Tag Archive for Phishing

Superman Most Dangerous on Web

Superheroes are supposed to be our friends, but sometimes a plot twist lets their arch-enemies trick our heroes into turning against us. This is also true on the intertubes. Attackers are using our superheroes to scam people into visiting compromised sites and downloading dangerous software that infects their computers, according to Santa Clara, California-based McAfee.

The security company scoured the web and identified the most dangerous superheroes online. The report, “Most Toxic Superhero 2014” estimates how likely the average user is to come across malware by searching for the name of any given superhero.

McAfee lined up 11 likely suspects. They gathered viable threat evidence from popular search engines like Google (GOOG), Yahoo (YHOO), and Microsoft (MSFT) Bing for spyware, adware, spam, phishing, viruses, and other malware. The company also searched each superhero’s name in conjunction with common phrases like “free torrent download” and “free app,” as seeding fake torrents is a common way for attackers to infect computers.

The most dangerous superheroes online by percent of his search traffic leading to unsafe sites are:

  1. Superman 16.5%
  2. Thor 16.35%
  3. Wonder Woman 15.7% (tied)
  4. Aquaman 15.7% (tied)
  5. X-Man Wolverine 15.1%
  6. Batman 14.2%
  7. Black Widow 13.85%
  8. Captain America 13.5%
  9. Green Lantern 11.25%
  10. Ghost Rider 10.83%

McAfee tells citizen do-gooders to protect themselves by:

  • Beware of clicking on third-party links. You should access content directly from the official websites of content providers.
  • Ensure you use web protection that will let you know of risky sites or links before you visit them. Stick to official news sites for breaking news.
  • Don’t download videos from suspect sites. This should be common sense, but it bears repeating: don’t download anything from a website you don’t trust — especially video. Most news clips you’d want to see can easily be found on official video sites and don’t require you to download anything.
  • “Free downloads” are by far the highest virus-prone search term. Anyone searching for videos or files to download should be careful not to unleash unsafe content such as malware onto their computers.
  • Always use password protection on your phone and other mobile devices. If you don’t and your phone is lost or stolen, anyone who picks up the device could have access to your personal information online.
  • Don’t “log in” or provide other information: If anything asks for your information—credit card, email, home address, Facebook login, or other information—to grant access to an exclusive story, don’t give it out. Such requests are a common tactic for phishing that could lead to identity theft.
  • Search online using an Internet security program in the background. These tools protect users from malicious websites and browser exploits. A complimentary version of McAfee’s SiteAdvisor software can be downloaded at www.siteadvisor.com

rb-

Whether you live in Metropolis or Gotham, do-gooders need not work very hard to avoid these scams. Avoid dark alleys where superhero websites tend to have the same flaws as any other unsafe page. Keep an eye out for typos and files that look suspicious. Run an Internet security program in the background (your antivirus or anti-malware program probably has one built-in). Lastly, check what other commenters say before downloading a torrent.

Related articles
  • Mobile malware: Past and current trends, prevention strategies (cloudentr.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Social Engineering Terms

Social engineering means manipulating a person to get access without authorization. Practically speaking, it’s a blanket term for non-technical hacking. FierceITSecurity gives the classic example: a hacker calls a target and pretends to be “from the IT department,” getting the target to divulge a password or other sensitive corporate information.

Derek C. Slater at FierceITSecurity discusses a short list of social engineering terms with Chris Hadnagy, author of the book “Unmasking the Social Engineer: The Human Element of Security.” The author explained that some of the terms below aren’t social engineering per se, but they are related to the same goal: gaining unauthorized access to information, systems, and facilities through deception and other non-technical means.

In his Social Engineering course, Mr. Hadnagy tells participants that one goal is that every target “will be glad to see them” because the social engineering methods covered seem friendly, not antagonistic. “It’s amazing how much information people will give you if you’re just nice to them,” he says. “Con men don’t look malicious–they’re the guys with the biggest smiles.”

Social Engineering terms

Confidence trick: The ‘con’ in “con man” refers to gaining the confidence of the target before attempting to exploit him. Examples: the movie The Grifters with John Cusack, and every Ponzi scheme from Charles Ponzi himself on through to Bernie Madoff and whoever’s doing it now. And somebody’s doing it now, warns the article.

Amygdala hijacking: Your amygdala is the part of your brain that manages decision-making and emotional responses. “Amygdala hijacking” in the social engineering context means putting the target emotionally off-balance by causing stress, or contacting the person during an unusually stressful time, according to Hadnagy. That means the target is less rational and more vulnerable to exploitation.

Example: Friday at 4:30 pm, or the day before holiday vacation starts, many employees–not you or me, obviously–are anxious to get out of the office. That’s a perfect time for a pretexting call (see below) or a hacker-simulated crisis, putting the target further off-balance and making them more likely to do whatever is expedient–giving information over the phone or via email to make the “crisis” go away.

Elicitation: means getting information without asking for it directly.

Influencing: Mr. Hadnagy says influencing means provoking a desired response from the target “while getting them to think it’s their idea.”

Manipulation: involves getting the target to perform the desired action, regardless of whose idea they think it is. Unlike influence, manipulation could involve a direct or implied threat, for example.

Pretexting: By Mr. Hadnagy’s definition, pretexting is the equivalent of method acting. The social engineer doesn’t just say “I’m Bob”–he becomes Bob.

Example: Contracted to test one company’s defenses, Hadnagy gained access to various facilities by posing as Paul the Pest Inspector. “I had the uniform with the name patch, I had Paul’s business cards, and for a day before the event, my team was calling me ‘Paul’,” he says.

Phishing: is the use of email as a conduit for social engineering attacks.

Example: Know those emails that start “I’m Prince Phillip and I need help transferring my royal fortune to an American bank”–the venerable so-called 419 or Nigerian scam? People still fall for those. It’s a phishing attack and an example of a confidence scam.

Spear-phishing: Spear-phishing is a more targeted form of phishing. Instead of blasting that “I’m a Prince” email to everyone with an email address, a spear-phishing attack is personalized to reach a small group or individual.

Example: A hacker identifies a target, Fred, and finds personal details, professional connections, and current project information via Fred’s LinkedIn profile. He then sends the target an email that is correctly addressed to Fred, appears to come from a real colleague, and references specific project details. Fred is much more likely to click on malicious links or open attachments in this email than he is likely to respond to Prince Phillip spam.

These next four terms don’t involve deception. However, they’re all important non-technical information attacks and can work in concert with social engineering efforts.

Harvesting – is using publicly available sources–particularly on social media, these days–to gather information about a target for later use in social engineering.

Dumpster diving – means what it sounds like: rooting through the trash to find discarded papers or items with valuable information. This is less glamorous than social engineering, but it’s also a useful form of harvesting and doesn’t need human interaction. (rb- I have covered the dangers of dumpster diving on Bach Seat since 2010.)

Shoulder surfing – means reading sensitive information on-screen and over the shoulder of a legitimate user.

Tailgating – is the ancient practice of going through a physical access point on the heels of someone who has an access card, key, or entry code. Catching the door before it shuts behind them, as it were.

rb-

Whether it is your home or corporate email account, social engineering is dangerous. Being educated about the risks of social engineering is critical. The next time someone reaches out via email or the phone, take a second and ask a few questions before you give away your digital identity, unless, of course, they also have a candy bar.


McAfee’s 12 Scams of Christmas

Before logging on from a PC, Mac, or mobile device for the last-minute holiday online shopping madness, consumers should look out for these 12 Scams of Christmas identified by anti-malware firm McAfee:

1. Mobile Malware—A National Retail Federation (NRF) survey found that 52.6% of U.S. consumers who own a smartphone will use it for holiday shopping. Malware targeting mobile devices is rising, and Google’s (GOOG) Android smartphones are most at risk. McAfee cites a 76% increase in Android malware in the second quarter of 2011, making it the most targeted smartphone platform.

New malware has recently been found that targets QR codes, a digital bar code that consumers might scan with their smartphone to find good deals or to learn about products they want to buy.

2. Malicious Mobile Applications—These are mobile apps designed to steal information from smartphones or send expensive text messages without a user’s consent. Dangerous apps are usually offered for free and masquerade as fun applications, such as games. Last year, 4.6 million Android smartphone users downloaded a wallpaper app that collected and transmitted user data to a site in China.

3. Phony Facebook Promotions and Contests—Who doesn’t want free stuff? Unfortunately, cyber scammers know that “free” things are attractive lures, and they have sprinkled Facebook with phony promotions and contests to gather personal information. A recent scam advertised two free airline tickets but required participants to complete multiple surveys requesting personal information.

4. Scareware, or Fake Antivirus software—Scareware is fake antivirus software that tricks people into believing that their computer is at risk or already infected, so they agree to download and pay for phony software. This is one of the most common and dangerous Internet threats today, claiming one million victims each day. In 2010, McAfee reported that scareware represented 23% of all dangerous Internet links, and it has been resurgent recently.

5. Holiday Screen savers—Bringing holiday cheer to your home or work PC sounds like a fun idea to get into the holiday spirit, but be careful. A recent search for a Santa screen saver that promises to let you “fly with Santa in 3D” was malicious. Holiday-themed ringtones and e-cards have also been known to be malicious.

6. Mac Malware – Until recently, Mac users felt insulated from online security threats since most were targeted at PCs. However, with the growing popularity of Apple (AAPL) products, cybercriminals have designed a new wave of malware directed squarely at Mac users. According to McAfee Labs, as of late 2010, there were 5,000 pieces of malware targeting Macs, and this number is increasing by 10 percent each month.

7. Holiday Phishing Scams—Phishing is tricking consumers into revealing information or performing actions they wouldn’t normally do online using phony emails or social media posts. Cyber scammers know that most people are busy around the holidays, so they tailor their emails and social messages with holiday themes to trick recipients into revealing personal information.

  • One example is a fake notice from UPS (UPS) saying you have a package and need to complete an attached form. The form asks for personal or financial details to complete the delivery, and it sends that information straight into the hands of cyber scammers.
  • Banking phishing scams continue to be popular, and the holiday season means consumers will spend more money and check bank balances more often. From July to September of this year, McAfee Labs identified about 2,700 phishing URLs per day.
  • Smishing – SMS phishing remains a concern. Scammers send fake messages via text alert to a phone, notifying an unsuspecting consumer that his bank account has been compromised. The cybercriminals then direct the consumer to call a phone number to get it reactivated and collect the user’s personal information, including his Social Security number, address, and account details.

8. Online Coupon Scams—An estimated 63 percent of shoppers search for coupons when they buy something online. October 2011 NRF data shows that 17.3 percent of smartphone users and 21.5 percent of tablet consumers use mobile devices to redeem those coupons. But watch out, because scammers know that offering an irresistible online coupon can get people to hand over some of their personal information.

9. Mystery Shopper Scams—Mystery shoppers are hired to shop in a store and report back on the customer service. Scammers use this fun job to lure people into revealing personal and financial information. There have been reports of scammers sending text messages to victims, offering to pay them $50 an hour to be mystery shoppers and instructing them to call a number if they are interested. Once the victim calls, they are asked for personal information, including credit card and bank account numbers.

10. Hotel “Wrong Transaction” Malware Emails – Many people travel over the holidays, so it is no surprise that scammers have designed travel-related scams to get users to click on dangerous emails. In one example, a scammer sent out emails that appeared to be from a hotel, claiming that a “wrong transaction” had been discovered on the recipient’s credit card. It then asked them to fill out an attached refund form. Once opened, the attachment downloads malware onto their machine.

11. “It” Gift Scams—Hot holiday gifts sell out early in the season every year. Not only do sellers mark up the price of the must-have toy, but scammers also start advertising them on rogue websites and social networks, even if they don’t have them. So, consumers could wind up paying for an item and giving away credit card details only to receive nothing in return. Once the scammers have the personal financial information, there is little recourse.

12. “I’m away from home” Scammers – Posting information about a vacation on social networking sites could be dangerous. If someone is connected with people they don’t know on Facebook or other social networking sites, they could see their post and decide it may be a good time to rob them. Furthermore, a quick online search can quickly turn up their home address.

How to Protect Yourself

  • Only download mobile apps from official app stores, such as iTunes and the Android Market, and read user reviews before downloading them.
  • Be extra vigilant when reviewing and responding to emails.
  • Watch out for too-good-to-be-true offers on social networks. Never agree to share your personal information to take part in a promotion.
  • Don’t accept requests on social networks from anyone you don’t know in real life. Wait to post pictures and comments about your vacation until you’ve already returned home.

Related articles

  • Mobile Threats Top Holiday Scam List (pcworld.com)


Blackhole Malware

Dark Reading reports that attackers are increasingly using the Blackhole exploit kit in phishing campaigns. The latest phishing scam poses as an email notification from an HP (HPQ) OfficeJet printer; it has been sent at a rate of around 36,000 messages per minute, nearly 8 million emails thus far, and uses 2,000 domains to serve up the malware.

Researchers at AppRiver told Dark Reading the trend demonstrates how Blackhole is following the pattern of popular malware kits Zeus and SpyEye. Blackhole traditionally has been used to infect legitimate websites for drive-by infection purposes. “This attack is unique because Blackhole added an email vector to its format and is flooding the Internet with similar methods used by Zeus, SpyEye, and others, essentially moving it into prime time,” says Fred Touchette, senior security analyst for AppRiver.

Blackhole, which was previously marketed as a high-end crimeware tool, costing $1,500 for a one-year license, in May was unleashed for free in some underground forums. That has propelled more use of the toolkit according to the AppRiver blog.

Mr. Touchette said that attackers using Blackhole have changed tactics: “This is the first that I have personally noticed that leads email recipients to Blackhole websites. Before that, people using the Blackhole Kit relied on techniques such as SEO poisoning to lead victims to their sites,” he says.

The OfficeJet email campaign, like other Blackhole attacks, is trolling for victims’ online banking credentials according to Dark Reading. It works a lot like Zeus and others, using browser vulnerabilities on victims’ machines and creating a backdoor for downloading and installing the Trojans. AppRiver’s Touchette says Blackhole appears to favor Sun Oracle (ORCL) Java (I wrote about Java holes here) and Adobe (ADBE) bugs (I wrote about Adobe bugs here).

“This most recent campaign is still trickling in, but will soon stall as most of its domains have been picked up and blacklisted by security professionals … we were seeing malicious emails related to this campaign coming in at a rate of around 36,000 per minute,” Mr. Touchette says.

Recent botnet takedowns have spurred an increase in malware attacks recently as botnet operators try to rebuild, AppRiver’s Touchette told Dark Reading.
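The OfficeJet lure described above is a device-notification message that does not originate from a device inside the organization. As an added example (not code from the page, Dark Reading, or AppRiver), the following mail-gateway check flags messages that use printer or scanner wording but come from an external sender domain or point at an external link. The internal domain, the sample messages and the placeholder domains are all constructed for the example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumed internal mail domain for the organization (constructed).
INTERNAL_DOMAIN = "example.org"

# Constructed sample: a genuine scan-to-email notice from an on-premises printer.
LEGIT_MSG = """\
From: OfficeJet Pro <printer@example.org>
To: alice@example.org
Subject: Scan from OfficeJet Pro 8600 (alice)
Content-Type: text/plain

Your document has been scanned to the shared folder scans/alice.
"""

# Constructed sample: a lure imitating a printer notice, sent from an outside
# domain and linking to a throwaway site (placeholder domains, not real IoCs).
LURE_MSG = """\
From: HP OfficeJet <officejet-notify@hp-scans-placeholder.example>
To: alice@example.org
Subject: Fwd: Scan from a Hewlett-Packard ScanJet #1932
Content-Type: text/plain

Attached document was scanned and sent to you.
Open it here: http://scanner-docs-placeholder.example/view?id=1932
"""

PRINTER_WORDS = re.compile(r"\b(scan(ned)?|officejet|scanjet|printer)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_internal(host):
    """True when host is the internal domain or a subdomain of it."""
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def sender_domain(msg):
    """Return the domain of the From: address, or '' if it is missing."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def external_links(text):
    """Return hostnames of URLs in text that are not internal."""
    hosts = [(urlparse(u).hostname or "") for u in URL_RE.findall(text)]
    return [h.lower() for h in hosts if h and not is_internal(h)]


def score_printer_lure(raw):
    """Return reasons a message looks like a spoofed device notification."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    reasons = []
    if PRINTER_WORDS.search(subject) or PRINTER_WORDS.search(body):
        dom = sender_domain(msg)
        if not is_internal(dom):
            reasons.append(f"device notification from external sender {dom}")
        links = external_links(body)
        if links:
            reasons.append("external link(s): " + ", ".join(links))
    return reasons
```

A message that trips either check is a candidate for quarantine and for a blocklist entry on the linked domain, which is how the campaign's domains ended up blacklisted.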

rb-

Yeap- We are still seeing these trickling in and still have users reporting they can’t access their OfficeJet.

Related articles

  • Positive Trend in Malware: Rootkit Developers Killing Each Other’s Code (pcworld.com)

Teachers Highly Susceptible To Phishing Attacks

Internet Security Awareness Training (ISAT) firm KnowBe4 has released new cybercrime statistics that identify Education as one of the most Phish-prone™ industry sectors. Education is the second most susceptible sector to cybercrime ploys. DarkReading reports the percentage of companies in each sector that responded to the phishing emails is:

  • Travel – 25%
  • Education – 22.92%
  • Financial Services – 22.69%
  • Government Services – 21.23%
  • IT Services – 20.44%

KnowBe4 founder and CEO Stu Sjouwerman told DarkReading, “Our cybercrime statistics should serve as a wake-up call … Not only are these businesses at risk for financial loss through a cyberheist, but their susceptibility to phishing tactics could compromise sensitive customer data such as credit card, bank account, and social security numbers.”

These findings are based on a recent phishing experiment KnowBe4 conducted among enterprises featured in the latest Inc. 500 and Inc. 5,000 listings.

rb-

Having worked in K12 for a number of years, I saw lots of teachers and a few superintendents get caught by phishing traps. They would then complain to me about why they and their organization had entered SPAM jail and then needed me to hit SORBS.net to get the mail flowing again.
