Tag Archive for Phishing

GoDaddy WordPress Sites Hacked?

GoDaddy (GDDY), the world’s largest domain name registrar, has disclosed that it was hacked. According to reports on Monday (11/22/2021), an unknown attacker gained unauthorized access to the system used to provision the company’s Managed WordPress sites. This breach affects up to 1.2 million GoDaddy WordPress customers, a figure that does not include the customers of the affected websites themselves.

The company posted, “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.”

GoDaddy resellers also compromised

On Tuesday (11/23/2021) GoDaddy confirmed that a number of their resellers were also compromised in the attack. If you purchased your WordPress domains from

Assume your WordPress site has been compromised.

According to the SEC report filed by the Scottsdale, AZ-based firm, the attacker initially gained access via a compromised password on September 6, 2021. The attacker was discovered on November 17, 2021, at which point the attacker’s access was revoked. The attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm otherwise.

What happened at GoDaddy?

Several sites are reporting that GoDaddy stored sFTP (Secure FTP) credentials in a way that allowed the plaintext passwords to be retrieved, rather than storing salted hashes of the passwords or offering public key authentication, which are industry best practices. This decision gave the attacker direct access to the credentials without any need to crack them. According to the SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”

What did the attacker have access to?

The SEC filing indicates that the attacker had access to:

  • User email addresses,
  • Customer numbers,
  • Original WordPress Admin password that was set at the time of provisioning,
  • SSL private key, and
  • sFTP and database usernames and passwords.

What could an attacker do with this info?

The attackers had unrestricted access to these systems for over two months. During that time they could have:

  • Taken over the sites by uploading malware or adding a malicious administrative user, allowing them to maintain persistence and retain control of the sites even after the passwords were changed.
  • Accessed sensitive information, including website customer PII (personally identifiable information) stored in the databases of the impacted sites.
  • In some cases, set up a man-in-the-middle (MITM) attack that intercepts encrypted traffic between a site visitor and an affected site.
  • Increased the phishing risk to site owners through the exposed email addresses and customer numbers.

How to resecure your GoDaddy-hosted WordPress site

GoDaddy should be notifying impacted customers. In the meantime, experts recommend that all Managed WordPress users assume that they have been breached and perform the following actions:

  1. If you’re running an e-commerce site, or store PII (personally identifiable information), and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach.
  2. Change all of your WordPress passwords.
  3. Force a password reset for your WordPress users or customers.
  4. Change any reused passwords and advise your users or customers to do so as well.
  5. Enable 2-factor authentication wherever possible.
  6. Check your site for unauthorized administrator accounts.
  7. Scan your site for malware using a security scanner.
  8. Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins, or plugins that do not appear in the plugins menu.
  9. Be on the lookout for suspicious emails.
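Steps 6 and 8 of the checklist above can be automated. The script below is an added example, not GoDaddy’s or WordPress’s code: it flags administrator accounts registered on or after the September 6, 2021 exposure start and lists plugin directories that are not on an owner-maintained allowlist, plus every must-use plugin (mu-plugins load automatically and are not shown alongside normal plugins in the plugins menu). The wp-content tree and the user export are constructed inside the script; on a real host the user list would come from WP-CLI (`wp user list --role=administrator --format=json`) or the wp_users/wp_usermeta tables, and the allowlist is an assumption about what the site owner installed.

```python
"""Post-compromise audit helpers for a WordPress install (added example)."""
import json
import os
import tempfile
from datetime import datetime, timezone

# Assumption: the site owner keeps an allowlist of plugin slugs they installed.
EXPECTED_PLUGINS = {"akismet", "woocommerce"}

# Start of the exposure window from the GoDaddy filing: 2021-09-06.
EXPOSURE_START = datetime(2021, 9, 6, tzinfo=timezone.utc)


def find_unexpected_plugins(wp_content, expected=EXPECTED_PLUGINS):
    """Return entries under plugins/ and mu-plugins/ that need a second look.

    - any plugin directory or single-file plugin not on the allowlist
    - every must-use plugin, since mu-plugins are loaded without activation
    The stock index.php placeholder is ignored in both directories.
    """
    findings = []
    plugins_dir = os.path.join(wp_content, "plugins")
    if os.path.isdir(plugins_dir):
        for entry in sorted(os.listdir(plugins_dir)):
            slug = entry[:-4] if entry.endswith(".php") else entry
            if entry != "index.php" and slug not in expected:
                findings.append(f"plugins/{entry}")
    mu_dir = os.path.join(wp_content, "mu-plugins")
    if os.path.isdir(mu_dir):
        for entry in sorted(os.listdir(mu_dir)):
            if entry != "index.php":
                findings.append(f"mu-plugins/{entry}")
    return findings


def find_suspicious_admins(users_json, since=EXPOSURE_START):
    """Return logins of administrators registered on or after `since`.

    `users_json` is JSON text with user_login, user_registered
    ("YYYY-MM-DD HH:MM:SS", UTC) and a comma-separated roles field.
    """
    suspicious = []
    for user in json.loads(users_json):
        if "administrator" not in user["roles"].split(","):
            continue
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if registered >= since:
            suspicious.append(user["user_login"])
    return suspicious


def build_sample_wp_content():
    """Create a constructed wp-content tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    for rel in ("plugins/akismet", "plugins/woocommerce", "plugins/site-helper-tmp"):
        os.makedirs(os.path.join(root, rel))
    os.makedirs(os.path.join(root, "mu-plugins"))
    with open(os.path.join(root, "mu-plugins", "loader.php"), "w") as fh:
        fh.write("<?php // constructed placeholder, not a real plugin\n")
    with open(os.path.join(root, "plugins", "index.php"), "w") as fh:
        fh.write("<?php // Silence is golden.\n")
    return root


# Constructed user export in the shape a WP-CLI JSON listing would have.
SAMPLE_USERS = json.dumps([
    {"user_login": "owner", "user_registered": "2019-03-01 10:00:00",
     "roles": "administrator"},
    {"user_login": "editor1", "user_registered": "2021-10-01 12:00:00",
     "roles": "editor"},
    {"user_login": "wp_support", "user_registered": "2021-09-20 03:14:00",
     "roles": "administrator"},
])


def run_audit(wp_content=None, users_json=SAMPLE_USERS):
    """Run both checks; returns a dict so callers can act on each finding."""
    wp_content = wp_content or build_sample_wp_content()
    return {
        "unexpected_plugins": find_unexpected_plugins(wp_content),
        "suspicious_admins": find_suspicious_admins(users_json),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

A plugin directory that is absent from the plugins menu but present on disk, or an admin whose registration date falls inside the exposure window, is a finding to investigate, not proof of compromise; compare against change tickets and remove anything nobody can account for.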

rb-

These GoDaddy data breaches are likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, and this affects not only site owners, but their customers. The SEC filing says that “Up to 1.2 million active and inactive Managed WordPress customers” were affected. Customers of those sites are most likely also affected, which makes the number of affected people much larger.


Stay safe out there!


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Feds Nab Printer Toner Firms for Fraud

Followers of the Bach Seat know that printer ink is one of the most expensive materials on earth. Well, the U.S. Department of Justice just prosecuted one of the worst examples of the sky-high price of printer toner. The DOJ announced that Gilbert N. Michaels of West Los Angeles was sentenced to 48 months in federal prison. He was convicted of orchestrating a decades-long, multimillion-dollar telemarketing scheme that defrauded more than 50,000 victims by selling printer toner cartridges.

According to the DOJ, his firms, IDC Servco and Mytel International, with the assistance of boiler room call center operators, fraudulently sold more than $126 million worth of printer toner cartridges throughout the United States over a six-year span. Michaels’ companies handled the billing and shipping of the toner. He charged the boiler rooms at or above retail prices for the toner they were selling to victims. Michaels provided price catalogs for the boiler rooms to use in making sales. The catalogs listed the price of the toner at up to five to 10 times the retail price. Many of the victims were already receiving toner at no additional charge under their existing contracts for copiers and printers.

Fake printer toner price increases

To pull off the scam, the telemarketers would pretend to be representatives of toner-supply companies many of the businesses already had contracts with. The telemarketers would then tell the victims that the price of printer toner had increased. The fake sales reps told the victims they could buy the toners at the previous, lower price, prosecutors said.

Believing they were dealing with their regular suppliers, the victims would sign order confirmation forms. IDC would then ship toner to the victims along with highly inflated invoices. When the victim businesses realized they had been scammed, they called IDC to complain. The victims were typically told that IDC could not cancel the order or refund money because the victims had signed order confirmation forms. IDC also failed to disclose its relationships with the telemarketing companies that brokered the fraudulent deals.

IDC would threaten victims with legal action or turn them over to collection agencies, prosecutors said. If IDC did agree to take the toner back, it would demand significant “restocking fees,” prosecutors said.

Not the first fraud conviction

Michaels’s operation dates back to the 1970s. This is not his first run-in with the DOJ. Michaels and his companies came under scrutiny in 1988. At that time, the companies were reprimanded for making false statements and were forced to use an independent sales company to sell printer toner.

As part of the sentencing, Michaels was ordered to pay a $200,000 fine. His net worth is said to be $6.7 million. Ciaran McEvoy, the spokesperson for the US Attorney’s Office in Los Angeles, said, “Mr. Michaels led a conspiracy whose deceptive practices were particularly damaging to the small business community.”

Other defendants

Six other defendants were also found guilty along with Michaels:

  • James R. Milheiser of CA, who owned and/or controlled Material Distribution Center, PDM Marketing, Bird Coop Industries, Inc., and Copier Products Center. He was convicted of conspiracy and mail fraud.
  • Francis S. Scimeca of CA, who owned Supply Central Distribution, Inc. and Priority Office Supply. He was convicted of conspiracy and mail fraud.
  • Leah D. Johnson of CO, who owned Capital Supply Center and LJT Distribution, Inc.
  • Jonathan M. Brightman of CA, owner of Copy Com Distribution, Inc.; Independent Cartridge Supplier; and Corporate Products.
  • Sharon Scandaliato Virag, who owned XL Supply, Inc.
  • Tammi L. Williams, office manager at Elite Office Supply, who also worked at Specialty Business Center, Rancho Office Supply, and Select Imaging Supplies.

Stay safe out there!


10 Ways To Catch A COVID Phish


Cybercriminals like to take advantage of fear. They are taking advantage of the ignorance-fueled COVID-19 Delta variant surge. Attackers are increasingly using business-looking COVID phish emails to do their dastardly deeds.

More than half of employers are forcing a return to the office. Employers are requiring the submission of paperwork such as COVID test results and proof of vaccination to keep your job. Hackers know that communication from employers about COVID can spark an emotional reaction and compel people to click. Researchers at Proofpoint found that business-looking COVID phish attempts have increased by 33%.

Cybercriminals are taking advantage of these requirements. The demands for COVID paperwork give attackers more ways to disguise their phishing attempts. Sherrod DeGrippo, Vice-President of Threat Research and Detection at Proofpoint, told The Washington Post, “That almost makes it easier for the bad actors because people are getting used to: ‘Upload your negative test here, go download this COVID form, fill it out.’”

Fake O365 COVID phish attempts


Proofpoint has detected fake Microsoft Office 365 phishing emails from cybercriminals posing as human resources departments. The attackers ask recipients to submit proof of vaccination; the real goal is to steal your Microsoft 365 sign-in credentials. If you receive such an email, take the time to verify that it came directly from the organization you work for. A vaccination card contains useful information such as birthdates and full names, which hackers could target.

Proofpoint’s research has found that emails telling employees they’ve lost their jobs due to COVID-19 are also on the rise. What better way to provoke a reaction than to tell someone they’ve been fired? Mr. DeGrippo explains, “It quite literally is clickbait. They need you to click on them, so in order to get the person to take the action, you’ve got to escalate their emotional state to one that has them emotional, instead of intellectual — thinking with the smart part of the brain.”

What if you suspect a phishing email

  1. Breathe – If an email seems to make you particularly angry, worried, or curious, it’s best to pause for a moment before you click.
  2. Altered domain names are a giveaway. Did “humanresources@widgit.com” suddenly become “HR@widgit.com”? Verify these requests through a second channel — get someone from HR on the phone before opening it.
  3. Be skeptical of emails from familiar people (like the CEO) who do not usually communicate directly with you. Don’t click on links or open attachments from those senders. Always get someone on the phone before opening it.
  4. Hover over the link to expose the associated web addresses in the “to” and “from” fields. Your company’s email is probably not gmail.com.
  5. Note grammatical errors in the text of the email; they’re usually a sure sign of fraud.
  6. Use different passwords for your work and personal email. That way, if one gets compromised, hackers can’t break into the other and use it to compromise more accounts. A good password manager tool should help.
  7. Don’t forward suspicious emails to co-workers.
  8. Report suspicious emails to the IT security department.
  9. Install and keep up-to-date anti-malware software on all your devices to scan web sessions and emails.
  10. Never donate to charities via links included in an email; instead, go directly to the charity website to donate.
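Items 2 and 4 in the list above (check the sender’s domain, and check where a link really points rather than what its text says) are the two checks a mail filter or help desk script can do mechanically. The script below is an added example, not Proofpoint’s or any vendor’s code. It parses the `<a>` tags of a message body, compares the domain shown in the link text with the domain in the `href`, flags links that leave the organisation’s domain for a human to review, and uses a small edit-distance check to call out sender domains that are near misses of the real one. The message, the sender address and the domains `widgit-hr.com` and `o365-verify.example` are constructed for the example (`widgit.com` is the domain the post itself uses); the naive “last two labels” domain rule is an assumption that ignores multi-part public suffixes such as co.uk.

```python
"""Link and sender checks for a suspicious e-mail (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the visible link text claims widgit.com,
# the real href does not, and the sender domain is a near miss.
SAMPLE_FROM = "HR <hr@widgit-hr.com>"
SAMPLE_HTML = """
<p>Please upload your vaccination record before Friday.</p>
<p><a href="https://portal.widgit-hr.com/upload">https://portal.widgit.com/upload</a></p>
<p><a href="https://widgit.com/policy">Read the policy</a></p>
<p><a href="http://login.o365-verify.example/auth">Sign in to Office 365</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive eTLD+1: the last two labels of a hostname (assumption, no suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; small values mean a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, org_domain):
    """Return a finding if the From address is not on org_domain, else None."""
    addr = from_header[from_header.rfind("<") + 1:].rstrip(">").strip()
    dom = registered_domain(addr.rsplit("@", 1)[-1])
    if dom == org_domain.lower():
        return None
    if edit_distance(dom, org_domain.lower()) <= 3:
        return f"sender domain {dom} looks like {org_domain} but is not it"
    return f"sender domain {dom} is not {org_domain}"


def check_links(html_body, org_domain):
    """Flag links whose text and target disagree, and links that leave the org."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        if text.startswith(("http://", "https://")):
            claimed = registered_domain(urlparse(text).hostname or "")
            if claimed != target:
                findings.append(f"link text shows {claimed} but points to {target}")
                continue
        if target != org_domain.lower():
            findings.append(f"link '{text}' leaves the organisation: {target}")
    return findings


def triage(from_header=SAMPLE_FROM, html_body=SAMPLE_HTML, org_domain="widgit.com"):
    """Sender finding first (if any), then one finding per questionable link."""
    findings = check_links(html_body, org_domain)
    sender = check_sender(from_header, org_domain)
    if sender:
        findings.insert(0, sender)
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

The text-versus-href comparison is the automated form of hovering over a link: a mismatch between what the link says and where it goes is the clearest single signal on the list. External links are only flagged for review, since legitimate mail links out of the organisation all the time.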

Stay safe out there!


Seven Social Engineering Classics

Social engineering describes a range of non-technical attack techniques cybercriminals use to manipulate users. The attackers hope the user will bypass security or other business process protocols and perform harmful actions, or give up sensitive information. Make sure you don’t fall prey to these social engineering classics.

Business Email Compromise

Don’t get fooled by official-looking emails. Even though an email appears to be work-related, with a subject line such as “Invoice Attached” or “Here’s the file you needed,” it might be a social engineering classic. To be sure, hover your cursor over email addresses and links before clicking to see if the sender and type of file are legit. BEC is the most costly form of cybercrime. It stems from faked emails called “Business Email Compromise” or BEC scams. A typical BEC scam involves phony e-mails in which the attacker spoofs a message from an executive at a company and tricks someone into wiring funds to the fraudsters.

Vishing

Corporate phone systems are often set up to forward voice mail audio files to employees’ inboxes. While this is convenient, forwarding the files can be risky: it makes it harder to determine whether such an email is phony or legit. Scammers have been installing malicious software through emails designed to look like internal voicemail messages since 2014, making vishing a social engineering classic.

With vishing, cyber-criminals use an urgent or alarming voicemail message to try to get potential victims to call back with their personal information. Fake caller-ID information is often used to make the calls appear to be from a legitimate organization or business.

Free stuff a social engineering classic

Free stuff is one of the oldest social engineering classics. Most people can’t resist free stuff, from pizza to software downloads, and will click just about any link to get it. Of course, nothing is truly ever free. Sophisticated attackers might send a link to genuine free software, but they route you through their own website, which means you may be getting infected or compromised.

Baiting

Baiting is a variant of “Free Stuff.” The attacker hopes to trick victims into executing code, usually by piquing their curiosity or otherwise convincing them to run hardware or software carrying hidden malware. For example, innocent-looking USB sticks handed out at a conference or casually “dropped” in the parking lot could contain malware that detonates when a curious user plugs the stick into a PC. This is how Stuxnet attacked the Iranian nuclear program.

Quid pro quo social engineering classic

Quid pro quo is another version of “Free Stuff.” In Latin, quid pro quo means “something for something.” The attacker offers something of genuine worth to the victim and, in exchange, works their way into the target’s network. An example: the attacker poses as tech support and solves a problem for you—but then convinces you to type in a line of code that serves as a “backdoor.” On the other hand, it may be as simple as trading a candy bar for a password!

Waterholing

This type of attack plants malware on a website you and your colleagues frequently visit. The next time you surf the site, the malware—such as a remote-access Trojan, or RAT—is downloaded to your computer. And just like that, the attacker can begin exfiltrating data from your employer’s network.

Pretexting

Pretexting is another form of social engineering in which attackers focus on creating a fabricated scenario that they can use to try to steal the victim’s information. It is a true con game. It relies on the crook fostering a sense of trust in the victim.

Pretexting can also be used to impersonate co-workers, police, banks, or tax authorities. The attacker pretends to be any individual who could have perceived authority or a right to know in the mind of the targeted victim. In some cases, all that is needed to create a pretext scenario is a voice that sounds authoritative, an earnest tone, and an ability to think on one’s feet.

Stay safe out there!


Why Don’t Users Protect Themselves

A new report (PDF) from recently swallowed and swallowed again Webroot says that American technology users overestimate their levels of cyber hygiene. Cyber hygiene is a cybersecurity risk mitigation technique introduced by Vinton Cerf in 2000 in which you train yourself to think proactively about your cybersecurity. The goal is to resist cyber threats and online security issues, protect and maintain IT systems and devices, and implement cybersecurity best practices, just as you do with your daily personal hygiene.

The report says U.S. users do not know how to protect themselves from cyber threats. Americans are overconfident in the protection they believe they have. The endpoint security and threat intelligence provider found that 88% of interviewed Americans believe they are taking the appropriate steps to protect themselves from cyber-attacks.

Their confidence is misplaced. Americans have only a surface-level understanding of the most common types of cyber threats, according to Webroot. We can recognize some of the names of the most common cyber-attacks, such as malware (79%) or phishing (70%), but for most, that’s where the knowledge ends. Very few (less than 1 in 3) actually know what these common cyber-attacks are or what they do.

While Americans claim to have heard of some of the most common cyber-attack terms when prompted, very few actually understand what those cyber-attacks are. When asked about critical cyber-hygiene issues like malware, backups, passwords, and identity theft, surveyed Americans reported:

Malware – 79% have heard of malware, but only 28% can confidently explain what it is. 82% are using some sort of AV software on their personal devices. 62% of those who use AV software use a free product. Only 20% update their AV software each time they are prompted.

Backups – These are another weakness. 78% of respondents report backing up their data. However, 57% are still leaving themselves susceptible to risk by only backing up using one method, rather than backing up both online (cloud) and offline.

  • 34% automatically back up to the cloud
  • 27% back up to an external hard drive
  • 24% back up to a USB stick
  • 22% back up locally on My Computer
  • 17% back up manually to the cloud
  • 22% rarely or never back up their data.

Among those who are backing up their information by uploading it to the cloud, only 43% are taking the extra step in ensuring that it’s stored in an encrypted format.

Passwords – Followers of the Bach Seat know that passwords suck, and the Webroot report confirms it. 33% of Americans admit to sharing their passwords with others. To make matters worse, 63% are reusing passwords across multiple accounts. The research found that Americans have on average 9 passwords for 17 accounts.

Mobile – While on the go, 67% of Americans use public Wi-Fi, but only 35% take the extra step to protect themselves by using a VPN. Additionally, 34% use a work device as their primary personal device at home.

Identity theft – 74% of Americans believe their identity has never been stolen.

According to the Webroot whitepaper, the 5 most cyber risky U.S. states are:

  1. Mississippi
  2. Louisiana
  3. California
  4. Alaska
  5. Connecticut

The 5 least risky U.S. states are:

  1. New Hampshire
  2. North Dakota
  3. Ohio
  4. Idaho
  5. Kentucky

rb-

According to the research conducted by Wakefield for Webroot, Michigan ranked 31st among the 50 states. Overall, the average home user scored 60% for cyber-hygiene. The researchers also found that those they classified as “Superstars” tended to be:

  • A Boomer
  • Married or in a relationship
  • Suburbanite
  • Not a parent.
