Posts

Finding out which Employees keep clicking on Phishing E-mails

You have the best IT security, but dang it…the bad guys keep getting in. This means someone inside your house keeps opening the back door and letting the thieves slip inside. You have to find out who this enabler in your company is, and it may be more than one.

11DThey don’t know they’re letting in the crooks, because the crooks are disguising themselves as someone from your company or a vendor or some other reputable entity.

After figuring out who these welcome-mat throwers are, you then have to continuously keep them trained to recognize the thieves.

So how do you locate these gullible employees? The following might come to mind:

  • Create a make-believe malicious website. Then create an e-mail campaign—toss out the net and see how many phish you can catch. You must make the message seem like it’s coming from you, or the CEO, or IT director, a customer, a vendor, the company credit union, what-have-you.
  • You’ll need to know how to use a mail server to spoof the sender address so that it appears it really did come from you, the CEO, IT director, etc.
  • This giant undertaking will take away good time from you and will be a hassle, and that’s if you already have the knowledge to construct this project.
  • But if you hire an extraneous security expert or phish-finder specialist to create, execute and track the campaign, you’ll be paying big bucks, and remember, the campaign is not a one-time venture like, for example, the yearly sexual harassment training. It needs to be ongoing.
  • What leads to a data breach is that one doggone click. Thus, your “find out who the enabler is” should center on that one single click.
  • This means you don’t have to create a fake website and all that other stuff.
  • Send out some make-believe phishing e-mails to get an idea of who’s click-prone.
  • Set these people aside and vigorously train them in the art of social engineering. Don’t just lecture what it is and the different types. Actually have each employee come up with five ways they themselves would use social engineering if they had to play hacker for a day.
  • Once or twice a month, send them staged phishing e-mails and see who bites.
  • But let your employees know that they will receive these random phishing tests. This will keep them on their toes, especially if they know that there will be consequences for making that single click. Maybe the single click could lead them to a page that says in huge red letters, “BUSTED!”
  • This approach will make employees slow down and be less reflexive when it comes to clicking a link inside an e-mail.
  • Of course, you can always institute a new policy: Never click on any links in any e-mails no matter whom the sender is. This will eliminate the need for employees to analyze an e-mail or go “Hmmmm, should I or shouldn’t I?” The no-click rule will encourage employees to immediately delete the e-mail.
  • But you should still send them the mock phishing e-mails anyways to see who disregards this rule. Then give them consequences.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Phishing Scams: Don’t Click that Link!

You’re sitting on your front porch. You see a stranger walking towards your property. You have no idea whom he is. But he’s nicely dressed. He asks to come inside your house and look through your bank account records, view your checkbook routing number and account number, and jot down the 16-digit numbers of your credit cards. Hey, he also wants to write down all your passwords.

13DYou say, “Sure! Come on in!”

Is this something you’d be crazy enough to do? Of course not!

But it’s possible that you’ve already done it! That’s right: You’ve freely given out usernames, passwords and other information in response to an e-mail asking for this information.

A common scam is for a crook to send out thousands of “phishing” e-mails. These are designed to look like the sender is your bank, UPS, Microsoft, PayPal, Facebook, etc.

The message lures the recipient into clicking a link that either leads to a page where they then are tricked into entering sensitive information or that link is infected and downloads malware to the users’ device.

The cybercriminal then has enough of your information to raid your PayPal or bank account and open up a new line of credit—in your name.

The message typically says that the account holder’s account is about to be suspended or deactivated due to (fill in the blank; crooks name a variety of reasons), and that to avoid this, the account holder must immediately re-enter login information or something like that.

Sometimes a phishing e-mail is an announcement that the recipient has won a big prize and must fill out a form to collect it. Look for emails from FedEx or UPS requiring you to click a link. This link may be infected.

Aside from the ridiculousness of some subject lines (e.g., “You’ve Won!” or “Urgent: Your Account Is in Danger of Being Deactivated”), many phishing e-mails look legitimate.

If you receive an e-mail from a company that services you in any way, simply phone them before you click on any link. If you click any of the links you could end up with malware.

Watch this video to learn about how to avoid phishing:

https://youtu.be/c-6nD3JnZ24

Save yourself the time and just call the company. But you don’t even have to do that. Just ignore these e-mails; delete them. Nobody ever got in trouble for doing this. If a legitimate company wants your attention, you’ll most likely receive the message via snail mail, though they may also call.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Phishing 101: How Not to Get Hooked

You’d think that it would be as easy as pie to avoid getting reeled in by a phishing scam. After all, all you need to do is avoid clicking on a link inside an email or text message. How easy is that?

