Category: Email

Beware “Phishy” Emails

Jun 18, 2020 by Sam Taylor

By Wassef Masri

When the accounting manager at a major retail US company received an email from HR regarding harassment training, he trustingly clicked on the link. Had he looked closer, he could’ve caught that the source was only a look-alike address. Consequently, he was spear-phished.

The hackers emailed all company clients and informed them of a banking account change. The emails were then deleted from the “sent” folder. By the time the scam was discovered a month later, $5.1 Million were stolen.

As in the previous crisis of 2008, cyber-crime is on the rise. This time however, hackers are higher in numbers and more refined in techniques. Notably, the emergence of malware-as-a-service offerings on the dark web is giving rise to a class of non-technical hackers who are better at marketing and social engineering skills.

Phishing emails are the most common attack vector and are often the first stage of a multi-stage attack. Most organizations today experience at least one attack a month.

What started as “simple” phishing that fakes banking emails has evolved into three types of attacks that increase in sophistication:

  • Mass phishing: Starts with a general address (e.g. “Dear customer”) and impersonates a known brand to steal personal information such as credit card credentials.
  • Spear phishing: More customized than mass phishing and addresses the target by his/her name, also through spoofed emails and sites.

  • Business Email Compromise (BEC): Aka CEO fraud, is more advanced because it is sent from compromised email accounts, making them harder to uncover. They mostly target company funds.

How to Protect Against Phishing?

While there is no magical solution, best practices are multi-level combining advanced technologies with user education:

1. User awareness: Frequent testing campaigns and training.

2. Configuration of email system to highlight emails that originate from outside of the organization

3. Secure email gateway that blocks malicious emails or URL’s. It includes:

  • Anti-spam
  • IP reputation filtering
  • Sender authentication
  • Sandboxing
  • Malicious URL blocking

4. Endpoint security: The last line of defense; if the user does click a malicious link or attachment, a good endpoint solution has:

  • Deep learning: blocks new unknown threats
  • Anti-exploit: stops attackers from exploiting software vulnerabilities
  • Anti-ransomware: stops unauthorized encryption of company resources

It is not easy to justify extra spending especially with the decrease in IT budgets projected for 2020. It is essential however to have a clear strategy to prioritize action and to involve organization leadership in mitigating the pending threats.

Leave a comment or send an email to wmasri@crossrealms.com for any questions you might have!

THERE IS SOMETHING “PHISHY” ABOUT SPEAR PHISHING.

Jul 11, 2019 by Sam Taylor
Spear Phishing is known for making more calculated attacks, focusing on a smaller number of targets.

We all know about email phishing, it’s relatively easy to spot. When the prince of Nigeria emails asking for help, we know not respond with our banking info, but when your I.T. provider “emails” with a link to click to login, this might be a little harder to recognize as an attack. Spear phishing is the next worst version of plain old phishing.

Spear phishing is a relatively cheap and effective way to gain access to someone’s personal information or computer system. With a little research and an email address, a hacker can pose as a trusted source. Posing as this official source, hackers can access aia a spoofed login link or an attachment.

This type of phishing has increased by 65% since last year, meaning your inbox may soon receive an email you weren’t expecting. Here are a few examples of what a spear phishing attack may look like:

The Executive

Emails from higher-ups are always more likely to receive special attention, something hackers realize too. An American steel company was targeted with an email from the board of directors, which prompted employees to click a link. This link allowed for hackers to gain access to employee’s email database and all attachments.

Protect yourself from dubious links by double checking with the person who initiated the email. It is unlikely that there will be a login link attached in an email, but always double-check.

The Job Candidate

With team expansions come new hires, but not all job applicants are alike. This “potential” hire will typically send a short intro summary and an attachment of their resume, which is what holds this compromising malware.  

Protect yourself from malicious attachments by having an intermediary defense system, like a web portal or file uploader to scan all attachments to verify a word document.  

The IT Note

Who hasn’t run into IT troubles? When an email pops up from your provider, it doesn’t signal any red flags, but they link they provide might be anything but helpful.  

Protect yourself from these malicious links by remaining vigilant online and refraining from providing personal information online.

Remaining Vigilant Online

There are many ways for a hacker to investigate a user’s personal interests, such as through their social media. With simple research, a personally crafted attack could be sent to an unexpecting inbox. Don’t be the one to fall for the attack:

 

  1. Remain very vigilant online
  2. Double check with the sender
  3. Have an intermediary defense system
  4. Avoid links that direct to a login page
  5. Keep up to date with cyber attacks

WINDOWS HANDWRITING ASSIST: HARMLESS AID OR MASSIVE VULNERABILITY

Jul 11, 2019 by Sam Taylor

Those with a touchscreen or stylus capable Windows PC are most likely in love with the smart feature that allows a handwritten scribble to become formatted text. Introduced in Windows 8, the handwriting recognition tool was implemented with the goal of easing a user’s experience. 

The handwritten recognition tool has the capability of storing all previous texts in order to better interpret stylus scribbling and suggest corrections. All data is saved, collected and compiled into a file called WaitList.dat.

A Digital Forensics and Incident Response (DFIR) expert, Barnaby Skeggs, was the one to highlight the handwritten recognition tool. In an interview with ZDnet he reviewed complications, “The user doesn’t even have to open the file/email, so long as there is a copy of the file on disk, and the file’s format is supported by the Microsoft Search Indexer service,”.   

While this isn’t meant to be a major vulnerability, it ultimately poses a risk. WaitList.dat collects texts from other sources on the device that includes written text, like emails, written documents, passwords, and usernames.

Skeggs went on to elaborate that WaitList.dat could also recover text from deleted documents, “If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file.”

To a digital forensics expert like Skeggs this provides all the evidence he needs to show a document had once existed– as well as it’s data.

As mentioned before, the purpose of the handwritten recognition tool was to simply aid a user, not hinder them. PC users that are utilizing this tool may need to have extra precautions, but won’t be in danger unless their device is targeted.

If you’re looking to resolve this potential security issue, you can manually go to the following address and delete WaitList.dat. Skeggs listed the typical location of the file: C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat