Municipal IT Director Put on Leave Following Breach

Hackers Had Access for Months Before Launching Ransomware Attack

In another sign that accountability is rising in cyber security, the IT director of the Suffolk County Clerk’s Office in New York has been put on paid administrative leave. An investigation following a September ransomware attack found that hackers had been exploring and exploiting Suffolk County’s systems since December 19, 2021, and accused IT Director Peter Schlussler of acting in “an incredibly nonchalant manner” toward the county’s cyber security.

Schlussler disputed the investigation’s findings in an email to The New York Times, noting that his requests for stronger cyber security at the County Clerk’s office had been rejected by superiors. Suffolk County wound up taking all of its systems offline in September when the hack was finally discovered and, according to the Times, is still using workarounds for some online functions.

Suffolk County Hack Timeline Illustrates Common Tactics and Detection Failures

An examination of the Suffolk County hack reveals several points at which the intrusion could have been detected, had the IT Director been following the security practices that most cyber security specialists recommend.

December 19, 2021: Criminals gain access to the County Clerk’s systems via a known flaw in a common piece of software. Investigators found that there was no centralized authority for the municipal systems run by Suffolk County. As a result, patches to fix the known vulnerability were not applied across all systems. Suffolk County Executive Steven C. Bellone cited the IT director’s failure to patch the vulnerability as a cause of the cyber attack.

January 2022: Hackers install Bitcoin mining software on the Suffolk County systems. Criminals plant low-value software like this for two reasons: to see whether the installation itself is detected and removed, and to see whether its outbound traffic to servers the organization has never talked to is noticed and blocked. An organization that does not spot rogue software communicating with unknown parties is unlikely to spot the data theft that follows.

Many IT directors perform regular scans of all systems to look for new software installations, which can be a sign of a breach; new services, scheduled tasks and executables appearing under user profiles or in temporary directories deserve particular attention, and a coin miner also announces itself through sustained high CPU use on a machine that has no reason for it. This can be a challenging task in a large, decentralized environment, which is why cyber security professionals recommend centralized administration for users and software.

March 2022: Hackers install tools to run Suffolk County systems remotely. Criminals who do this have a high level of confidence in their ability to carry out significant attacks. These tools will be tested before the next phase of the intrusion begins, offering another opportunity to detect the activity.

Every IT director and security professional should be scanning systems regularly for known remote-access clients. Although New York investigators did not specify the kind of remote access tools used, many criminals use the same remote-access software that organizations use to keep their own remote employees connected. By itself, the presence of remote-access software may not be cause for concern; the alarm should be raised when it appears on a machine where it was never installed, or is suddenly used more often, at unusual times of day or in unusual ways. Put sanctioned remote access behind a Virtual Private Network (VPN) secured with two-factor authentication (2FA), and treat any remote-access tool that bypasses that path as an incident.
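The kind of check described in the two paragraphs above, comparing a known-good software inventory against a fresh scan, looks like this in practice. This is an added example written for this article, not code from the Suffolk County investigation or from any vendor; the two inventories are constructed sample data, and the watch-lists of remote-access and miner names are illustrative assumptions rather than a complete indicator set:

```python
"""Baseline-versus-current software inventory diff.

Added illustration, not code from the Suffolk County investigation or any
product. BASELINE and CURRENT are constructed sample inventories in the
shape of a per-host installed-software listing. The two watch-lists are
assumed, illustrative categories, not a complete indicator set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    host: str
    name: str
    version: str
    path: str


# Legitimate remote-administration products that intruders also abuse
# (the text notes attackers use the same tools organizations use).
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "atera", "splashtop", "screenconnect"}
# Strings commonly found in coin-miner binaries and service names.
MINER_MARKERS = {"xmrig", "minerd", "cpuminer"}


def classify(pkg: Package) -> str:
    """Label a package by what its name or install path suggests."""
    haystack = f"{pkg.name} {pkg.path}".lower()
    if any(marker in haystack for marker in MINER_MARKERS):
        return "coin-miner"
    if any(tool in haystack for tool in REMOTE_ACCESS_TOOLS):
        return "remote-access"
    return "other"


def diff_inventory(baseline, current):
    """Compare two inventories keyed by (host, package name).

    New packages are findings; a new remote-access tool or miner is high
    severity. Packages whose version or path changed, and packages that
    disappeared, are low-severity findings worth a second look. A sanctioned
    remote-access tool that is in the baseline and unchanged is not flagged:
    presence alone is not the signal, change is.
    """
    base_index = {(p.host, p.name.lower()): p for p in baseline}
    cur_index = {(p.host, p.name.lower()): p for p in current}
    findings = []
    for key, pkg in sorted(cur_index.items()):
        label = classify(pkg)
        old = base_index.get(key)
        if old is None:
            severity = "high" if label != "other" else "medium"
            findings.append({"host": pkg.host, "name": pkg.name, "path": pkg.path,
                             "change": "new", "label": label, "severity": severity})
        elif (old.version, old.path) != (pkg.version, pkg.path):
            findings.append({"host": pkg.host, "name": pkg.name, "path": pkg.path,
                             "change": "modified", "label": label, "severity": "low"})
    for key, pkg in sorted(base_index.items()):
        if key not in cur_index:
            findings.append({"host": pkg.host, "name": pkg.name, "path": pkg.path,
                             "change": "removed", "label": classify(pkg), "severity": "low"})
    return findings


# Constructed sample data: the approved state of three hosts ...
BASELINE = [
    Package("clerk-fs01", "Microsoft Office", "16.0.1", r"C:\Program Files\Microsoft Office"),
    Package("clerk-fs01", "7-Zip", "19.00", r"C:\Program Files\7-Zip"),
    Package("clerk-db02", "SQL Server", "15.0", r"C:\Program Files\Microsoft SQL Server"),
    Package("helpdesk-01", "TeamViewer", "15.2", r"C:\Program Files\TeamViewer"),  # sanctioned
]
# ... and a later scan on which two unexpected programs have appeared.
CURRENT = [
    Package("clerk-fs01", "Microsoft Office", "16.0.1", r"C:\Program Files\Microsoft Office"),
    Package("clerk-fs01", "7-Zip", "22.01", r"C:\Program Files\7-Zip"),
    Package("clerk-fs01", "AnyDesk", "7.1", r"C:\Users\svc_backup\AppData\Roaming\AnyDesk"),
    Package("clerk-db02", "SQL Server", "15.0", r"C:\Program Files\Microsoft SQL Server"),
    Package("clerk-db02", "Windows Update Helper", "1.0", r"C:\ProgramData\wuh\xmrig.exe"),
    Package("helpdesk-01", "TeamViewer", "15.2", r"C:\Program Files\TeamViewer"),
]

if __name__ == "__main__":
    for f in diff_inventory(BASELINE, CURRENT):
        print(f"{f['severity']:<6} {f['change']:<8} {f['host']:<12} {f['name']} [{f['label']}] {f['path']}")
```

Run as a script it prints three findings: the AnyDesk installation inside a service account's profile and the "Windows Update Helper" whose binary is xmrig.exe are high severity because they appeared where the baseline had nothing; the 7-Zip version change is low; the help desk's sanctioned TeamViewer is silent because nothing about it changed. Feeding real data means exporting installed programs, services and scheduled tasks from each host on a schedule and keeping the last approved export as the baseline.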

April 2022: Criminals create the first of several admin-level user accounts in the County Clerk’s systems. This is the boldest step yet, and at this point the hackers hold the same power over the systems as the IT director. With admin-level access, criminals can install software, exfiltrate data and manipulate systems to cover their tracks.

There are a number of ways to alert IT staff when new accounts are created or added to privileged groups, and a number of ways to limit the access that new users have by default. Beyond these safeguards, user lists and access levels should be audited and verified on a regular basis, with any unrecognized accounts immediately flagged and suspended.
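Here is one way to raise those alerts, as an added example and not code from the original article. It reads constructed log lines modelled on the Windows Security events for account creation (4720) and for adding a member to a security-enabled group (4728 for a global group, 4732 for a local one), flags creations made outside business hours or by anyone not on an approved roster, escalates when a brand-new account is made an administrator within a day, and includes the periodic roster check the paragraph calls for. Host names, account names and the roster are assumptions made for the example:

```python
"""Alert on account creation and elevation to privileged groups.

Added example, not part of the original article. It parses constructed
log lines modelled on Windows Security events 4720 (user account created),
4728 and 4732 (member added to a security-enabled global / local group).
The field semantics follow Windows: for 4728/4732, TargetUserName is the
group and MemberName the account added. Host names, account names and the
APPROVED_ADMINS roster are assumptions made for the example.
"""
import re
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
APPROVED_ADMINS = {"jdoe", "mlee"}          # staff allowed to create/elevate accounts
BUSINESS_HOURS = range(7, 19)               # 07:00-18:59 local time
ELEVATION_WINDOW = timedelta(hours=24)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """'2022-04-12T02:14:07 host=x EventID=4720 Key=Value ...' -> dict."""
    stamp, _, rest = line.partition(" ")
    event = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    event["time"] = datetime.fromisoformat(stamp)
    return event


def detect(lines):
    """Return alerts, one per suspicious event, in time order."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    created_at = {}                          # account -> time of its 4720
    alerts = []
    for ev in events:
        actor = ev.get("SubjectUserName", "?")
        if ev.get("EventID") == "4720":
            account = ev["TargetUserName"]
            created_at[account.lower()] = ev["time"]
            severity, reasons = "medium", ["account created"]
            if ev["time"].hour not in BUSINESS_HOURS:
                severity, reasons = "high", reasons + ["outside business hours"]
            if actor.lower() not in APPROVED_ADMINS:
                severity, reasons = "high", reasons + ["creator not on approved roster"]
            alerts.append({"time": ev["time"], "account": account, "actor": actor,
                           "severity": severity, "reasons": reasons})
        elif ev.get("EventID") in ("4728", "4732"):
            group, member = ev["TargetUserName"], ev["MemberName"]
            if group.lower() not in PRIVILEGED_GROUPS:
                continue
            severity, reasons = "high", [f"added to {group}"]
            born = created_at.get(member.lower())
            if born is not None and ev["time"] - born <= ELEVATION_WINDOW:
                severity, reasons = "critical", reasons + ["account was created less than 24h earlier"]
            alerts.append({"time": ev["time"], "account": member, "actor": actor,
                           "severity": severity, "reasons": reasons})
    return alerts


def audit_members(current_members, approved=APPROVED_ADMINS):
    """Periodic roster check: privileged accounts nobody recognizes."""
    return sorted(m for m in current_members if m.lower() not in approved)


# Constructed sample log: a routine daytime account, a 2 a.m. service account that
# is made a local Administrator a minute later, and a direct Domain Admins addition.
SAMPLE_EVENTS = """\
2022-04-12T14:02:11 host=clerk-dc01 EventID=4720 SubjectUserName=jdoe TargetUserName=intern_03
2022-04-12T02:14:07 host=clerk-dc01 EventID=4720 SubjectUserName=jdoe TargetUserName=svc_update
2022-04-12T02:15:30 host=clerk-dc01 EventID=4732 SubjectUserName=jdoe TargetUserName=Administrators MemberName=svc_update
2022-04-13T09:30:00 host=clerk-dc01 EventID=4728 SubjectUserName=mlee TargetUserName="Domain Admins" MemberName=mlee2
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['severity']:<8} {a['account']:<12} "
              f"by {a['actor']}: {', '.join(a['reasons'])}")
    print("unrecognized admins:", audit_members({"jdoe", "mlee", "svc_update"}))
```

The correlation is what matters: a single account creation by an approved administrator during the day is routine and rated medium, but an account created at 2 a.m. and made an Administrator a minute later is exactly the April 2022 pattern described above, and the script rates it critical. The roster check is the manual audit from the paragraph, reduced to a set difference that can run every night.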

July 2022: Data exfiltration begins, including at least one file with the name, “Passwords.”

August 2022: Keyloggers are installed and the intrusion spreads to systems connected to the County Clerk’s network. The hackers position themselves to encrypt everything they can reach; the ransomware is launched in September.

What should stand out about the Suffolk County attack is the patient, meticulous nature of the hackers. This was not a high-speed raid or a crime of immediate opportunity. Hackers got in, then slowly built up their presence and toolkit over time, starting with nuisance software and moving on to complete control and surveillance. At each step, the hackers stopped and waited to see if their activity would be detected. When it was not, they executed the next step of their takeover plan.

The month-by-month increase in activity correlates with what hackers know about many cyber security programs: scans are often run only once a month. If 30 days pass and new software or activity has not been detected, the intruder concludes it is safe to escalate. Think of this like a burglar finding a series of unlocked doors in a home. After opening each door, the burglar looks around to make sure it is safe before opening the next door.

The Myth of “Opportunistic” Cyber Attacks

Far too many business owners and organizational leaders think a cyber attack occurs because someone lets their guard down for a moment. While these attacks do occur, they tend to be low-level financial attacks that scam a few hundred or a few thousand dollars. Real cyber criminals are as patient and methodical as the group that attacked Suffolk County, and the damage they cause can lead to millions of dollars in remedies and restitution. Large, distributed, heavily used networks like those found in municipal government offices are ripe targets for the troves of personal information they hold and the opportunities they offer for criminals to conceal their activities.

We see multiple points where the Suffolk County attack could have been stopped, but we also see the challenges faced by the IT director, which are common to both government and the private sector. Too many leaders do not understand the real nature of cyber attacks. Too many government and private-sector organizations see Virtual CISO services or Dark Web Monitoring as a needless expense. The irony here is that they wind up paying for these services after a breach, alongside any fines and costs associated with data loss and system repairs, when they could have prevented the intrusion in the first place.

There is also the question of accountability, and the decision to suspend the Suffolk County Clerk’s IT director. This follows the Federal Trade Commission’s action against the CEO of Drizly following the theft of customer data. In both of these cases, investigators uncovered events that should have been prevented by cyber security best practices and held the people responsible for overseeing cyber security accountable.

Three Federal Agencies Warn of Business Email Compromise (BEC) Scams

Business Email Compromise (BEC) scams netted $2.4 billion in losses during 2021, with 19,954 complaints reported to the United States government. A joint advisory from the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI) and the U.S. Department of Agriculture (USDA) urges businesses in the agricultural and food sectors to beware of scams stealing physical goods, not money.

New BEC scams targeting food producers use phony emails and websites to order or reroute goods, such as powdered milk, sugar or whole milk. In some cases, fake emails were used to reroute existing shipments to criminals, while in others fake orders were placed by criminals pretending to be existing clients.

How Business Email Compromise Scams Work

BEC scams combine elements of social engineering and phishing. Criminals learn the names of senior executives at companies likely to order large quantities of ingredients or other goods. They then send phony emails or place fake online orders from look-alike domains, borrowing the real company’s name, logo and letterhead. In some cases, they will communicate directly with senior staff and place orders or ask for shipments to be rerouted. Because the emails look legitimate and generate real responses from humans, employees may accept the phony orders or reroute shipments, leading to hundreds of thousands of dollars in lost product.

Among the scams reported by the Federal government:

  • One group of criminals forged the identity of a U.S. company and placed orders for ingredients from June through August of 2022 with multiple suppliers. The scam netted at least $200,000 in stolen goods.
  • Criminals used a fake email to get a line of credit and $100,000 in milk powder by posing as a food company.
  • Four fake companies targeted a single food manufacturer, ordering nearly $600,000 in whole milk powder and non-fat dry milk.

How to Spot BEC Scams

In nearly every case outlined by U.S. government agencies, there was a small change in an email address that revealed the fraud. In some cases, an extra letter was added. In other cases, the number “1” was substituted for a lower-case “l.” Email addresses may also point to the wrong domain, such as a .org or .net where the real company uses a .gov or .com.
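The address tells in the paragraph above can be checked mechanically before a human ever reads the order. The following is an added example, not part of the federal advisory or of this article; it assumes a small allow-list of genuine client and agency domains and uses constructed sender addresses:

```python
"""Flag sender domains that imitate a known client's domain.

Added example, not part of the advisory or the article. KNOWN_DOMAINS is an
assumed allow-list of genuine customer and agency domains; the sample
addresses are constructed. The checks mirror the tells described in the
text: a swapped top-level domain, look-alike characters (1 for l, rn for m),
and a single added, dropped or changed letter.
"""

KNOWN_DOMAINS = {"dairyfarmco.com", "sugarsupply.com", "usda.gov"}

# Characters that read as another letter in most fonts; digraphs handled in normalize().
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})


def normalize(label: str) -> str:
    """Collapse common look-alike substitutions so a visual twin compares equal."""
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(domain: str):
    """'dairyfarmco.com' -> ('dairyfarmco', 'com')."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def assess_sender(address: str, known=KNOWN_DOMAINS):
    """Return (verdict, imitated_domain).

    Verdicts: trusted, lookalike-embedded (a real domain buried inside a longer
    host name), lookalike-tld, lookalike-homoglyph, lookalike-edit, unknown.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known:
        return "trusted", domain
    name, tld = _split(domain)
    for real in sorted(known):
        real_name, real_tld = _split(real)
        if domain.startswith(real + "."):
            return "lookalike-embedded", real
        if name == real_name and tld != real_tld:
            return "lookalike-tld", real
        if normalize(name) == normalize(real_name):
            return "lookalike-homoglyph", real
        if levenshtein(name, real_name) == 1:
            return "lookalike-edit", real
    return "unknown", None


# Constructed sample senders covering each tell described in the text.
SAMPLE_SENDERS = [
    "orders@dairyfarmco.com",                   # genuine
    "orders@dairyfarrnco.com",                  # rn for m
    "orders@dairyfarmco.net",                   # wrong top-level domain
    "purchasing@dairyfarmcoo.com",              # one extra letter
    "ap@sugarsupp1y.com",                       # digit 1 for letter l
    "info@dairyfarmco.com.invoices-portal.net", # real domain as a subdomain of a fake one
    "bob@example-mail.net",                     # simply not a known client
]


def triage(senders):
    return {s: assess_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, (verdict, real) in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:<20} {sender}" + (f"  (imitates {real})" if real and verdict != "trusted" else ""))
```

A lookalike verdict should route the message to the verification steps below, a call to the client on a number already on file, rather than a reply to the sender. The check is deliberately narrow: a sender at an unknown domain is not a scam, it is an unverified new contact; what matters is the true positive of a domain one letter away from a real customer.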

Business Email Compromise scams can slip by employees, even those who have had cyber security training, because they appear professional and do not directly ask for money. They read as legitimate business inquiries, often include recognizable names and company logos, and present business opportunities. It is only after the order has shipped that companies realize they have been scammed.

As with most scams, awareness and verification stop the criminals and the attacks.

  1. Make all employees who handle orders and shipments aware of Business Email Compromise scams.
  2. Put a second set of eyes on any order over a certain amount, regardless of where it appears to come from.
  3. Do not respond directly to emails that appear suspicious. Study return addresses carefully and, if anything appears off, call the alleged client directly.
  4. Verify any large order or order change by calling the client directly and asking for confirmation.
  5. Ask for advance payment before delivering goods to any new client.
  6. Use Dark Web Monitoring to find out what information about your company has been circulating online. Names of staff could be used for social engineering and phishing attacks. Names of executives and company assets can be used by scammers to create phony emails and websites.

In the most insidious versions of a Business Email Compromise scam, criminals gain access to a company’s legitimate email system, then create new mailboxes, or quietly use existing ones, to correspond with that company’s customers and suppliers from a domain that is entirely genuine. None of the address tells above apply in that case, so the defenses are on the account side: require two-factor authentication on every email account, review all company email accounts regularly, and immediately close the accounts of former employees.

As the government warning illustrates, cyber threats come in many forms and through many channels. This scam is a prime example of the kind of attack that many existing cyber training programs miss.

Your New Year’s Resolutions for Cyber Security

The More You Make and Keep, the Stronger Your Cyber Security in 2023

Resolution season is upon us as we take our annual stock of who we would like to be. Fitter, kinder, more charitable, as always, but why not safer?

These cyber security New Year’s resolutions vary from simple things you can do in a few seconds to things that might require some outside help. They all have one thing in common: Individually, they will make you safer in 2023, so following just one will give you greater protection against cyber criminals. Each resolution that you add will boost security for you and your business.

I will secure my phone. Around 1 in 4 people fail to use a screen lock on their smart phones. That’s an improvement from 2013, when around 1 in 3 people failed to secure their phones. Use of lock screens must be mandatory for all work-related devices. It is also the first step for stronger cyber security in 2023.

I will use two-factor authentication. Apart from securing your phone, this is the most critical thing you can do to boost security. Every email account, every account that processes payments and all online accounts relating to finances must have two-factor authentication, along with every account that allows admin-level access to business systems or customer data. Two-factor authentication takes a few minutes to set up and adds seconds to the login process. The most familiar method sends a one-time code by text message to your phone (already secured with a lock screen); without the phone, a criminal holding your stolen password cannot log in. Text-message codes are far better than a password alone, but they are the weakest form of 2FA: the code can be read from a notification on a locked Android or iPhone screen unless previews are turned off, and a criminal who convinces your carrier to move your number to a new SIM receives it instead of you. Where a service offers it, choose an authenticator app, which generates the code on the device itself, or a hardware security key, which is resistant to phishing as well.

I will update my passwords every 3 months. The start of each new business quarter should bring new passwords, and Google Workspace can be configured to enforce a schedule that you set for email and other business systems. The advantage is obvious: stolen passwords become useless once you change them, and a password that leaked months ago without your knowledge stops working for the thief. Two caveats. First, current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation on its own, because people respond to it with predictable variations of the old password; a schedule only helps if each new password is genuinely new and unique to that account. Second, change any password immediately when you suspect it has been exposed, schedule or not. If keeping track of business and personal passwords is a challenge, use a password manager that centralizes all of your credentials behind one strong main password; good password managers let you change that main password at any time without re-entering everything else.

I will not write passwords down. There is no safe place to store passwords on scraps of paper. Someone determined to find them will, whether they’re on a note in a drawer, tucked in your wallet or written backwards on a receipt hidden in a piece of ice in the freezer. If you cannot remember them all, the right tool is a password manager, which encrypts everything behind one main password and two-factor authentication. A password-protected spreadsheet is a distant second: it is only as strong as the password on the file, it can be copied without anyone noticing, and you will need to change that file password a few times a year without writing it down anywhere.

I will limit what I share online. Some companies make it far too simple for social engineers to get the information they need to launch attacks by publishing executive information online. Far too many individuals overshare on personal social media accounts. Social engineers data mine public information for the names, emails and password hints they use to launch intrusions and phishing attacks. There is a delicate balance between what needs to be shared to promote a business and what creates cyber risks. Sharing less is always better. When personal information must be shared, it should be with safeguards in place to help employees spot possible attacks using that information.

I will close all my unused accounts. This is a more time-consuming resolution, but it only needs to be done once a year. Take an inventory of all the logins you have that you no longer use. Do you still have a MySpace account from your college days? Has your business changed software vendors but left the old logins active? Did you once buy something from an online store and then never visit again? Did you try a social media site for a day or two and then stop using it? Take the time to identify, disable and delete these outdated accounts for two reasons. First, criminals may try to access them through old logins, creating a base that can be used to compromise your identity. Second, if you do not actively use those accounts, particularly if you changed emails after you opened them, you may not be receiving security alerts or breach notifications. Anything you have not used in the past 14 months should be deactivated.

I will review financial statements. Criminals probe bank accounts by initiating a very small transaction, such as $1, then reversing it with a credit. Legitimate businesses also do this to verify bank accounts, credit cards and debit cards. Businesses must mandate a specific review of financial statements for these types of transactions; any debit that is subsequently credited should be scrutinized, along with any small transaction. Anything suspicious should be reported to your financial provider immediately. Do the same for your personal accounts. Financial providers are good at challenging large, unusual purchases, but they often fail to notice the tiny debit/credit transactions that precede an attempt at a big-ticket purchase. Some of the most determined cyber criminals siphon off a small amount each month from a company’s finances, knowing the theft is unlikely to be detected. Bookkeepers and accountants should pay close attention to any new vendors who invoice an organization and raise the alarm if those vendors have the same address, email or phone number as employees.
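The review described above is easy to automate for a bookkeeper once statements are exported. The following is an added example, not from the original article: it pairs small debits with the matching credit that follows (the card-probing pattern), lists small debits that were never reversed, finds a counterparty billing the same amount month after month, and cross-checks vendor contact details against the employee directory. All records are constructed and the dollar thresholds are assumptions.

```python
"""Statement review for probe transactions, small skims and vendor/employee overlap.

Added example, not from the original article. Amounts are in cents (negative =
debit). The transactions, vendor and employee records are constructed; the
thresholds (a "small" debit is $5 or less, a credit must follow within 7 days,
three monthly hits make a recurrence) are assumptions, not rules from the text.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

SMALL_CENTS = 500
PROBE_WINDOW = timedelta(days=7)
RECURRING_MONTHS = 3


@dataclass(frozen=True)
class Txn:
    when: date
    amount_cents: int
    counterparty: str


@dataclass(frozen=True)
class Contact:
    name: str
    email: str
    phone: str
    address: str


def _small_debit(t: Txn) -> bool:
    return t.amount_cents < 0 and -t.amount_cents <= SMALL_CENTS


def find_probe_pairs(txns):
    """Small debit followed within PROBE_WINDOW by a credit of the same amount
    from the same counterparty: the $1-out, $1-back pattern used to test a card."""
    credits = sorted((t for t in txns if t.amount_cents > 0), key=lambda t: t.when)
    taken, pairs = set(), []
    for d in sorted(filter(_small_debit, txns), key=lambda t: t.when):
        for c in credits:
            if (id(c) not in taken and c.counterparty == d.counterparty
                    and c.amount_cents == -d.amount_cents
                    and d.when <= c.when <= d.when + PROBE_WINDOW):
                taken.add(id(c))
                pairs.append((d, c))
                break
    return pairs


def review_statement(txns):
    """Return findings of kind probe, small-debit or recurring."""
    findings, probed = [], set()
    for d, c in find_probe_pairs(txns):
        probed.add(id(d))
        findings.append({"kind": "probe", "counterparty": d.counterparty,
                         "cents": -d.amount_cents, "dates": (d.when, c.when)})
    for t in txns:
        if _small_debit(t) and id(t) not in probed:
            findings.append({"kind": "small-debit", "counterparty": t.counterparty,
                             "cents": -t.amount_cents, "dates": (t.when,)})
    months = defaultdict(set)        # (counterparty, amount) -> months it was charged
    for t in txns:
        if t.amount_cents < 0:
            months[(t.counterparty, t.amount_cents)].add((t.when.year, t.when.month))
    for (cp, cents), seen in sorted(months.items()):
        if len(seen) >= RECURRING_MONTHS:
            findings.append({"kind": "recurring", "counterparty": cp,
                             "cents": -cents, "months": len(seen)})
    return findings


def _digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def vendor_employee_overlap(vendors, employees):
    """Vendors that share an email, phone or street address with an employee."""
    hits = []
    for v in vendors:
        for e in employees:
            matched = [label for label, a, b in (
                ("email", v.email.lower(), e.email.lower()),
                ("phone", _digits(v.phone), _digits(e.phone)),
                ("address", _norm(v.address), _norm(e.address))) if a and a == b]
            if matched:
                hits.append({"vendor": v.name, "employee": e.name, "matched": matched})
    return hits


# Constructed sample statement and directories.
SAMPLE_TXNS = [
    Txn(date(2022, 9, 15), -4900, "CLOUDSVC LLC"),
    Txn(date(2022, 10, 15), -4900, "CLOUDSVC LLC"),
    Txn(date(2022, 11, 2), -100, "CARDVERIFY"),
    Txn(date(2022, 11, 3), 100, "CARDVERIFY"),
    Txn(date(2022, 11, 5), -250000, "ACME SUPPLIES"),
    Txn(date(2022, 11, 15), -4900, "CLOUDSVC LLC"),
    Txn(date(2022, 11, 20), -199, "APPFEE"),
]
SAMPLE_VENDORS = [
    Contact("Cloudsvc LLC", "billing@cloudsvc.example", "(555) 010-4242", "12 Oak St"),
    Contact("Acme Supplies", "ar@acme.example", "555-010-9999", "400 Mill Rd"),
]
SAMPLE_EMPLOYEES = [Contact("Pat Smith", "pat@county.example", "555-010-4242", "12 Oak St")]

if __name__ == "__main__":
    for f in review_statement(SAMPLE_TXNS):
        print(f)
    for h in vendor_employee_overlap(SAMPLE_VENDORS, SAMPLE_EMPLOYEES):
        print(h)
```

On the sample data the $1 debit and credit from CARDVERIFY come out as a probe, the $1.99 APPFEE charge as an unreversed small debit, and CLOUDSVC LLC as a $49 charge recurring for three months; the vendor check then shows that CLOUDSVC shares a phone number and street address with an employee, which is the invoice-fraud pattern the paragraph warns bookkeepers about.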

I will train myself and my employees to prevent phishing attacks. Phishing attacks rose by 61% in 2022, with more than 255,000,000 incidents. For cyber criminals, this is a numbers game. The more attacks they launch, the more likely they are to find a victim. It is no longer just big companies with volumes of personal data at risk, it’s every business in every sector and nearly every individual who has a smart phone or an email address. Annual phishing awareness training should be mandatory at all companies. Twice-annual training is better. Programs that include simulated attacks with a summary of how employees responded provide the best results. You will need professional support for this, but there are a number of affordable solutions available. Weigh that cost against the potential expense of a phishing attack: Someone sending a $500 gift card to a cyber criminal may not seem like a big deal, but once any criminal successfully attacks your organization, more criminals with more sophisticated attacks often follow.

I will hire or contract a Chief Information Security Officer (CISO). All large businesses and most mid-sized businesses have a CISO on staff or on retainer. This executive-level information-security professional handles all cyber security needs, from evaluating and setting up security measures to documenting compliance to ensuring that employees receive appropriate cyber security training. Small businesses and startups, outside of the tech sector, have a far lower level of CISO protection. A full-time security specialist may be beyond the needs or budget of many small companies. In these cases, a part-time, affordable Virtual CISO can significantly improve cyber security. For companies that fall under the FTC Safeguards Rule in 2023, professional support is almost mandatory.

You must change habits to improve cyber security. These New Year’s resolutions can help you do that, and most of them are very easy to keep, with no additional cost for you or your business beyond a bit of time. If you feel that you are not doing enough to improve your business’ security, or if you are unsure where to begin, contact us online or call us at 1-800-658-8311 to speak to a cyber security professional. We build custom security awareness solutions for our clients, based on their needs and what they can afford.

Good luck with all your New Year’s resolutions.

‘Tis the Season to Be Mindful

Don’t Wind Up on a Cyber Criminal’s Nice List

Amid the December maelstrom of planning, parties, shopping and activities lie more opportunities for cyber criminals than any other time of the year. The Grinches running scams like the holidays a lot because they know you have an above-average number of emails and online purchases flying around, because your schedule is packed and because there’s a greater level of personal activity around your workplace and your home. These are ripe conditions for your vigilance to slip, giving cyber criminals the opportunity they need to steal your money, your identity or business data.

Celebrate and savor the season, but keep these tips for cyber security in mind while you do.

Thwarting Cyber Criminals at Home

  • Never Click on Email Links.  Bogus links in spoofed emails are a favorite tactic for cyber criminals at the holidays. Chances are you are ordering more things online. You may be expecting statements or shipping details. You get an email in the evening, claiming to be from Amazon or UPS, and click on the link without thinking. At best, you get scammed for a few hundred dollars. At worst, you compromise your identity or allow a cyber criminal to install malware on your device. Always go to a website via a browser, not an email link, to verify order and shipping details. If you get a tracking number via email, copy it, go to the shipper’s website, and paste it into their package tracker. That will identify any attempts to trick you with phony shipping. You should also read up on a new scam targeting Pay Later users.
  • Leave your devices home for the holidays. If you plan to travel, or your holiday involves overnights at a hotel, a motel or a friend or family member’s home, leave every device that holds sensitive information at home. Never connect your devices to a public network at a hotel or someone else’s home. You have no way of knowing who else is connected, or whether the connection is encrypted and secured.
  • Don’t let guests connect to your home network. This one is tough if you have friends or relatives staying with you, but you simply cannot allow guests in your home to access your Wi-Fi or wired home network. Familiar fraud is one consequence of too much generosity with your home password. You also run the risk of malware from a guest’s device infecting your network, either when they first log in or while they surf the web. If your guests must have access to email or the daily crossword, provide a device for them in a busy part of your home. Make sure that device has a password-protected login, and be sure to turn it off at night and when a majority of people are out.
  • Scan those tech gifts before you connect them. New phones, laptops, tablets and all USB devices should get an offline antivirus scan before they go online with your network. Be very wary of any USB memory stick or card given as a gift or brought by a well-meaning friend or relative, as malware infections on these devices are increasingly common.
  • Turn off Bluetooth and Wi-Fi discovery on your phone. Big holiday crowds at malls, airports and transit hubs attract cyber criminals, who blend quietly into the crowd looking for data to steal. Open Bluetooth connections and devices seeking Wi-Fi can wind up connecting to criminals with significant consequences. Bluetooth should always be off unless you have a specific need for it. Wi-Fi should be off in general unless you are on a trusted network at home or a secured connection at work.

Protect Against Cyber Criminals at Work

  • Never bring devices to the holiday party. Hats and coats aren’t the only things that disappear when the staff gathers to toast the year. Laptops loaded with customer data have disappeared from cabs and cloakrooms, leading to potential data breaches, expensive customer notification and monitoring campaigns and cyber security headaches.
  • Log off devices ahead of office parties. It can be tempting to hop up and run to say hello to a visiting co-worker or client, or to work right up to the start of a conference-room celebration, but that open device is an invitation to criminal activity. Always log out of devices before leaving your work area and power them off if you can. Threats to data and passwords can come from criminals who sneak into buildings, from visiting clients or from fellow employees.
  • Don’t hold the door for strangers. “Tailgating” is a tactic used by criminals to gain entrance to a secure area. These thieves will ask someone to hold the door, or try to slip in behind an employee before a door closes. During the holidays, tailgaters may pose as delivery people to access secure areas. Whenever you encounter someone you do not know at a door, bring them to the reception area.
  • Give your work devices a holiday break. Avoid traveling with work devices. If you must, leave them turned off and packed in a carry-on bag, never with luggage that will be checked. The best practice is to keep work devices at work during a vacation. The chances of device theft, information theft or malware attacks rise when you are away from the secure environment of your office.
  • Avoid shopping on work devices. It can be convenient to shop from and ship to the office, particularly if you’re trying to keep a gift a surprise or if your neighborhood is prone to porch piracy. Remember that cyber criminals use fake invoices, fake shipping notices and fake order updates, along with the usual assortment of fake gift card offers, to try and steal your personal information and login credentials. It can be challenging enough to spot the scams in your personal email account without adding that burden to your work emails. If your company allows it, shipping to your office is a good holiday option, but always order using your personal email.

Wherever the holidays find you, remember that cyber criminals are also hoping to find you. Trust your instincts. If something seems off to you, like a long-lost “friend” who starts sending holiday greetings via social media, or an email stating you missed a package delivery, find ways to verify without directly interacting with those emails, private messages or texts.

Personal security and device security are critical components of cyber security. Protect Now helps businesses and organizations manage cyber threats by making security personal to every individual. Contact us online to learn more about our services, including Virtual CISO, Dark Web Monitoring and cyber awareness training, or call us at 1-800-658-8311.

Why Do I Need Dark Web Monitoring?

Dark Web monitoring fills an important security gap for individuals and businesses. It has applications in cyber security, reputation management and brand management. By monitoring Dark Web activity, individuals and organizations may be alerted to cyber attacks or data breaches.

Admit it: You search your name on Google to see what’s there. Most businesses pay attention to their online reviews. Some monitor social media to see what customers are saying. Dark Web monitoring completes the picture of your and your organization’s online reputation. It can also tip you off to data breaches or potential cyber attacks.

What Is the Dark Web?

In its broadest definition, the Dark Web is a portion of the Deep Web, which itself is the collection of websites and databases that are not indexed by the major search engines (Google, Bing, Yahoo!, DuckDuckGo, etc.). In 2018, CNBC estimated that the Deep Web was 400 to 500 times the size of the Internet that most people use.

The Deep Web itself is benign. It consists of password-protected content, encrypted databases and data, including millions of articles, books, recipes and public records. Some of these can be accessed through specialized search engines, such as a university’s library catalog of digital media or LexisNexis.

Amid those terabytes of data lurks a smaller set of sites that can be reached only through anonymizing networks, the best known of which is Tor, short for The Onion Router. Software such as the Tor Browser wraps each request in layers of encryption and passes it through a chain of volunteer-run relays, so that no single relay knows both who the user is and which site is being visited. Promises of anonymity and cover from law enforcement have made the Dark Web a haven for illegal activity. It is where many cyber crimes are planned and monetized, and where you will find cyber criminals offering their services and software for sale alongside the fruits of their labors: credit cards, login credentials and personal information.

Why Are Businesses Monitoring the Dark Web?

Because a great deal of cyber crime originates on the Dark Web, monitoring is a tool that thwarts and reveals attacks. In some cases, it can be the first warning of a data breach.

Dark Web monitoring begins with a deep dive on selected data points. For businesses, this is most commonly the business name and the names of senior executives and managers. This creates a baseline of information that is known to be compromised, as well as intelligence on any discussions about the business or its leaders among cyber criminals. This information is provided to the business with notes on any areas of concern.

Once the baseline is established, the Dark Web is searched on a regular basis for new information. This may include

  • Mentions of the business or its leaders by cyber criminals, which can signal a pending attack
  • Solicitations to buy or sell information on the business or its leaders
  • Newly posted data, which may include compromised logins for systems, user accounts or personal accounts of the company’s leaders
  • Customer data, such as credit card numbers, exfiltrated from a company’s database

When new information is found, the business receives an immediate alert that can be used to prepare for or stop a cyber attack. In some cases, this is the first evidence of a data breach that compromises customer information.

Dark Web monitoring may also reveal what people are saying about a business and its employees, providing opportunities to repair reputational damage. It can also be used to prevent disgruntled former employees from selling stolen data online after their separation from a company.

How Can I Monitor the Dark Web?

Dark Web monitoring requires specialized software that can access and index the hundreds of thousands of hidden sites that criminals use to communicate. There is currently no free solution, and until recently, monitoring was an expensive service available only to large companies.

Protect Now is pleased to offer affordable small-business Dark Web monitoring that includes a full baseline examination of data about your business and employees, as well as regular updates on any new information that appears online. If someone adds to that information, attempts to buy or sell it or discusses using it, you will be notified immediately so that you can take action.

Phishing Is the Tool, Ransomware Is the Payload: IBM 2022 Threat Intelligence Index

Phishing remains the top tool for criminals targeting businesses, while ransomware has become the most popular form of cyberattack, according to the IBM Security X-Force Threat Intelligence Index 2022. The report, which catalogs attacks recorded between January and December 2021, ahead of a rise in cyber attacks related to the war in Ukraine, offers some sobering statistics for business owners and cyber security professionals.

Phishing accounted for 41% of intrusions in 2021

IBM found that phishing was the leading method of compromising security across all industries, and that it accounted for 46% of intrusions at financial institutions. Criminal organizations now offer Phishing as a Service (PhaaS) and have improved their techniques. IBM reported that phishing campaigns that included phone calls were 3 times more effective than non-call phishing campaigns, with a click rate of 53.2% of those targeted. Major technology brands, including Google, Apple and Microsoft, were frequently impersonated in phishing emails.

There are two concerning trends here. The first is the arrival of phishing as a service. When organized criminals start working on behalf of multiple clients, they can measure their success rates in the same way that legitimate businesses measure their marketing success. This will allow them to evolve strategies faster.

The second is the astounding 53.2% success rate for attacks that included phone calls. A little persistence from a hacker should not cause your people to fall for the phish. Robust phishing awareness training becomes even more critical in the face of this threat.

Ransomware led all attacks

Ransomware accounted for 21% of attacks IBM observed and was the most common type of attack encountered in 2021. Those attacks escalated in 2022, as Microsoft noted in its Digital Defense Report. Hackers are not simply using ransomware to encrypt files and extort a payment anymore; increasingly they steal the data before encrypting it, so that a threat to publish backs up the ransom demand, and some deploy wiper malware disguised as ransomware that destroys systems outright, and with them the traces of the intruders’ activity.

Facing a ransomware attack is bad enough, but the new trick for state-sponsored hackers is to simply erase all your business data without ever asking for a payment. In some cases, stolen data gets put up for sale on the Dark Web, while in other cases the damage to your cyber infrastructure is the intended result. The only remedy for this is to back up your data frequently, a process that benefits from the guidance of an experienced Virtual CISO. Even if you have in-house IT support, speaking with an expert on intrusions and recovery can help you develop protocols that will prevent permanent data loss.

Manufacturers were the top target

In a shift from 2020, manufacturing became the most-targeted industry for cyber criminals observed by IBM, moving ahead of financial services and accounting for 23.2% of all attacks. Ransomware was the most common attack unleashed on manufacturers.

There are two possible reasons for cyber criminals to shift their focus to manufacturers. Supply chain disruptions that magnified in the second half of 2021 put enormous pressure on manufacturers to increase production. Criminals are usually looking for a fast, hassle-free payout. Faced with the prospect of days, if not weeks, of downtime to restore systems, manufacturers found themselves in a place where payments were the quickest way to get operations back up to speed. Don’t give in to that temptation, as hackers can and will erase your data after you make that payment, costing both the time to restore operations and the ransom money.

Manufacturing is also a softer target than financial services. Nearly all banks and service providers have robust cyber security and regular anti-phishing training to thwart attacks. Manufacturers may not recognize the risks to their systems as readily and may not have all systems secured. Legacy software and legacy operating systems are a particular vulnerability for this sector. Remember that anything connected to the Internet is a possible path for a cyber attack.

New Scam Targets Pay Later Users: What You Need to Tell Your Employees (and Maybe Your Customers)

A new Pay Later scam targets users with fake invoices that deliver funds directly to thieves. Those who have linked a Buy Now, Pay Later account to their PayPal may be at greater risk.

What Is the Pay Later Scam?

Scammers harvest email addresses into their mailing lists, then create fake invoices like the one below:

[Image: Buy now pay later invoice]

The invoice appears to come from a legitimate source. The link points to PayPal and seems legitimate because it is a real PayPal link. Scammers created the phony invoice, complete with the stolen Best Buy logo, to trick careless users into sending them money. These scam emails often arrive late in the afternoon or early in the evening, when you may be tired and less focused on specifics. If you were expecting a Best Buy invoice and saw a payment due at 7PM or 8PM, would you click the link? If it pointed to PayPal, would you be more likely to click it? Pay Later scammers are counting on that.

How to Avoid the Pay Later Scam

To avoid the Pay Later scam, remember one of the most basic rules of cyber security: never click on links in emails. Always go to a company’s website, log in to your account (preferably with two-factor authentication), and complete payments manually. If you want to help PayPal crack down on these scams and encourage them to remove tools that allow scammers to create these fake invoices, you can report the invoice to the PayPal Security Center.

As an extra layer of security, try to avoid associating Pay Later services, such as Affirm, Afterpay or Sezzle, with PayPal accounts or bank accounts. The extra time it takes to put in your information and authorize a transaction, versus simply clicking a link, may be the time you need to recognize a fraudulent invoice. Also try to avoid paying invoices late in the day or when you are distracted.

Inform Your Employees About Pay Later Scams

If you own or run a business, you should be in the habit of reporting new scams to your employees for two reasons:

  1. Scammed employees are unhappy employees, and unhappy employees are less productive. It can take days to undo the personal financial damage from a scam. Set up a program to provide regular emails to your employees when new scams get reported, both business and personal.
  2. Once someone interacts with a criminal, more criminals show up. Scammers are always hunting for “hot” targets. What begins as an individual attack can escalate into phishing attacks that jeopardize your cyber security.

Should I Tell My Customers About Pay Later Scams?

Imagine the reaction of someone victimized by a Pay Later scam. They are going to blame themselves, but they may also blame everyone else involved, including the business that was spoofed in the scam and the platform that processed the payment. That’s a small amount of damage to a company’s reputation, but those small amounts add up over time.

Larger companies may lack the means to notify every customer of every scam and often are not aware that their identities have been spoofed. Companies should take steps to be both proactive and reactive when scams like this appear.

Proactive means informing your customers at the point of sale and in every email that you will not send them links to pay their bills. (If you are sending links to pay bills, please stop.) Remind customers to always go to your website and log in to complete a financial transaction.

Reactive means alerting customers when scams like Pay Later reach your desk. If customers start complaining about fake invoices or invoices they believed that they paid, it’s time to investigate the source and take action. Reach out to impacted customers and request copies of the emails they received, then send an alert to your customers informing them of the scam and reminding them not to click links in emails. This step may take a little time to complete, but the goodwill it builds will justify the cost.

Cyber Warfare Is Here: Are You Prepared?

When you think about cyber warfare, you probably imagine an underground bunker full of people working computers to try and take down the Pentagon, or to shut down air traffic control. You probably don’t imagine North Korean or Russian agents coming for your small business.

It’s time for that thinking to change. In its 2022 Digital Defense Report, Microsoft reported that nation-state attacks targeting infrastructure rose from 20% of the attacks they detected to 40%. Microsoft cited espionage attacks on NATO countries and attacks on IT firms as areas of higher activity.

What Does Cyber Warfare Look Like?

Cyber warfare is happening right now, every time a nation-state hacker infiltrates an IT backbone or targets a public health provider. Nation-state actors will not “declare cyber war” or announce their intentions. They will simply strike at whatever targets they can compromise, with the intent of causing as much disruption as possible.

What Is a Nation-State Cyber Attack?

Nation-state cyber warfare differs from criminal cyber attacks in two ways. First, the attack is either carried out directly by foreign agents, or by people who get funding, training and infrastructure support from an enemy country.

Cyber criminals can often be stopped with basic cyber security and phishing awareness training, because they’re looking for easy money and easy victims. They use well-known malware and common social engineering techniques to extort their victims.

Second, cyber warfare is far more sophisticated. It uses techniques and custom-built software designed to avoid detection and to defeat common methods of restoring system access. In less-destructive forms, it is a tool to harass and extort an adversary. In more sinister applications, it can silently exfiltrate information that gives an enemy a strategic advantage, such as the ability to delete needed data or take control of mechanical and energy systems.

Why Would a Nation State Attack My Business?

As in any conflict, there are degrees of cyber warfare. In any attack, the following entities are vulnerable:

  • Energy generation, transmission and controls
  • Water utilities
  • Chemical and fuel facilities
  • Public health facilities
  • Telecommunications, including emergency response

The goal of these attacks is to sow chaos. The size of the target does not matter. Most cyber warfare analysts expect big-city infrastructure and large health systems to be primary targets, but nation-state attackers will look to spark terror in any way they can. Opening a dam in a small town or poisoning a water supply will lead to widespread fear, and smaller municipalities may not be as well protected against a cyber attack as urban providers.

In a wider attack, a nation-state will almost certainly target the following:

  • Banking
  • Food processing and distribution, including supermarkets
  • Logistics, including package delivery, rail and trucking
  • Pharmacies
  • Managed service providers
  • Cloud networks
  • Payroll processing

The goal is to cause as much disruption as possible by denying people access to everyday goods and services. Shutting down thousands of websites via an attack on a cloud provider or managed service provider interrupts the flow of goods and services and gets media attention. Shutting down pharmacy computers makes it harder for people to get essential medications. Adversaries want media amplification of their attacks that will make people fearful.

Your (Unexpected?) Role in Cyber Warfare

We tend to think of cyber attacks in terms of breaches, monetary theft or lost access to systems. If you operate a system that has been compromised, it is easy to see that you have been attacked. If your managed service provider, ISP or cloud servers go down, you may be surprised to find out that you are the reason why.

This is where cyber warfare becomes every online organization’s responsibility. Nation-state attackers continually probe for weaknesses and novel ways to get at essential online infrastructure. Everyday things that many businesses and developers do can be opportunities for foreign adversaries.

  • Posting source code on GitHub or other online repositories. We recently explained how that led to Federal sanctions against a U.S. executive. Posting source code can expose passwords and pathways to adversaries.
  • Launching new apps or forms without thorough testing. Nation-state attackers have a catalog of known software vulnerabilities and near-unlimited resources to find websites that have those vulnerabilities. You could be the crack in the door that gives an adversary the access needed to take down an ISP or managed services provider.
  • Insufficient online monitoring. Antivirus software alone will not stop a nation-state attacker who is using new methods of attack that the software does not recognize. In the most sophisticated attacks, adversaries embed their code in system software so that it looks normal to any scanner. Dark Web monitoring is sometimes the most reliable way to identify these vulnerabilities.

Every business and organization that publishes or maintains a website, whether you collect information or not, is a potential target of nation-state cyber warfare. You could have an unexpected and unwanted role in the next attack, because the United States does not prioritize the role individuals play in cyber security. Major targets may have significant defenses against nation-state attackers, but they also have necessary connections to the World Wide Web. This is like building a massive wall to protect a town but leaving a tiny hole for the wastewater to flow downstream. Enemies will find that hole, find a way to get into it and run wild once they are on the other side.

We often discuss cyber security in terms of business interruption and liability. Those are still significant concerns, but with determined nation-state attackers continually working to find new methods of attack, we need to consider how individual vulnerabilities could escalate into a local or national emergency.

Protect Now specializes in cyber security and compliance for small businesses. We provide affordable VCISO support, cyber security training and Dark Web monitoring. Call us at 1-800-658-8311 or contact us online to speak to a cyber security expert.

Prevent Apple ID Phishing Scams

Apple owners have noticed something very weird: they are becoming victims of a scam using Apple IDs. Once they give up the IDs, scammers can sometimes get access to their Apple account. Here’s how it works: People get a text that says their Apple ID is going to expire, and they are asked to click a link. When they do, the scam occurs because they unknowingly give up their ID and password to a scammer. It’s not rocket science, but it’s an easy and smart scam.

There are some ways to determine if a message is a scam. First, your Apple ID isn’t going to expire, ever. Apple will occasionally ask you to log into your account, will occasionally lock your account, and will occasionally make things difficult because, well, they are Apple, and both they and you are a big target. As long as you are not responding to or clicking links in text messages or emails, you aren’t going down the scammers’ rabbit hole. Only respond to Apple ID requests on your Apple device in the Settings menu, or in your browser (preferably on a laptop or desktop) when logging directly into Apple’s website.

Beyond Apple ID scams, always look for anything weird like misspelled words or grammar that seems off. Messages that make promises that you will win something, or create a sense of urgency, like “you must do this now,” are also very sketchy. Honestly, any text that you get from a number that is not recognizable is probably a scam. If you think a text from a company might be legit, give the business a call.

This is a really tricky scam, as it seems very real, and it is fairly simple for a scammer to pull off.

As you can see from the above screenshots, it is not easy to tell which is the real Apple ID request and which is the fake one. Keep in mind that the fake one only comes up if you click a link in a text. The legitimate sign-in pop-up, by contrast, will generally only appear from activity in your Settings menu (iTunes, iMessage, FaceTime, etc.).

First, take a deep breath. Instead of blindly filling in your information every time you get a password request, be sure of the source of that request. To do this, hit the home button, and then touch “Settings.” Look at iTunes, iMessage, and FaceTime. When you enter each of them, if your account needs authenticating, you will see a pop-up. This is a legitimate one.

Your Apple ID Doesn’t Expire and Other Facts

News flash – as previously stated, your Apple ID will not expire. Even if you forget your password, your username, or you haven’t used it in years, your ID is active.

Another thing you should know is that you should use two-factor authentication with your Apple ID. This prevents most phishing scams that use “authentication.”

You also might want to consider taking a screenshot of any scam message you get and reporting it to Apple by sending it to imessage.spam@apple.com. You can also use the “Report Junk” option if you get an iMessage from someone who is not a contact. This also sends the info directly to Apple. Mind you, I don’t do this. I don’t have the time. And there are millions of other people doing it.

If you get a scammy message via SMS (the green message) and/or iMessage (the blue message), you can report those, too, or just delete it and report it as junk so you don’t get it again. If you are inclined to report it, you will have to do that via the FTC website. Major mobile phone providers, including Verizon, T-Mobile, and AT&T, also allow customers to forward messages to 7726.

As of today, this password scam is out there, and it’s easy enough for people to create others, so use caution…and don’t forget to set up Apple’s two-factor authentication and your account recovery details.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Here are 12 Ways to Contain a Hack for Yourself and Your Business

Do you have a business? If “yes,” you have to read this. Do you have personal information? “Yes,” you do. In both scenarios, you will find that hackers have you on their radar, and here are 12 ways that you can mitigate the damage caused by a hack.

Ways to Contain a Hack for Yourself and Your Business

  1. Work with a Professional – It is very possible for a small business to be hacked because staff often did not use professional techs in the first place. So, companies offering breach mitigation and security should be contacted ASAP. These IT professionals, also known as chief information security officers (CISOs) or, when outsourced, virtual CISOs (vCISOs), are experts in containment, and they can forensically determine the nature of a hack, remove any vulnerabilities, update hardware and software, and ensure that breaches like this won’t happen again.
  2. Temporarily Disconnect Every Device from the Internet – You want to remove all devices from the network temporarily to stop data from leaving the network and prevent hackers from communicating with the server. This could mean totally disconnecting internet connections and routers.
  3. Reset and Change All Passwords – You also want to make sure that you and all staff are changing and resetting passwords. The moment the network or device goes back online, the hacker will try the same passwords again, and they can get right in.
  4. Update Your Software – Start by scanning all of your software and hardware with an anti-virus program and remove anything malicious. Many vulnerabilities are caused by outdated anti-virus software. Updating this software with patches eliminates the threats.
  5. Get New Hardware – You should also consider getting new hardware, too. Old hardware can often not keep up with the requirements of new software.
  6. Back Up Your Data – You also have to make sure that you are backing up your data on a consistent basis.
  7. Manage Any and All Identities – You also should make sure that you are managing all identities and access to your accounts. Do this across the board; failing to do so could make your network very vulnerable.
  8. Start Using Conditional Access – On top of this, you should make sure you are using conditional access that is based on things like device and location.
  9. Use Multi-Factor Authentication – You should also use multi-factor authentication to keep your accounts safe, too.
  10. Invest in Security Awareness Training – Make sure your employees know what to do…and what not to do…in regard to network security. Providing good security awareness helps make your entire company safe.
  11. Patching – Create a system so you can always make sure that both your hardware and software is patched and updated regularly. This also makes sure that your data is safe.
  12. Align Your IT Security with Other Security – Finally, if you are in the IT industry, you might feel like you are constantly struggling to keep up with ever-changing technology, including security technology. The success of your business is based on keeping it safe and secure, and by keeping security in mind, it can have a direct and positive impact on your revenue.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.