A phishing scam is a message sent by a cybercriminal to get you to click on a link or open an attachment. Clicking on the link or attachment downloads a virus, or takes you to a malicious website (that often looks like real site).

You are then tricked into entering user names, passwords and other sensitive account information on the website that the scammer then uses to take your money, steal your identity or impersonate you.

Intel Security recently designed a quiz to help people identify a phishing email. Sometimes they’re so obvious; for example, they say “Dear Customer” instead of your actual name, and there are typos in the message. Another tip-off is an unrealistic “threat” of action, such as closing down your account simply because you didn’t update your information. Some scammers are more sophisticated than others and their emails look like the real thing: no typos, perfect grammar, and company logos.

The quiz showed ten actual emails to see if all of us could spot the phishing ones.

  • Out of the 19,000 respondents, only 3% correctly identified every email.
  • 80% thought at least one phishing email was legitimate.
  • On average, participants missed one in four fraudulent emails.

image001

The biggest issue may not be how to spot a phishing scam as much as it is to simply obey that simple rule: Don’t click links inside emails from unknown senders! And don’t download or click on attachments. Now if you’re expecting your aunt to send you vacation photos and her email arrives, it’s probably from her.

But as for emails claiming to be from banks, health plan carriers, etc.…DON’T click on anything! In fact, you shouldn’t even open the message in the first place.

And I can’t say this enough: Sorry, but you aren’t special enough to be the one person to be chosen as the recipient of some prince’s lofty inheritance. And nobody wins a prize out of the blue and is emailed about it.

A few more things to keep in mind:

  • An email that includes your name can still be a phishing scam.
  • Don’t fret about not opening a legitimate message. If it is, they’ll call you or send a snail mail.
  • You can also contact the company directly to see if they emailed you anything.

Want to see how your phishing skills stack up? Take the Intel Security quiz, here.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Hacking Humans: How Cybercriminals Trick Their Victims

Intel Security has compiled a list of the top ways cybercriminals play with the minds of their targeted victims. And the chief way that the cybercriminals do this is via phishing scams—that are designed to take your money.

11DThe fact that two-thirds of all the emails out there on this planet are phishy tells me that there’s a heck of a lot of people out there who are easily duped into giving over their money. I’m riled because many of these emails (we all get them) scream “SCAM!” because their subject lines are so ridiculous, not to mention the story of some befallen prince that’s in the message

I bet there’s a dozen phishing emails sitting in your junk folder right now. Unfortunately, a lot of these scam emails find their way into your inbox as well.

McAfee Labs™ has declared that there’s over 30 million URLS that may be of a malicious nature. Malicious websites are often associated with scammy emails—the email message lures you into clicking on a link to the phony website.

Clicking on the link may download a virus, or, it may take you to a phony website that’s made to look legitimate. And then on this phony site, you input sensitive information like your credit card number and password because you think the site really IS your bank’s site, or some other service that you have an account with.

6 ways hackers get inside your head:

  1. Threatening you to comply…or else. The “else” often being deactivation of their account (which the scammer has no idea you have, but he sent out so many emails with this threat that he knows that the law of numbers means he’ll snare some of you in his trap).
  2. Getting you to agree to do something because the hacker knows that in general, most people want to live up to their word. That “something,” of course, is some kind of computer task that will compromise security—totally unknown to you, of course.
  3. Pretending to be someone in authority. This could be the company CEO, the IRS or the manager of your bank.
  4. Providing you with something so that you feel obligated to return the favor.
  5. “If everyone else does it, it’s okay.” Hackers apply this concept by making a phishing email appear that it’s gone out to other people in the your circle of friends or acquaintances.
  6. Playing on your emotions to get you to like the crook. A skilled fraudster will use wit and charm, information from your social profiles, or even a phony picture he took off of a photo gallery of professional models to win your trust.

In order to preventing human hacking via phishing scams, you need to be aware of them. Aware of the scams, ruses, motivations and then simply hit delete. Whenever in doubt, pick up the phone and call the sender to confirm the email is legit.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

What is a Remote Administration Tool (RAT)?

Ever felt like your computer was possessed? Or that you aren’t the only one using your tablet? I think I smell a rat. Literally, a RAT.

http://www.dreamstime.com/stock-photos-identity-theft-red-words-binary-code-computer-monitor-image39907813A RAT or remote administration tool, is software that gives a person full control a tech device, remotely. The RAT gives the user access to your system, just as if they had physical access to your device. With this access, the person can access your files, use your camera, and even turn on/off your device.

RATs can be used legitimately. For example, when you have a technical problem on your work computer, sometimes your corporate IT guys will use a RAT to access your computer and fix the issue.

