be asked to enter a special login code or confirm your login attempt each time someone tries accessing the account from a computer or mobile device Facebook doesn't recognize, and you can also get alerts when someone tries logging in from an unrecognized computer.
  • Encourage security teams to coordinate with social media teams as a way of gaining greater visibility into how your company is engaging on social media. From there, the security team can then define social threat protection measures.
  • Take inventory of all your social media accounts for your people and brand – official and unofficial. Consider using a tool to automate the discovery process and keep track of new accounts as they are created.
  • Once you have an inventory, identify everyone who has login access to accounts and applications. Confirm that each user’s access is authorized.
  • Simplify administration. Begin by reducing the number of direct administrators, strengthening your passwords and using password management solutions. Consider using the same single sign-on solution you use for email, applications and network access.
  • Reduce the number of third-party social media applications, especially those used to publish posts or comments on your behalf. This will minimize the probability of hackers gaining access to accounts and publishing bad content.
  • Implement a solution that will automatically monitor your accounts for anomalies that may indicate social media cybercriminal activities and threats.


Mysterious Global Phishing Campaign Uncovered


A mysterious phishing campaign was spotted by threat researchers from Anomali. The global credential gathering phishing campaign was directed primarily at government procurement departments; however, other sectors, including email and courier services, were also targeted.

According to Anomali, "The elaborate scam used a legitimate compromised domain and various subdomains to create phishing pages designed for credential harvesting. Phishing emails went out in various languages." The domains were hosted in Romania or Turkey and "all of the sites use Domain Validation (DV) certificates issued by 'cPanel, Inc'."

"The subdomains have similar naming conventions, targeting online credentials and containing a secure, verification, bidding or delivery theme," Anomali observed.

Spoofed Organizations

  • United States - U.S. Department of Energy
  • United States - U.S. Department of Commerce
  • United States - U.S. Department of Veteran Affairs
  • United States - New Jersey House and Mortgage Finance Agency
  • United States - Maryland Government Procurement Services
  • United States - Florida Department of Managed Services
  • United States - Department of Transport
  • United States - Department of Housing and Urban Development
  • DHL International courier service
  • Canada - Government eProcurement service
  • Mexico - Government eProcurement services
  • Peru - Public Procurement Centre
  • China - SF-Express courier service
  • China - Ministry of Transport
  • Japan - Ministry of Economy, Trade and Industry
  • Singapore - Ministry of Industry and Trade
  • Malaysia - Ministry of International Trade and Industry
  • Australia - Government eProcurement Portal
  • Sweden - Government Offices National Public Procurement Agency
  • Poland - Trade and Investment Agency
  • South Africa - Government Procurement Service

Anomali’s Conclusions:

"This credential harvesting campaign has been primarily targeting government bidding and procurement services. The focus on these services suggests the attacker is interested in those organisations (private and public) that may be a potential contractor or supplier for those governments targeted. The purpose of this insight could be a financial incentive to outcompete a rival bidder, or more long-term insight regarding the trust relationship between the potential supplier and the government in question.

Campaigns like these are difficult to protect against because unless the domains hosting the phishing pages are known as malicious, an organization's firewall will not know to block it. Legitimate sites were also hosting the phishing pages, and were likely compromised as part of the campaign.

At the time of writing none of the sites in this campaign were active; Anomali researchers consider it likely that the actors will continue to target these services in the future." New-school security awareness training can help your employees recognize a scam when they see one. Read the very detailed Anomali report on their blog site.



Choosing and Protecting Passwords


Why you need strong passwords

You probably use personal identification numbers (PINs), passwords, or passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Tracking all of the number, letter, and word combinations may be frustrating, but these protections are important because hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of non-secure and inadequate passwords. Once a system is compromised, it is open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to "Il!2pBb." creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should consider using the longest password or passphrase permissible (8–64 characters) when you can. For example, "Pattern2baseball#4mYmiemale!" would be a strong password because it has 28 characters and includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—for example, some applications limit the length of passwords and some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don'ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it—don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to your other accounts with the same password. Use the following techniques to develop unique passwords for each of your accounts:

  • Use different passwords on different systems and accounts.
  • Use the longest password or passphrase permissible by each password system.
  • Develop mnemonics to remember complex passwords.
  • Consider using a password manager program to keep track of your passwords. (See more information below.)
  • Do not use passwords that are based on personal information that can be easily accessed or guessed.
  • Do not use words that can be found in any dictionary of any language.
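As an added example (not code from the original article), the Python below builds a password from a bracketed mnemonic phrase like the "[I] [l]ike [T]o [p]lay [b]asket[b]all" example above and then checks a candidate against the dos and don'ts just listed: the 8–64 character length guidance, whether it is a plain dictionary word, whether it embeds personal information, and whether it contains a date-like digit run. The tiny wordlist and the personal-info values are constructed stand-ins, not a real cracking list.

```python
import re
import string

# Constructed stand-in for a real dictionary-attack wordlist (a few words only).
SMALL_DICTIONARY = {"hoops", "date", "password", "basketball", "baseball",
                    "pattern", "summer", "welcome"}

# Length guidance quoted on the page: 8 to 64 characters.
MIN_LENGTH, MAX_LENGTH = 8, 64


def mnemonic_password(template: str) -> str:
    """Build a password from a bracketed mnemonic phrase.

    Each [x] marks one character to keep, in order, so
    '[I] [l]ike [T]o [p]lay [b]asket[b]all' yields 'IlTpbb'.
    """
    return "".join(re.findall(r"\[(.)\]", template))


def _character_classes(candidate: str) -> int:
    """Count how many of lower / upper / digit / special classes are present."""
    checks = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation or c == " " for c in candidate),
    )
    return sum(checks)


def _looks_like_date(digits: str) -> bool:
    """True for a 4-digit MMDD run or an 8-digit MMDDYYYY / YYYYMMDD run."""
    def valid_mmdd(mm: str, dd: str) -> bool:
        return 1 <= int(mm) <= 12 and 1 <= int(dd) <= 31

    if len(digits) == 4:
        return valid_mmdd(digits[:2], digits[2:])
    if len(digits) == 8:
        return valid_mmdd(digits[:2], digits[2:4]) or valid_mmdd(digits[4:6], digits[6:])
    return False


def assess_password(candidate: str, personal_info=()) -> list:
    """Return the page's rules a candidate breaks (an empty list means none).

    personal_info is a tuple of strings the user should never embed, e.g.
    a birthday fragment or a phone number (constructed by the caller).
    """
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("shorter than 8 characters")
    elif len(candidate) > MAX_LENGTH:
        findings.append("longer than 64 characters")
    if _character_classes(candidate) < 2:
        findings.append("uses only one character class")
    # Whole-word dictionary check, repeated after stripping digits and
    # punctuation so that 'hoops1!' is still recognised as 'hoops'.
    letters_only = re.sub(r"[^A-Za-z]", "", candidate).lower()
    if candidate.lower() in SMALL_DICTIONARY or letters_only in SMALL_DICTIONARY:
        findings.append("is a dictionary word")
    for item in personal_info:
        if item and item.lower() in candidate.lower():
            findings.append(f"contains personal information '{item}'")
    for run in re.findall(r"\d{4,8}", candidate):
        if _looks_like_date(run):
            findings.append(f"contains a date-like digit run '{run}'")
            break
    return findings


if __name__ == "__main__":
    short = mnemonic_password("[I] [l]ike [T]o [p]lay [b]asket[b]all")
    for pw in ("hoops", short, "Il!2pBb.", "Pattern2baseball#4mYmiemale!"):
        print(f"{pw!r}: {assess_password(pw) or 'passes the checks'}")
    print(assess_password("Summer0415!x", personal_info=("0415",)))
```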

How to protect your passwords

After choosing a password that's easy to remember but difficult for others to guess, do not write it down and leave it someplace where others can find it. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, makes it easily accessible for someone with physical access to your office. Do not tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browser's ability to save passwords and your online sessions in memory. Depending on your web browser's settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There's no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up to date.
  • Use and maintain antivirus software and a firewall. (See Understanding Firewalls.)
  • Regularly scan your computer for spyware. (Some antivirus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.



Security Predictions for 2020


In this year’s Cyber Security Predictions, the WatchGuard Threat Lab has imagined the top cyber attacks we’ll see in 2020 and has provided tips for simplifying your approach to stopping them. Even though the threats coming at you won’t be any less intense, complicated, or difficult to manage, 2020 will be the year of simplified security.

1. Ransomware Targets the Cloud


  • Ransomware is a billion-dollar industry.
  • Overall volume of ransomware is down, but targeted ransomware against vertical industries is on the rise.
  • In 2020, targeted ransomware now tries to infect consolidated cloud assets, such as file stores, S3 buckets, and virtual environments.

Ransomware is now a billion-dollar industry for hackers, and over the last decade we’ve seen extremely virulent strains of this malware wreak havoc across every industry. As with any big-money industry, ransomware will continue to evolve in order to maximize profits. In 2020, we believe ransomware will focus on the cloud.

Recently, untargeted “shotgun blast” ransomware has plateaued with attackers showing preference for targeted attacks against industries whose businesses cannot function with any downtime. These include healthcare, state and local governments, and industrial control systems.

Despite its far-reaching damages and soaring revenues, ransomware has largely left the cloud untouched. As businesses of every size move both their servers and data to the cloud, it has become a one-stop shop for all of our most important data. In 2020, we expect to see this safe haven crumble as ransomware begins targeting cloud-based assets including file stores, S3 buckets, and virtual environments.

Security Tips: Do you have cloud security? Virtual or cloud UTM? Asking these questions is where to start. Use advanced malware protection to detect evasive malware. More importantly, consider new security paradigms that allow you to implement security controls, like advanced malware protection, in cloud use cases. Finally, the cloud can be secured, but it requires work. Make sure you’ve hardened your cloud workloads. For instance, investigate resources for properly securing S3 buckets.

2. GDPR Comes to the United States


  • California has passed the California Consumer Privacy Act (CCPA).
  • A national Consumer Data Protection Act (CDPA) will not pass in 2020.
  • In 2020, 10 or more states will pass laws like California’s CCPA.

Two years ago, the General Data Protection Regulation (GDPR) came into force, protecting the data and privacy rights of European Union citizens. As of yet, few places outside the EU have similar laws in place, but we expect to see the United States (U.S.) come closer to matching it in 2020.

GDPR boils down to placing restrictions on how organizations can process personal data, and what rights individuals have in limiting who may access that data, and it has already shown teeth. To date, companies have been fined millions of euros for GDPR violations, including massive €50 million and £99 million judgements in 2019 against Google and Marriott respectively. While the burden placed on companies can be intense, the protections provided to individuals are massively popular.

Meanwhile, the U.S. has suffered a social media privacy plague the last few years, with no real GDPR equivalent to protect local consumers. As organizations like Facebook leak more and more of our personal data, which bad actors have used in everything from targeted election manipulation to unethical bounty hunting, U.S. citizens are starting to clamor for privacy protections like those enjoyed by our European brothers and sisters. So far, only one state, California, has responded by passing their California Consumer Privacy Act (CCPA), which goes in effect in early 2020.

Though the same senator who passed CCPA in California has proposed a Federal Consumer Data Privacy Act (CDPA) bill, we don’t think it will gain enough support to pass nationwide in 2020. However, we do expect more and more states to jump onto California’s bandwagon, and pass state-level consumer privacy acts of their own. In 2020, we anticipate that 10 or more states will enact similar laws to California’s CCPA.

Security Tips: There isn’t a specific security tip for this prediction, but you can still take action. Contact your local congressperson to share your opinion on regulations to protect your privacy. Meanwhile, consider the lack of regulation here when sharing your private information online and with social networks.

3. Voter Registration Systems Targeted During the 2020 Elections


  • Though voting machines are hackable, adversaries won’t spend much time targeting them.
  • However, external threat actors will go after state and local voter databases with the goal of creating voting havoc and triggering voter-fraud alerts during 2020 elections.

Election hacking has been a hot topic ever since the 2016 U.S. elections. Over the last four years, news cycles have covered everything from misinformation spread across social media to alleged breaches of state voter systems. During the 2020 U.S. presidential elections, we predict that external threat actors will target state and local voter databases with the goal of creating voting havoc and triggering voter-fraud alerts during the 2020 elections.

Security experts have already shown that many of the systems we rely on for voter registration and election day voting suffer from significant digital vulnerabilities. In fact, attackers even probed some of these weaknesses during the 2016 election, stealing voter registration data from various states. While these state-sponsored attackers seemed to draw the line by avoiding altering voting results, we suspect their previous success will embolden them during the 2020 election, and they will target and manipulate our voter registration systems to make it harder for legitimate voters to submit their votes, and to call into question the validity of vote counts.

Security Tips:

While there isn’t a specific cybersecurity tip for this prediction, we do have some voter preparedness tips in the event this prediction comes true. First, double-check the status of your voter registration a few days before the election. Also, monitor the news for any updates about voter registration database hacks, and be sure to contact your local state voter authority if you are concerned. Be sure to print out the result of a successful voter registration, and bring your ID on election day, even if technically unnecessary.

4. During 2020, 25% of All Breaches Will Happen Outside the Perimeter


  • While working remotely can increase productivity and reduce burnout, it comes with its own set of security risks.
  • A quarter of all network compromises or data breaches will involve off-network assets.

Mobile device usage and remote employees have been on the rise for several years now. A recent survey by WatchGuard and CITE Research found 90% of mid-market businesses have employees working half their week outside the office. While remote working can increase productivity and reduce burnout, it comes with its own set of security risks. Mobile employees often work without any network perimeter security, missing out on an important part of a layered security defense. Additionally, mobile devices can often mask telltale signs of phishing attacks and other security threats. We predict that in 2020, one quarter of all data breaches will involve telecommuters, mobile devices, and off-premises assets.

Security Tips: Make sure you’re as diligent implementing off-network protection for your employees as you are perimeter protection. Any laptop or device that leaves the office needs a full suite of security services, including a local firewall, advanced malware protection, DNS filtering, disk encryption, and multi-factor authentication, among other protections.

5. The Cybersecurity Skills Gap Widens


  • Universities and cybersecurity trade organizations are not graduating qualified candidates fast enough to fill the demand for new information security employees. 
  • The cybersecurity skills gap grows by 15%.

Cybersecurity, or the lack of it, has gone mainstream. A day doesn’t seem to go by where the general public doesn’t hear of some new data breach, ransomware attack, company network compromise, or state-sponsored cyber attack. Meanwhile, consumers have also become intimately aware of how their own personal data privacy contributes to their own security (thanks, Facebook). As a result, it’s no surprise that the demand for cybersecurity expertise is at an all-time high.

The problem is, we don’t have the skilled professionals to fill this demand. According to the latest studies, almost three million cybersecurity jobs remained unfilled during 2018. Universities and cybersecurity trade organizations are not graduating qualified candidates fast enough to fill the demand for new information security employees. Three-fourths of companies claim this shortage in cybersecurity skills has affected them and lessened their security.

Unfortunately, we don’t see this cybersecurity skills gap lessening in 2020. Demand for skilled cybersecurity professionals keeps growing, yet we haven’t seen any recruiting and educational changes that will increase the supply. Whether it be from a lack of proper formal education courses on cybersecurity or an aversion to the often-thankless job of working on the front lines, we predict the cybersecurity skills gap to increase an additional 15% next year. Let’s hope this scarcity of expertise doesn’t result in an increase in successful attacks.

Security Tips: While the available cybersecurity workforce won’t appear immediately, you do have options to help create and manage a strong cyber defense. Taking a long-term view, you can work with your local educational institutes to identify future cybersecurity professionals so that you might fill your open roles first. In the short term, focus on solutions that provide layered security in one solution, or work with a managed services provider or managed security services provider to whom you can outsource your security needs.

6. Multi-Factor Authentication (MFA) Becomes Standard for Mid-sized Companies


  • 2020 will bring increased adoption of MFA among mid-sized companies.
  • We’ll also see widespread adoption among all service providers, and even privileged or admin accounts at all businesses.

We predict that multi-factor authentication (MFA) will become a standard security control for mid-market companies in 2020. Whether it’s due to billions of emails and passwords having leaked onto the dark web, or the many database and password compromises online businesses suffer each year, or the fact that users still use silly and insecure passwords, the industry has finally realized that we are terrible at validating online identities.

Previously, MFA solutions were too cumbersome for mid-market organizations, but recently three things have paved the way for pervasive MFA, both SMS one-time password (OTP) and app-based models, among even SMBs. First, MFA solutions have become much simpler with cloud-only options. Second, mobile phones have removed the expensive requirement of hardware tokens, which were cost-prohibitive for mid-market companies. And finally, the deluge of password problems has proven the absolute requirement for a better authentication solution. While SMS OTP is now falling out of favor for legitimate security concerns, app-based MFA is here to stay.

The ease of use both for the end user and the IT administrator managing these MFA tools will finally enable organizations of all sizes to recognize the security benefits of additional authentication factors. That’s why we believe enterprise-wide MFA will become a de-facto standard among all midsized companies next year.

Security Tips: This tip is simple – implement MFA throughout your organization. Everything from logging in to your laptop each day to accessing corporate cloud resources should have some sort of multi-factor authentication tied to it. 

7. Attackers Will Find New Vulnerabilities in the 5G/Wi-Fi Handover to Access the Voice and/or Data of 5G Mobile Phones


  • Wireless carriers that manage 4G and 5G networks often hand off calls and data to Wi-Fi networks to save bandwidth, particularly in high-density areas.
  • In 2020, flaws in this cellular to Wi-Fi handover process will allow attackers to access the voice and/or data of 5G mobile phones.

The newest cellular standard, 5G, is rolling out across the world and promises big improvements in speed and reliability. Unknown to most people, in large public areas like hotels, shopping centers, and airports, the voice and data traffic of your cellular-enabled device is communicated both to cell towers and to Wi-Fi access points located throughout these public areas. Large mobile carriers do this to save network bandwidth in high-density areas. Your devices have intelligence built into them to automatically and silently switch between cellular and Wi-Fi. Security researchers have exposed some flaws in this cellular-to-Wi-Fi handover process, and it’s very likely that we will see a large 5G-to-Wi-Fi security vulnerability exposed in 2020 that could allow attackers to access the voice and/or data of 5G mobile phones.

Security Tips:

Most mobile devices don’t allow the users to disable cellular to Wi-Fi handover (also known as Hotspot 2.0). Windows 10 currently does, however. If unsure, individuals should utilize a VPN on their cellular devices so that attackers who are eavesdropping on cellular to Wi-Fi connections won’t be able to access your data. For businesses looking to enable Hotspot 2.0, make sure your Wi-Fi access points (APs) have been tested independently to stop the six known Wi-Fi threat categories detailed at If the APs block these threats, attackers cannot eavesdrop on the cellular to Wi-Fi handoff.


How to protect your organization against the Snatch ransomware threat


Discovered and analyzed by security provider Sophos, Snatch attempts to bypass traditional security software by rebooting your PC into Safe Mode.

Windows Safe Mode tries to help you troubleshoot various maladies by rebooting your PC in a vanilla way without loading certain software, drivers, or services. That process also prevents anti-virus software from loading. And that leads to a tactic being employed by a particularly dangerous strain of ransomware.

Known as Snatch, the ransomware, as described by Sophos in a news post on Monday, forces a Windows PC to reboot into Safe Mode, thereby preventing any anti-virus or security software from running. Snatch, which itself runs as a service during Safe Mode, encrypts the victim's hard drive and tries to force the user to pay the ransom to be able to access the drive again.

Sophos actually ran into Snatch last year and said it believes the ransomware has been active since the summer of 2018. In mid-October 2019, the security vendor had to help a targeted organization investigate and resolve a ransomware outbreak. Seeing Snatch at work, Sophos believes that the Safe Mode component is a newly added tactic.

What is Snatch?

The Snatch malware comprises a collection of tools. The ransomware component and a separate data stealer were likely created by the cybercriminals who control the malware, according to Sophos. Also in the mix are a Cobalt Strike reverse shell and several publicly available tools that aren't malicious by themselves but are used by system administrators and penetration testers.

Created using Google's Go programming language, the Snatch variant seen by Sophos is able to run only on Windows, including all versions from 7 through 10 and in both 32-bit and 64-bit editions. The Snatch samples analyzed were packed with the open source packer UPX to hide their contents.

The criminals behind Snatch, who call themselves the Snatch Team, use an active automated attack model in which they try to get past enterprise networks through automated brute-force attacks against vulnerable accounts and services. Once inside, the Snatch team members then attempt to spread their attack internally within an organization's network. A type of malware used in the Snatch attacks has also been stealing a large amount of data from the targeted organizations.

In one incident against a large company, Sophos found that the attackers brute-forced the password to an administrator's account on a Microsoft Azure server and were then able to log in to the server using Remote Desktop Protocol (RDP). The attackers used that same account to log into a domain controller on the same network, which allowed them to run surveillance on the network over several weeks. In this incident, the criminals managed to install surveillance software on around 200 machines, about 5% of the computers on this organization's network.

How it works

At some point during an attack, the ransomware piece is downloaded to a targeted computer. The ransomware installs itself as a Windows service called SuperBackupMan, which is set immediately before the PC starts to reboot, giving an organization little or no chance to stop the service in time.

The attackers then use administrator access to run the Windows command-line tool BCDEDIT to force an immediate reboot of the computer in Safe Mode. After the PC reboots, the malware uses a Windows command called vssadmin.exe to delete all the Volume Shadow Copies on the system, thereby preventing a recovery of the files encrypted by the ransomware. Finally, the ransomware encrypts documents on the hard drive.
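As an added example (not Sophos's code and not from the original article), the Python below runs detection logic for the three steps just described over a handful of constructed Windows-style log lines: a service install named SuperBackupMan, BCDEDIT reconfiguring the boot entry for Safe Mode, and vssadmin deleting Volume Shadow Copies. The host names, paths and pipe-separated log format are made up; event IDs 7045 (service installed) and 4688 (process created) and the bcdedit/vssadmin command syntax are real Windows values.

```python
import re
from collections import defaultdict

# Constructed sample log lines, format: timestamp|host|event_id|detail.
# Hosts, paths and timing are invented; only the event IDs and command
# syntax are real. WS-042 and SRV-DB1 carry benign look-alike activity.
SAMPLE_LOGS = r"""
2019-10-14T02:10:05|WS-017|4688|C:\Windows\System32\svchost.exe -k netsvcs
2019-10-14T02:11:40|WS-017|7045|Service installed: SuperBackupMan, path: C:\Users\Public\backup.exe
2019-10-14T02:11:52|WS-017|4688|bcdedit.exe /set {default} safeboot minimal
2019-10-14T02:15:33|WS-017|4688|vssadmin.exe delete shadows /all /quiet
2019-10-14T03:02:11|WS-042|7045|Service installed: PrintSpoolerHelper, path: C:\Program Files\Vendor\helper.exe
2019-10-14T03:05:00|WS-042|4688|vssadmin.exe list shadows
2019-10-14T04:20:45|SRV-DB1|4688|bcdedit.exe /enum
""".strip()

# The three stages the article attributes to Snatch. The service name is the
# indicator from the Sophos report and may change between samples; the two
# command-line patterns describe behaviour and are the more durable signal.
STAGES = {
    "service_install": re.compile(r"Service installed: SuperBackupMan\b", re.I),
    "safeboot_config": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "shadow_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
}

SERVICE_INSTALLED_EVENT = 7045  # System log: "A service was installed"


def parse_line(line: str) -> dict:
    """Split one pipe-separated record into its fields."""
    ts, host, event_id, detail = line.split("|", 3)
    return {"ts": ts, "host": host, "event_id": int(event_id), "detail": detail}


def match_stages(logs: str) -> dict:
    """Return {host: [(stage, timestamp), ...]} sorted by timestamp."""
    hits = defaultdict(list)
    for raw in logs.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        for stage, pattern in STAGES.items():
            if not pattern.search(rec["detail"]):
                continue
            # Only trust the service-name match when it comes from a real
            # service-install event, not from a stray command-line mention.
            if stage == "service_install" and rec["event_id"] != SERVICE_INSTALLED_EVENT:
                continue
            hits[rec["host"]].append((stage, rec["ts"]))
    return {host: sorted(h, key=lambda pair: pair[1]) for host, h in hits.items()}


def alert_hosts(logs: str, min_stages: int = 2) -> dict:
    """Hosts on which at least min_stages distinct stages were observed.

    Two stages are enough: Safe Mode reconfiguration followed by shadow-copy
    deletion is suspicious on its own, whatever the service is called.
    Returns {host: sorted list of matched stage names}.
    """
    alerts = {}
    for host, stage_hits in sorted(match_stages(logs).items()):
        stages = sorted({stage for stage, _ in stage_hits})
        if len(stages) >= min_stages:
            alerts[host] = stages
    return alerts


if __name__ == "__main__":
    for host, stages in alert_hosts(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```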

Sophos said that its endpoint security protection was able to detect the ransomware payload for its customers, thus preventing it from infecting machines outfitted with the product. But another company called Coveware, which handles extortion negotiations between ransomware victims and attackers, told Sophos that it had negotiated with Snatch criminals 12 times this year between July and October. The ransom demands in Bitcoin ranged from $2,000 to $35,000, but rose over those four months.

Protection tips

To protect your organization against this type of ransomware, Sophos offers several pieces of advice:

  • Don't expose your Remote Desktop interface to unprotected internet access. Sophos recommends that organizations refrain from exposing the Remote Desktop interface to the unprotected internet. Organizations that need to permit remote access to machines should put them behind a VPN on their network, so they can't be accessed by anyone without VPN credentials.
  • Secure your other remote access tools. In a post on a criminal message board, the Snatch attackers wanted to hire or contract with other criminals able to break into networks using such remote access tools as VNC and TeamViewer. They also were looking for people with experience using Web shells or hacking into SQL servers using SQL injection attacks. Any internet-facing remote access tools and other vulnerable programs pose risks if they're left unattended.
  • Use multi-factor authentication for administrators. Organizations should set up multi-factor authentication for users with administrative privileges to make it harder for attackers to brute-force those account credentials.
  • Inventory your devices. Most of the initial access points and footholds that Sophos found in connection with Snatch were on unprotected and unmonitored devices. Organizations need to run regular, thorough inventory checks of all devices to make sure no gaps exist.
  • Search your network for threats. The Snatch ransomware went into action after the attackers had several days of undetected, uninhibited access to the network. A full threat-hunting program could potentially identify this type of activity before the ransomware has the ability to take hold.



Planning for 2020? Here are 3 Cybersecurity Trends to Look Out For


It’s almost 2020, which means teams are finalizing cyber budgets, strategies and goals. However, as you’re preparing for the new year, it’s important to keep an eye out for how the cybersecurity landscape might shift in 2020.

From the rise in investor focus on cybersecurity issues to diversifying of cyber insurance, there are three critical security trends cyber professionals should be prepared to address if they want a successful — and secure — 2020.

Investors will add cyber risk into their analyses

In 2020, cybersecurity is going to play a larger role in financial investments than ever before. Equifax was the first company that ever received a credit downgrade because of a data breach, and it made investors hesitate to invest in companies without understanding their cyber risk.

It’s an understandable fear: Our research shows a majority of Fortune 1000 companies have at least one remote administration service running on an open port. With current security like this, breaches are inevitable.

Savvy investors are holding off on investing in companies without good security. They’re beginning to uncover a link between companies with strong cybersecurity posture and strong stock performance. Though the research is still in its infancy, I suspect that many investors will soon incorporate cyber into their ESG analysis.

For the security professional, this is an opportunity to showcase your worth to the C-suite. Having strong security will no longer be just about protecting against breaches, it also means a better draw for investors, whether they’re looking to purchase stocks or invest in your business.

Attackers will focus less on zero-day vulnerabilities and more on blunt-force attacks

Zero-day vulnerabilities receive the most attention from the media, but in 2020, hackers probably won’t bother with these highly publicized attacks. Instead, they’ll hone in on simple strategies, like gaining access to a network through a third-party or unpatched system.

In fact, this trend is already starting to emerge. For example, APT33 uses almost exclusively brute-force password spraying when attacking critical infrastructure. These methods have seen success with breached companies facing Shamoon and Shapeshifter, two of APT33’s go-to deployments. And the number of business email compromise (BEC) attacks has soared immensely in the past year; financial media conglomerate Nikkei lost $29 million to this ploy. On top of these recent examples, the NSA reports that it very rarely responds to intrusions from zero-day vulnerabilities — instead it focuses primarily on incidents involving exploited unpatched hardware and software.

To counteract these trends, cyber plans will need to return to the basics and focus on building a strong security foundation. This includes continuously monitoring for new threats and vulnerabilities, consistently evaluating the security posture of your third-party partners, and more. The importance of employee cyber education also can’t be understated. Oftentimes, the weakest link in security postures is still the human element.

Cyber insurance will play a larger role in cyber plans

From ransomware to BEC, the costs of responding to cyberattacks are relentlessly increasing, and 2020 will be the tipping point for cyber insurance. Many companies, especially smaller ones, are learning the hard way they don’t have the resources to mitigate cyberattacks alone, especially ones that arrive from third-, fourth-, or even fifth-party partners.

Though most cyber insurance won’t directly pay for any money lost in a BEC or phishing attack, it will help finance legal investigations and fees. As more companies adopt cyber insurance policies, the insurance industry will educate itself on the nuances of cyber attacks and begin offering additional cyber coverage plans, including ones that cover consequences and losses outside of the cyber realm.

Whether it’s through an extended power outage that leads to looting or a crash from faulty transportation communications, companies need to go into 2020 ready for how cyber attacks could impact the physical world. One way to do that is for companies to reevaluate their current cyber insurance policy or start shopping for their first.

Planning for 2020 cybersecurity trends

The new year will bring a range of challenges for cyber professionals, but trying to anticipate and plan for them now will mitigate their ramifications.

To start, companies need to ensure their CFOs and other stakeholders understand the growing financial impact of cybersecurity. As security tools become more efficient, executives might be tempted to lower the budget without understanding how badly a cyber attack would affect not only their operations on the day of the attack, but also the business’s long-term financial stability.

Additionally, the importance of a strong cyber foundation needs to be a focus in the new year. We’re seeing hackers rely on tried-and-true methods rather than chasing down the latest zero-day vulnerability, meaning routine patching and third-party partners with continuously monitored, strong security hygiene are key to protecting businesses.

Finally, the role cyber insurance will play in businesses can’t be ignored any longer. Cyber insurance is expanding to mitigate losses that come from anywhere in the supply chain, including outside of it; it doesn’t matter if you’ve been breached or if your next-door neighbor has been.



Get Smart Devices This Holiday Season? Learn How to Best Strengthen Your Security.

The FBI Is Warning That Your Smart Home Devices Aren't Secure. Here's What You Should Do About It

A string of warnings about smart home vulnerability means that it’s time for a refresher course on keeping your network and devices safe.

You may have heard that the FBI is warning people about their smart TVs, smart speakers, and smart home devices in general. Just last week, the Portland, Oregon, Field Office issued two notices warning people that they may be susceptible to hackers through these devices, since they often lack the same level of security features found on computers or smartphones.

In fact, most of the smart home devices you connect to your router have almost no security at all, which means it's important to take steps to secure your home network as a whole. Fortunately, there are a few things you can do to strengthen your security.


Use Encryption on Your WiFi Router

You wouldn't believe how many people leave their wireless router open to the public. Considering your WiFi is the entry to your home network, it would be like leaving your front door unlocked and open for anyone to walk in. I think we can all agree that's a bad idea. Instead, use encryption such as WPA2, and use a secure password. 

Also, change your router’s network name (its SSID) to something that isn’t associated with your name or your address. That makes it harder for would-be hackers to pinpoint your location based on the name of your network. And it should go without saying, but let’s just say it: never, ever, ever use the default name or password for any device.

Create a Guest Network

Most of us are notoriously bad at keeping our passwords secure. That’s true of our Netflix account, and it’s true of our home WiFi. Fortunately, most of the routers you can buy today allow you to create a “guest network” that doesn’t allow access to the devices on your secure network. That means your friends can get online without running the risk that anyone might access your smart home.

The key is to make sure to use a different strong password for this network. Some routers, like the Netgear Orbi, allow you to set an expiration for a guest network session, which provides an added layer of security.

Turn Off Direct Print

WiFi-enabled printers, like many HP models, include a handy feature called Direct Print. This creates an SSID broadcast directly from the printer, allowing you to print directly to the printer without connecting to your WiFi network. The problem is, chances are, your printer is connected to your network. If you're using AirPrint, for example, there's really no reason to enable direct print, especially since it means that you've essentially left the back door of your network wide open for anyone to connect. 

Use a Firewall

Just because your laptop uses a firewall doesn't mean the rest of your network is secure. Many routers have a firewall you can turn on, but if you really want to be safe, you can purchase hardware options that can be placed between your modem and your WiFi access point. That prevents malicious data from coming in, or bad guys from accessing anything on your network. 

The SonicWall SOHO and BitDefender Box 2 are both good home options that are easy to set up but still give you control over your security settings. Even a firewall built into your WiFi router or modem is better than nothing.

Keep Your Gadgets Up to Date

Most of us pay attention to security updates on our iPhones or Android devices. We're a little worse about our laptops, but at least recognize that it's probably a good idea to keep those up to date. Did you know most of your internet-connected devices could use an update every once in a while as well?

Some, like Google’s smart speakers or Nest thermostats and cameras, will automatically check for updates on their own. They’ll download and install them without you having to do anything. Others, like your smart TV, probably need you to update them manually. You should. Set yourself a reminder each month to check for important security updates.



Shop Safer This Holiday Season!


The holiday countdown is on, and more than half of holiday shoppers plan to make purchases online during the 2019 season of giving. Unfortunately, it’s also the season for online scammers to make a killing — typically, at your expense.

Online purchase scams, which can expose your identity and even drain your wallet, are the riskiest form of consumer fraud, according to a report published by the Better Business Bureau. And a recent Experian survey found that 43% of victims said their identity theft occurred while holiday shopping online.

While the thought of getting ripped off — during the holiday season, no less — is enough to make anyone say “Bah, humbug!” there are ways you can protect yourself while holiday shopping online.

Online holiday season shopping: The facts

Shopping heats up in November and December, and a lot of those transactions occur on laptops, tablets, and mobile devices. Amid the increase in e-commerce, financial fraud climbs, too.

  • 8% of consumers surveyed in 2018 said they were victims of identity theft during the holiday season.
  • 43% of online shoppers surveyed said their identity theft occurred while holiday shopping online.
  • 56% of holiday shoppers plan to make purchases online in 2019.
  • $1,007: average amount that American consumers plan to spend on holiday shopping in 2019.
  • Up to $149 billion: online holiday shopping sales for 2019 (projected), from November to January.
  • 84% of holiday shoppers plan to use their smartphones to research products and look for coupons before buying in-store.
  • 18%: The amount online sales are projected to grow in 2019 compared with 2018.

How to protect yourself while holiday shopping online and afterward

The holidays should be a time of joy as you spend time with friends and family — not stress and frustration as you untangle a case of identity theft or financial fraud. Stay ahead of online scammers and identity thieves by using these tips to help secure your personal information while shopping online.

Ship to a secure location

The rise of online shopping has led to an increase of home deliveries — and with it, an increase in “porch pirates”, or thieves who steal packages from doorsteps. If no one’s home to accept a package, consider shipping to your office or another safe place. UPS, Amazon, and FedEx all now have shipping lockers available for secure deliveries.

Only use official retailer apps to shop

Mobile apps allow you to shop for and purchase items while you’re on the go, making holiday shopping a breeze. But the danger arises if you unknowingly install an app laced with malicious software, or malware. Criminals use these apps to infiltrate smartphones and do any number of things, like directing users to fraudulent premium subscription services or automatically subscribing them to expensive content providers without their consent.

Protect yourself against malicious mobile apps by only downloading apps from reputable stores, such as Galaxy Apps, the App Store, Amazon App Store and Google Play. Some providers, such as Google Play, scan apps for malware prior to publishing them on their store.

Don’t save your credit card information on your accounts

While it may be convenient to store personal and payment information in your online accounts, it does come with risk. Some retail websites may not be equipped to secure your info, which could leave your personal details and payment card data vulnerable to cyberthieves or data breaches.

If a hacker accesses your favorite shopping account, it could then be easy for them to make fraudulent purchases with the credit card information you’ve saved in that account. That’s why it’s best to either skip the autofill option or try using a password manager, which provides an extra layer of protection to your account info.

Consider using Apple Pay or Google Pay for a second layer of protection

Credit card fraud is a serious problem in the U.S., but using a digital wallet or app, such as Apple Pay, Google Pay, Venmo, or others can increase your transaction security.

The digital wallet obscures your payment card information so the merchant sees a unique, one-time code that’s only good for that purchase. So if a store employee or a hacker tries to get their hands on the store’s payment information, they wouldn’t be able to see your credit card or bank details.

Don’t buy from unfamiliar retailers without confirming it’s legit

Expect a record for online holiday spending this year. But shopping IRL — in real life — offers one advantage: You can usually be sure the business and the inventory exist. On the web, some businesses are fabricated by people who just want your credit card information and other personal details. To play it safe, consider doing online business only with retailers you trust and have shopped with before. Or at least spend the time to confirm it’s a legitimate entity, by checking customer reviews and other consumer feedback.

Don’t jump at the lowest price

Black Friday, Cyber Monday, and other big sales along the way have become a tradition of holiday shopping. But if a website offers a deal that seems too good to be true, then it probably is. Compare prices and pictures of the merchandise at similar websites. Rock-bottom prices could be a red flag that the business doesn’t have those items in stock. The website may exist only to get your personal information.

Never make purchases on public Wi-Fi

You might be tempted to take your shopping spree to a coffee shop for a cup of joe. Keep in mind, Wi-Fi networks use public airwaves. With a little tech know-how and the freely available Wi-Fi password at your favorite cafe, someone can intercept the data you send and receive while on free public Wi-Fi.

Shopping online usually means giving out information that an identity thief would love to grab, including your name, address, and credit card information. Bottom line: It’s never a good idea to shop online or log in to any website while you’re connected to public Wi-Fi.

Try shopping with the extra security of a VPN

Still can’t resist the lure of shopping online while sipping that peppermint latte? If you must shop online on public Wi-Fi, consider installing and using a VPN — short for virtual private network — on all mobile devices and computers before connecting to any Wi-Fi network.

A VPN creates an encrypted connection between your smartphones and computers and the VPN server. Think of it as a secure tunnel your Internet traffic travels through while you browse the web, making the data you send and receive safer from interception by nearby hackers.

Use strong passwords and a password manager

If someone has the password to your account, they could log in, change the shipping address, and order things with stored payment data while you get stuck with the bill. Help keep your account safe by securing it with a strong password — “Santa123” won’t do. Here are some tips on how:

  • Use at least 10 characters, mixing lowercase and uppercase letters, numbers, and symbols.
  • Don’t use personal information that others can find or guess, such as birthdates, your kids’ names, or your favorite color.
  • Don’t use the same password — however strong — on multiple accounts. A data breach at one company could give criminals access to your other, shared-password accounts.
  • Consider using a password manager to generate and safely store those strong, complex passwords.

Check security policies on your selected retailers

That small lock icon in the corner of your URL bar tells you that the web page you’re on is using an encrypted (HTTPS) connection; the URL will start with “https.” These websites encrypt the data you share with them, which matters most on pages that ask for passwords or financial information.

If you don’t see that lock or the “s” after “http,” then the connection to the web page isn’t encrypted. Nothing protects the data you send to these pages in transit, so we suggest you exercise caution before providing your credit card information on such sites.

Don’t get tripped up in holiday shopping scam emails

Sometimes, something in your email in-box can stir your holiday consumer cravings. For instance, it might be tempting to open an email from an unfamiliar business that promises a “special offer.” But that offer could be special in a bad way.

Clicking on emails from unknown senders and unrecognizable sellers could infect your computer with viruses and malware. It’s better to play it safe. Delete them, don’t click on any links, and don’t open any attachments from individuals or businesses you are unfamiliar with.

No retailers ask for your Social Security number, so don’t give it out

No shopping website will ever need your Social Security number. If you’re asked for very personal details, call the customer service line and ask whether you can supply some other identifying information. Or just walk away and find a better-known, accommodating website for your holiday buys.

Buy with credit cards

Attention, holiday shoppers: You’ll usually get the best liability protection — online and offline — when you use a credit card. Here’s why.

If someone racks up unauthorized charges on your credit card, federal regulations say you won’t have to pay while the card company investigates. Most major credit cards offer $0 liability for fraudulent purchases.

Keep in mind, your liability for unauthorized charges on your debit card is capped at $50, if you report it within two business days. But if someone uses your account and you don’t report the theft, after 60 days you may not be reimbursed at all.

You can also try a virtual credit card. Some banks offer this nifty tool that acts like an online version of your card. With a virtual credit card, the issuer will randomly generate a number that’s linked to your account, and you can use it anywhere online and choose when the number expires. It might be best to generate a new number every time you buy something online, or when you shop with a new retailer. Anyone who tries to use that number will be out of luck.

Use prepaid debit cards

Using a prepaid debit card removes a lot of the risk that goes with online shopping. These are different from debit and credit cards because the money isn’t connected to your credit history or to a bank account. You just load money onto the prepaid debit card, use that balance for purchases and reload when needed.

So if a scammer gets hold of the card information, the crime pretty much ends there. The crook can’t open new credit accounts in your name, drain your checking account, or make purchases over the amount you’ve already loaded.

Plus, you still have some degree of fraud protection. If you have previously registered the card and you report the loss or theft to the card issuer, most will restore your original balance and issue a new card. However, since many prepaid debit cards come with high fees, read the terms before getting one, and consider only using these for holiday shopping.

After purchasing gifts, keep an eye on all your accounts and bank statement

Robust holiday shopping can add pages to your credit card statements. Check your statements for fraudulent charges at least once a week or set up account alerts. When you receive a text or email about a charge, you can check the message and likely easily recall whether you recognize the charge and made the purchase.



How Phishing is Evolving


Attackers are always using new tactics to stay ahead of defenders, and Microsoft’s Office 365 Threat Research Team describes three noteworthy phishing techniques they’ve observed in 2019. The first was the use of hijacked search results to redirect users to malicious sites. Attackers used a traffic generator to artificially push a baited website to the top of Google search results for specific keywords. When a user clicked on the harmless bait website, they would be redirected to a phishing site or a malware download. This allowed the attackers to send phishing emails with benign links in order to bypass email security filters.

The second technique involved using custom 404 pages as phishing sites. Phishing campaigns are much more efficient when attackers have an easy way to move their phishing page to a different URL, because security technologies are constantly flagging and taking down malicious URLs. By using a URL for a non-existent page on the phishing domain, attackers could use an unlimited number of URLs in their phishing campaigns. When a user clicked on one of these URLs, they would automatically be redirected to the domain’s 404 Not Found page. These pages can be customized just like a normal webpage, so the attackers made them appear to be sign-in pages in order to steal credentials.

A third phishing technique abused Microsoft’s secure rendering site to automatically generate a duplicate of the targeted company’s Microsoft login page. The researchers explain that this allowed the attackers to create targeted phishing sites for each recipient with minimal effort. “Phishers sent out emails with URLs pointing to an attacker-controlled server, which served as the man-in-the-middle component and simulated Microsoft sign-in pages,” the researchers write. “The server identified certain specific information based on the recipient’s email address, including the target company, and then gathered the information specific to that company. The result was the exact same experience as the legitimate sign-in page, which could significantly reduce suspicion. Using the same URL, the phishing site was rendered differently for different targeted users.”

Attackers will continue finding ways to increase the efficiency of their scams. Security technologies for the most part react to new attack techniques, and attackers know this. New-school security awareness training can enable your employees to anticipate and recognize unfamiliar attacks.
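As an added example (not code from the original post or from Microsoft’s research team), the link check below follows redirects hop by hop and flags the first two techniques described above: a benign-looking link whose chain ends on another domain’s credential form, and a credential form served on a 404 response. The fetcher, hostnames and canned pages are constructed assumptions so that it runs offline.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# A fetcher returns (status, headers, body) for one URL *without* following
# redirects, so the analyzer records every hop itself. In production this would
# wrap an HTTP client (and normalise header names); here it is injected so the
# example runs offline against constructed pages.
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Response]

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10
# Any <input> whose type is "password" marks the page as a credential form.
CREDENTIAL_FORM = re.compile(r'<input[^>]+type=["\']?password', re.IGNORECASE)


@dataclass
class LinkVerdict:
    chain: List[str]                 # every URL visited, emailed link first
    final_status: int                # HTTP status of the last response
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def site_host(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' stripped, for domain comparison."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze_link(url: str, fetch: Fetcher) -> LinkVerdict:
    """Follow redirects manually and flag the two URL tricks described above."""
    chain = [url]
    status, headers, body = fetch(url)
    hops = 0
    while status in REDIRECT_CODES and "location" in headers and hops < MAX_HOPS:
        url = urljoin(url, headers["location"])   # resolve relative Location values
        chain.append(url)
        status, headers, body = fetch(url)
        hops += 1

    verdict = LinkVerdict(chain=chain, final_status=status)
    has_login = bool(CREDENTIAL_FORM.search(body))
    # Technique 1: the emailed link looks benign, but the chain ends on a
    # different domain that asks for a password.
    if len(chain) > 1 and site_host(chain[0]) != site_host(chain[-1]) and has_login:
        verdict.findings.append("cross-domain redirect to a credential form")
    # Technique 2: the "page" is the site's custom 404 handler dressed up as a
    # sign-in page, so any made-up path on the domain serves the lure.
    if status == 404 and has_login:
        verdict.findings.append("credential form served on a 404 response")
    if hops >= MAX_HOPS:
        verdict.findings.append("redirect chain too long (possible loop)")
    return verdict


# Constructed offline "web" for demonstration; none of these hosts are real.
LOGIN_FORM = '<form method="post"><input name="u"><input type="password" name="p"></form>'
CANNED: Dict[str, Response] = {
    # bait page that bounces straight to the phishing domain (technique 1)
    "https://bait.example/news": (302, {"location": "https://phish.example/signin"}, ""),
    "https://phish.example/signin": (200, {}, "<html>" + LOGIN_FORM + "</html>"),
    # an ordinary retail page with no credential form
    "https://shop.example/sale": (200, {}, "<html><h1>Holiday sale</h1></html>"),
}


def canned_fetch(url: str) -> Response:
    """Serve canned responses; unknown paths on phish.example get a 404 sign-in lure."""
    if url in CANNED:
        return CANNED[url]
    if site_host(url) == "phish.example":
        return (404, {}, "<html><title>Sign in</title>" + LOGIN_FORM + "</html>")
    return (404, {}, "<html><h1>Not Found</h1></html>")


if __name__ == "__main__":
    for link in ("https://bait.example/news",
                 "https://phish.example/x/a1b2c3",
                 "https://shop.example/sale"):
        v = analyze_link(link, canned_fetch)
        print(link, "->", v.final_status, v.findings or "clean")
```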



Over Half of SMBs Experience Phishing and Social Engineering Attacks


The assertion that SMBs aren’t a cyber-target is officially dead. SMBs are victims of the very same attacks as enterprises in growing numbers, according to new research.

Most SMBs don’t have the same cybersecurity resources as larger organizations, so it’s critical for them to focus on protecting against the most prevalent types of attacks SMBs face.

According to the latest data from Ponemon in their 2019 Global State of Cybersecurity in Small and Medium Businesses report, SMBs are feeling the heat of cyberthreats:

  • 66% experienced a cyberattack in the last 12 months
  • 63% experienced a data breach in the last 12 months
  • 69% say cyberattacks are becoming more targeted
  • 60% say cyberattacks are becoming more sophisticated
  • 61% say cyberattacks experienced are becoming more severe in terms of negative consequences
  • 39% say more time is needed to respond to cyber incidents

So, what are the big attack vectors SMBs are experiencing? According to the research:

  • Social engineering / phishing (53%)
  • Web-based attacks (50%)
  • Malware (39%)
  • Compromised or stolen devices (37%)
  • Credential theft (29%)

The big issue here is the use of social engineering. Whether as part of a phishing or a web-based attack, social engineering tactics help to draw the victim in, create a sense of urgency, and do enough to cause the victim to act in the desired way. Users who have not received Security Awareness Training are not vigilant about indications that an email may be malicious in nature. And in SMBs especially, the lack of a security culture and of proper security tools is cause enough to focus on the aspects of security that will have a material impact on keeping the organization secure.



They Know If You've Been Bad or Good...


Like most of the rest of us, malicious actors the world over love the holidays. It's a prime season to run social engineering schemes on users who are already of a mind to open their wallets for charities as well as online retailers.

Between Black Friday, Cyber Monday, and the deluge of holiday greetings, general good cheer, and Christmas shopping, there are plenty of opportunities for the bad guys to use cleverly crafted malicious emails to separate fools from their money -- and persuade your employees to open the door to your organization's network, with all the riches contained therein.

This year, though, the bad guys are bringing something new. This holiday season they've got their own Naughty-and-Nice list.

Don't worry -- they won't be spoofing Santa (even if every holiday season seems to bring a raft of stories about dodgy department store Santas behaving badly). No, they'll be spoofing the next best thing: your organization's HR and payroll departments.

Over the past year, bad guys have been ramping up their efforts to credibly spoof HR departments, leveraging the inherent authority of HR to motivate users to engage with malicious emails pushing malicious links, malware-laden attachments, and fraudulent demands for money and information. This isn't an accident.

As we noted a year ago in a piece on the noticeable increase in HR-themed phishing emails, HR is an attractive target for malicious actors looking to bamboozle cubicle-dwelling employees because of the inherent trust and authority enjoyed by HR in most organizations.

"Trust is a funny thing... While trust often develops organically over a period of time, trust can also be generated or backstopped with some element of compulsion and authority. When you don’t have much of a choice, trust can seem the easier path to take. And the best example of this dynamic is the relationship that employees enjoy with their organizations’ HR departments. Whether your company’s HR department is beloved, feared, or loathed, it is a center of power in most organizations that few employees can afford to ignore."

And, so, this holiday season many of your users will learn that Santa's local reps in your HR department are bringing them either a most welcome gift -- in the form of a generous annual bonus -- or a lump of coal -- in the form of a pink slip. And you better believe your users will be sitting up in their chairs, eager to learn whether Santa (HR) thinks they've been naughty or nice this past year.

As the holiday season ramps up, some users are already learning which of Santa's lists they're on. Let's take a look, courtesy of customers who have been reporting these phishing emails to us via the Phish Alert Button (PAB).



Researchers Discover Malicious Email Campaign Using Greta Thunberg's Name to Spread Emotet Malware

In a nutshell: Cybersecurity researchers at Proofpoint have discovered an active email campaign designed to spread Emotet, a banking trojan that targets Windows PCs to steal financial information. The malicious campaign is using the name of Greta Thunberg and a fake invitation from her to join a climate change protest this Christmas Eve.

Swedish climate activist Greta Thunberg was recently named Time Magazine's Person of the Year for 2019 for her efforts in raising global environmental awareness. Combine her mission and popularity with the spirit of the Christmas holidays, and hackers have the potential ingredients needed to craft a malicious email campaign for targeting unsuspecting users with malware.

According to Proofpoint security researchers, the global campaign is mainly aimed at students with .edu email addresses across the US, Europe, and Asian territories, where several versions of the malicious email were identified in multiple languages.

"We saw more .edu domains attacked than domains associated with any specific country—this makes sense given the strong support Thunberg has among students and young people," noted Proofpoint.

The campaign has been designed to infect computers with Emotet malware at a time when many students are at home using family computers, making them a potential target for the trojan, which comes disguised as an MS Word file attachment titled "Support Greta Thunberg.doc", with an email subject along the same lines.

"This campaign serves as a reminder that attackers won’t hesitate to target people’s best intentions during this holiday season," says Proofpoint, adding that lures used by attackers in such campaigns are "a reliable barometer of public interest and awareness."


