Hackers Increasingly Targeting Business Conversations

‘Conversation hijacking’ Seeks Sensitive Business Intelligence
Your employees probably know not to open unexpected file attachments or click on random links, but what if an attachment arrives as part of an email conversation with trusted colleagues?
Sophisticated hackers are using a technique known as “conversation hijacking” to insert themselves into business operations, gain insight into sensitive details, and exploit the information for financial gain. What should you know about this insidious form of cyberattack on businesses?

Conversation Hijacking: Infiltrating Business Communications
New research indicates that the incidence of conversation hijacking increased by more than 400 percent in the second half of 2019 alone.
In a conversation hijacking attack, a hacker uses various methods for gaining access to business credentials — for instance, an email login. By using the phished information, the hacker then may join an existing email conversation by posing as someone already involved in the conversation.
Conversation hijacking attacks are mounted by hackers willing to invest significant time to gain access to sensitive information. The hacker may read through numerous emails and conduct research online to learn about business deals in progress or other potentially valuable information.
By gaining the trust of other people in the email thread, the hacker then can use a variety of techniques for gaining access to banking information and financial assets.
Forms of Conversation Hijacking
Conversation hijacking can take a number of different forms, with information coming from a range of different sources. Hackers may compromise email accounts through phishing or data breaches and use the stolen account information to stage account-takeover attacks.
A hacker then may spend time monitoring an email account — including ongoing message threads — to gain information about sensitive business details or financial arrangements. An attack may involve a hacker creating a fake domain similar to the real domains used by a company. In the case of domain impersonation, the goal is to create a domain similar enough to the real domain that unsuspecting employees click or download files without realizing the error.
Hackers also may impersonate the domain of a client, vendor or business partner to gain the trust of employees for the ultimate purpose of accessing financial accounts and information.
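One way a mail filter or help-desk triage script can catch the domain impersonation described above, as an added example that is not part of the original post: the trusted domains, the confusable-character table and the sample senders are all constructed for illustration.

```python
"""Flag sender domains that impersonate trusted ones (added example).

Normalises a From: domain (case, accents, common character swaps) and compares it
with the domains the company and its partners really use, by exact match, by
"real domain used as a subdomain" and by edit distance.
"""
import unicodedata

# Constructed: domains this hypothetical company and its partners really use.
TRUSTED_DOMAINS = {"example-corp.com", "acme-vendor.com"}

# Latin-script substitutions seen in lookalike domains, mapped to the letters they
# imitate (constructed, not exhaustive).  Applied to both sides before comparison.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents/fullwidth forms, and undo common confusables."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 2):
    """Return (verdict, domain) where verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    norm = normalize(domain)
    best = None
    for trusted in TRUSTED_DOMAINS:
        norm_trusted = normalize(trusted)
        # Same name after normalisation (e.g. "exarnple-corp"), or the real domain
        # placed in front of an attacker-owned one (example-corp.com.mail-login.net).
        if norm == norm_trusted or norm.startswith(norm_trusted + "."):
            return "lookalike", trusted
        distance = levenshtein(norm, norm_trusted)
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, trusted)
    if best:
        return "lookalike", best[1]
    return "unknown", domain


if __name__ == "__main__":
    for sender in ["cfo@example-corp.com", "cfo@exarnple-corp.com",
                   "ap@example-corp.com.mail-login.net", "news@totally-other.org"]:
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is a reason to hold the message for review or to warn the recipient, not proof of fraud; a legitimate partner's newly registered domain can trip it too.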
Protecting Your Business
Conversation hijacking can be more difficult to detect than other types of hacking, but you can take steps to protect your business, your employees and your clients and partners.
The most important step you can take is ensuring that your team members understand how conversation hijacking attacks work. They should always use caution when downloading files or clicking on links and take time to ensure that all information — including domain names — matches their expectations.
In addition, any requests for financial information or immediate payment should raise red flags and should be reported to your company’s accounting department. If an employee doubts the authenticity of an email, they can contact the sender by phone or by starting a new email thread with an email address known to be accurate. Employees also should report to your IT team any email conversations or other incidents that seem suspicious.
Additional security measures — including robust email filtering and inbox rules — also can help, and restricting macros within documents can limit the means for hackers to gain access to account information. Multi-factor authentication also can provide extra protection against sophisticated conversation hijacking attacks.

January 28th: Data Privacy Day

Data Privacy Day commemorates the anniversary of the signing of the first international treaty focused on data protection. Here’s how you can get involved.
January 28th, Data Privacy Day 2020, is here. First introduced in January of 2008, Data Privacy Day commemorates the anniversary of the signing of Convention 108, one of the first international treaties focused on data protection. Here’s what you can do to get involved.
Ways to participate at home
Talk with your family about online privacy and safety. Discuss what information is private information and consider together the risks associated with sharing confidential information online. Take a look at the online accounts of any children in the home to identify breaches, risky behavior, and connections with strangers. Remedy any problems identified and use the opportunity to share information and teach.
Now is also a good time to go through old papers, files, and devices, and schedule safe destruction to protect your information before it lands in the wrong hands. Remember, never throw away bills, bank statements, check blanks, or devices without destroying them first.
How you can participate at work
There are a number of ways you can use this opportunity to promote data security at work:

designate this as archive week, encouraging all staff to identify electronics that are no longer in use so they can be destroyed appropriately
use games and activities to refresh staff knowledge of the risks of security breaches and internet best practices
take a moment to ensure all corporate computers have the safest web browser, operating system, and security software installed and working as expected
review your policies and procedures to ensure they’re still compliant with best practice; we learn and evolve every day so a periodic review is critical to achieving the best results
share current news surrounding data breaches and lead a discussion exploring what went wrong and how similar crises can be avoided in your organization and industry

Involving your community
Data Privacy Day provides a great opportunity for community outreach and involvement. Include clients, stakeholders, and community members in your commitment to privacy. Host an open house, where you share materials encouraging safe internet practices at home and sharing what your organization is doing to protect client information. Send out client emails celebrating the occasion and summarizing all of the steps that go into maintaining their protected information (and the results of your hard work). You might even consider launching a survey to learn more about stakeholder satisfaction with your commitment to privacy and data protection program.

What You Need to Know about Cyber Security

Cybersecurity education is essential in order to keep businesses one step ahead of this evolving space. Learn about types of attacks and preventative actions.
Cyber solutions are the future of business, with innovation such as the Internet of Things (IoT) gaining increasing popularity. Accordingly, focus on the protection and recovery of networks, devices and programs from cyberattacks is no longer a luxury, but a very basic necessity to remain competitive in today’s landscape. Here is a basic overview of cybersecurity:
Things to know

Data breaches are intended to access proprietary information, usually for financial gain. These activities can result in damaged corporate reputations, significant downtime and even the cessation of business viability
Hackers are becoming much more sophisticated, and traditional anti-virus software programs may not be sufficient to prevent attacks
As more devices and gadgets are connected to networks via IoT, they provide backdoors for hackers to access proprietary data
Despite the rising prevalence and notoriety of data breaches, they can be prevented. Cybersecurity often relies less on high-end technology than on common sense and solid security practices/protocols, such as:

Restricting employee access to sensitive data
Employing strong password controls
Educating employees on e-mail security
Encrypting data
Appropriately securing mobile devices (smartphones, tablets)
Investing in IT professionals with current cybersecurity knowledge and skills

Types of Attacks

Malware is any type of malicious software utilized to gain unauthorized access to a computer
Ransomware is a form of malware that locks owners out of their devices/data until a ransom is paid
Spyware is a form of malware that spies on users in order to acquire sensitive information
Fileless malware attaches to existing programs running on the computer, thereby embedding inside the computer’s memory
Viruses are malicious programs usually sent as attachments, and which infect devices once downloaded
Watering holes are when a known website is hacked either directly or via a third-party service hosted on the site. In this way, anyone who visits the site is infected
Phishing is the act of sending e-mails that trick people into revealing sensitive information
Spearphishing is related to phishing but is more focused, preying on specific targets by including relevant details about the individual (usually obtained via research) to lure them into clicking on the link
Pharming is the act of directing users to illegitimate websites under the guise of a legitimate link
Hacking is the act of accessing a network or device without appropriate authorization to do so

Types of Cyber Security

Network Security: These are defenses implemented to prevent hackers from gaining access to organizational networks and systems. Examples would be password controls and two-factor authentication
Application Security: This is when software and/or hardware is employed to protect against threats from malicious programs. An example would be antivirus programs
Information Security: This is the protection of data via restricted access or encryption
Cloud Security: These are tools utilized to monitor and protect corporate data stored in the cloud

Scammers Convinced Erie Employee to Wire Million Dollars

Small Town Reeling After BEC Scammers Get Employee to Wire $1M
Would you fall for this scam that cost a small town $1M? Find out what a BEC scam is, how it works, and what you can do to keep your company from falling victim.
What would you do if you found out your employee just cost you a million dollars? We’ll just guess they probably wouldn’t stay working for you much longer.
The little town of Erie, Colorado, was recently faced with this scenario. Hackers used a Business Email Compromise (BEC) scam to deplete the town’s savings.
Don’t know what a BEC scam is? You should. Here’s what you need to know.

What Is a BEC Scam & How Does It Work?
BEC scams are targeted and sinister. In this scam, a hacker gains access to the business email of someone in the C-suite, or of similar power.
Once inside, they monitor the account to determine who among your staff they should target from that account for financial gain. Once they’ve identified the person who holds the purse strings, they send that person an email from your account with instructions to wire money somewhere.
If the person who receives the email is suspicious, hackers don’t want their cover blown. So they may also mess with your email rules so that any emails received with words like “scam”, “is this a joke” or “please verify” in them automatically get deleted.
They may target several people to see who takes the bait. And the scammers use the principle of social engineering to convince people to comply.
In the case of the Erie BEC scam, the criminals were able to find a real account payable and request that the employee change where the payment was sent. This lent the request a legitimacy that reduced suspicion.
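A mailbox-rule audit of the kind that catches the tampering described above, as an added example that is not part of the original post: it flags rules that quietly delete or hide replies containing words like “scam” or “verify”, and, as a related check the post does not mention, rules that forward mail outside the organisation. The rule object, the word list and the sample rules are constructed for illustration and do not mirror any particular mail platform’s API.

```python
"""Audit a mailbox's inbox rules for BEC-style tampering (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Words from the post that a fraudster does not want the victim to read in replies.
SUSPECT_WORDS = {"scam", "joke", "verify", "fraud", "phish", "suspicious"}
# Folders where a moved message is unlikely to be noticed.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}
INTERNAL_DOMAINS = {"example-corp.com"}  # assumption: the organisation's own domain


@dataclass
class InboxRule:  # constructed shape, not a real mail platform's rule object
    name: str
    enabled: bool = True
    subject_or_body_contains: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    mark_as_read: bool = False


def audit_rule(rule: InboxRule) -> List[str]:
    """Return human-readable findings for one rule (empty list = nothing suspicious)."""
    findings = []
    if not rule.enabled:
        return findings
    phrases = [p.lower() for p in rule.subject_or_body_contains]
    hits = sorted(w for w in SUSPECT_WORDS if any(w in p for p in phrases))
    hides = (rule.delete_message or rule.mark_as_read
             or (rule.move_to_folder or "").lower() in HIDING_FOLDERS)
    if hits and hides:
        findings.append(f"{rule.name!r}: hides messages mentioning {', '.join(hits)}")
    external = [addr for addr in rule.forward_to
                if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        findings.append(f"{rule.name!r}: forwards mail outside the organisation "
                        f"to {', '.join(external)}")
    if rule.delete_message and not phrases:
        findings.append(f"{rule.name!r}: deletes every incoming message")
    return findings


def audit_mailbox(rules: List[InboxRule]) -> List[str]:
    """Run audit_rule over every rule in a mailbox and collect the findings."""
    return [finding for rule in rules for finding in audit_rule(rule)]


# Constructed sample: one benign housekeeping rule and two of the kind an attacker adds.
SAMPLE_RULES = [
    InboxRule("Newsletters", subject_or_body_contains=["newsletter"], move_to_folder="Reading"),
    InboxRule("Cleanup", subject_or_body_contains=["scam", "is this a joke", "please verify"],
              delete_message=True),
    InboxRule("Backup", forward_to=["cfo.backup@mail-login.net"], mark_as_read=True),
]

if __name__ == "__main__":
    for finding in audit_mailbox(SAMPLE_RULES):
        print(finding)
```

Feeding this the rule export of each executive mailbox on a schedule turns the post’s “mess with your email rules” into something IT can actually alert on.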
How Do Hackers Get Access to Your Email?
The most common way to hack your email is through a phishing email scam. The fraudster may send an email to you that looks like it’s from your email service provider. They then trick you into giving up your password by having you log into a spoofed website or download malicious keylogging software.
If your business email is through Microsoft, Google or another company with many product lines that use a single password, they can get it in a roundabout way, further lowering your guard.
If you don’t have a strong password, they may also be able to guess it by following the bread crumb trail all of us leave online.
How Do You Protect Against BEC Scams?
BEC scams are convincing. You’re dealing with professional con artists, not hacker hobbyists. Because of that, you need a multi-faceted plan, which will include email scam security solutions like:

Employee education
Having a clear verification process including additional safeguards when changing where payment is sent or when other red flags go up
Email server monitoring for suspicious activity
A strong password policy with two-step verification, along with enforcement
Spam filters, which reduce the risk of you or someone else in C-suite seeing the spoof email in the first place.
Up-to-date malware protection

And above all, stay informed about scams and schemes like these. Criminals constantly adapt their strategies. Don’t fall for it. Follow our blog to stay up-to-date.

Keeping You Safe from Juice Jacking

Learn about juice jacking and how to prevent you or your employees from becoming a victim.
Here’s a new cyber threat to worry about: juice jacking. Read on to learn what juice jacking is and how to prevent yourself or your employees from becoming a victim.

What Is Juice Jacking?
One common feature of modern smartphones is that the power supply and data stream pass through the same cable. When you plug your phone in to charge, hackers could theoretically access your phone through the same cable and inject malicious code or steal your personal information.
Your USB connector has five pins. However, it uses only one of those five pins to pass through power for charging. Two additional pins are used for transferring data. So, when you charge, you could also be opening a port for passing data between devices.
We have only seen unconfirmed reports of juice jacking happening in the real world, but engineers have demonstrated how it is possible. In theory, threat actors might hide a device in a public charging station at airports or hotels. It’s a big enough concern that the District Attorney’s office in Los Angeles recently put out a warning to travelers to avoid using public USB charging stations.
The FBI put out a warning about a device that’s small enough to fit inside a USB charger and can steal keystrokes from wireless keyboards. Another device hidden inside a USB charging station accesses your video display. It then records a video of everything you do, which might include passwords, account numbers, or PINs.
How To Prevent Juice Jacking From Happening to You or Your Employees
We’ve been warning people about the potential danger of using public Wi-Fi stations for years. Hackers can set up Wi-Fi hotspots in coffee shops and other public places then intercept data as it’s sent back and forth to your device. Now you can add public charging stations to the list of potential problems.
This doesn’t mean you shouldn’t use them. You just need to take basic security precautions to stay safe.

Avoid using public USB charging stations or plugging into computers that you aren’t familiar with.
Instead, use an AC power outlet and your own charging device. No data transfer is going to take place when you’re using an AC outlet and your charger.
Consider external batteries, power banks, or wireless chargers if you need a charge on the go.

You should also avoid the temptation to plug into a USB charger you find left plugged in somewhere. It may be waiting for you to plug in and infect your device.
For iOS users, you can also use USB Restricted Mode, which allows charging but prevents data transfers under certain circumstances. You’ll find it by going to Settings > Face ID & Passcode (or Touch ID & Passcode) > USB Accessories. For Android users, USB data transfer should be disabled by default. If you want to check to make sure that’s the case, plug in your phone in a safe place, tap the notification and check the USB Configuration options.

What You Can Do to Prevent Cyber Attacks Targeting Employee Data

Threat actors are targeting companies to obtain personal information about employees to use for tax fraud and filing false returns.

Your company stores all sorts of personally identifiable data about your employees. Birth dates, social security numbers, health information, and bank account numbers are all on the shopping lists for hackers, who can sell the information they steal or use it for malicious acts. One of the most sought-after documents by bad guys is tax records and tax forms.
These threat actors use that information to steal identities and file fake tax returns. Tax identity theft is the biggest type of ID theft reported to the Federal Trade Commission (FTC) each year. The FTC estimates the fraud at more than $5 billion annually.
Often, the victims aren’t aware anything has happened until they go to file their personal tax returns. They may try to file electronically, and have it rejected as a duplicate, or get a notice from the IRS saying there’s a problem. By then, the fraudsters are long gone.
How Do Hackers Steal Employee Data?
The most common way your employee data is breached is via phishing emails. Nearly a third of all data breaches and 78% of cyber-attacks started with a phishing email.
Hackers use email as a weapon to gain access to your systems. It may be as simple as sending an email asking employees to update their payroll information. Clicking on a malicious link can send that info to the wrong people. That’s exactly what happened to employees at the University of Kansas who soon found the direct deposit of their paychecks had been re-routed.
Other phishing emails may be targeted at individual employees using a variety of schemes to trick employees into giving up login credentials allowing cybercriminals to have access to company records. Other schemes may install malicious code when clicked and set up backdoors for hackers to access company computer networks. HR employees are also being targeted. A forged email may appear to come from a company executive or a third-party payroll processor asking for verification of information.
In an increasingly mobile society, hackers are gaining access to sensitive data when employees are connecting remotely to company servers without using proper security practices. When employees use public Wi-Fi, for example, they are vulnerable to man-in-the-middle attacks where threat actors intercept data as it’s being transmitted back and forth.
How To Prevent Becoming A Victim
Educating your employees about the dangers of phishing emails is a good place to start. One trillion phishing emails are being sent every year. While your company’s spam filters catch many of them, a significant number can slip through. Employees need to recognize the warning signs and everybody within your organization needs to take precautions to safeguard your data:

Install anti-virus and anti-malware software on all devices
Use strong passwords of 8 or more characters that mix letters, numbers, and other characters. Force changes regularly.
Encrypt all sensitive information
Back up sensitive information to a secure external source
Limit access to employee data with escalating security procedures
Require employees to install security software on all devices that access company data, including personal devices
Use Virtual Private Networks (VPNs) to encrypt data accessed remotely

It’s also important to keep all your software up-to-date. Hackers exploit what’s known as zero-day vulnerabilities in outdated software. These are known security problems that have been patched by the company. If the patches haven’t been applied by those using the software, hackers can exploit this known problem. That’s what happened to credit reporting agency Equifax, which saw hundreds of millions of records stolen when the company had failed to apply patches to known security issues.
Consider A Managed Service Provider
Even the best IT teams can be overwhelmed by managing all the various devices and entry points to their networks. They may not have the expertise needed to stay on top of constantly evolving threats and security practices.
A Managed Service Provider (MSP) can actively monitor a company’s servers, Exchange servers, Active Directory servers, firewalls, routers, switches, and platforms remotely. This ensures software is always up-to-date and breaches are identified immediately.
An MSP will monitor your network traffic and incursion points 24/7 in a cost-effective way. In case there is a cyber-attack, an MSP can be your best weapon in identifying the threat, shutting it down, and building additional security walls to prevent future breaches.