Unfortunately, usually the people who use RATs  are hackers (or rats) trying to do harm to your device or gain access to your information for malicious purposes. These type of RATs are also called remote access   as they are often downloaded invisibly without your knowledge, with a legitimate  program you requested—such as a game.

Once the RAT is installed on your device, the hacker  can wreak havoc. They could steal your sensitive information, block your keyboard so you can’t type, install other malware, and even render your devices useless. They  could also

A well-designed RAT will allow the hacker the ability to do anything that they could do with physical access to the device. So remember, just like you don’t want your home infested by rats, you also don’t want a RAT on your device. Here are some tips on how you can avoid  a RAT.

  • Be careful what links you click and what you download. Often times RATs are installed unknowingly by you after you’ve opened an email attachment or visited an software in the background.
  • Beware of P2P file-sharing. Not only is a lot the content in these files pirated, criminals love to sneak in a few malware surprises in there too.
  • Use comprehensive security software on all your devices. Make sure you install a security suite like McAfee LiveSafe™ service, which protects your data and identity on all your PCs, Macs, tablets and smartphones.

Keep your devices RAT free!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

How your Brain is affected by Phishing Scams

A recent study says that people are more mindful of online safety issues than what experts had previously believed. An article on phys.org says that Nitesh Saxena, PhD, wanted to know what goes on in users’ brains when they come upon malicious websites or malware warnings.

13DSaxena points out that past studies indicated that users’ minds are pretty much blank when it comes to malware signs. Saxena and colleagues used brain imaging (functional MRI) for their study.

Study subjects were asked to tell the authentic login pages of popular websites from phony replications. A second task for them was to differentiate between harmless pop-ups while they read some news articles and pop-ups with malware warnings.

The fMRI showed brain activity as it corresponded to the users’ online activity: attention, making decisions, solving problems. The images lit up for both tasks, but of course, fMRI can’t tell if the user is making the right decision.

That aside, the results were that the users were accurate 89 percent of the time with the malware warning task. When users were met with malware warnings, the language comprehension area of the brain lit up. Saxena states in the phys.org article, “Warnings trigger some sort of thought process in people’s brains that there is something unusual going on.”

The accuracy rate of telling an authentic website from a phony one was just 60 percent. Saxena believes this might be because users don’t know what to look for. For instance, they don’t know to look at the URL, which can give away the phoniness.

This study also had the participants complete a personality evaluation to measure impulsiveness. The fMRI images revealed differences based on impulsivity. Saxena says there was a “negative correlation” between brain activity and impulsive behavior. The impulsive user is prone to hastily clicking “yes” to proceed, when a malware warning pops up.

There was less brain activity in the key cerebral areas of decision-making in the users who had greater degrees of impulsivity.

This study has potential applications for the improved design of malware warning systems. These results can also assist company managers by identifying impulsive workers who need stronger online security training.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

7 Careful Commerce tips when Shopping this Holiday Season

Frosty the Hackman is teaming up this season with the Grinch to scam people out of their money. Shopping online is a godsend, but it brings with it a pristine opportunity to be ripped off.
http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294

  1. Avoid Phishing Scams. Never click on links inside e-mails even if they’re (allegedly!) from Macy’s, Kohl’s or some other big-name retailer. Scammers can easily make an e-mail appear legitimate. The e-mail inside the message may take you to a website that downloads a virus to your computer.
  2. Thwart Visual Hackers. Planning on doing some online shopping on your lunch break? Some hackers steal data by literally snooping over the shopper’s shoulder and if your credit card number, social security or other personal identifiable information happens to be on display on screen, you will be at risk. If you couple the 3M company’s ePrivacy Filter with their 3M Privacy Filter, “visual hackers” won’t be able to see from side angles, and you’ll be alerted to those peering over your shoulder and from most other angles.
  3. Do Your Research. If you want to buy from an unknown little retailer, hunt for reviews first. Be alert to phony reviews to make them look great; identical reviews across different sites are a bad sign. Check the Better Business Bureau’s rating for retailers you visit.
  4. Be Wary of Free Wi-Fi While it might be tempting to double check your bank account balance or get some emails done while you’re waiting in line for the register, if you’re accessing an unencrypted network you are putting yourself and your personal information at risk for data theft.
  5. Credit over Debit. If you get ripped off, the money is gone the second the card is used. At least with a credit card, you have some time to issue a dispute, and the card company will usually give you a full credit.
  6. Review Your Credit Regularly. Since you’ll be using your credit cards more frequently during the holidays, it’s important to stay on top of your statements to make sure there are no fraudulent charges.
  7. Mind your Passwords. To increase your security across the web, update your passwords during the holiday season in case one of your favorite retailers is hacked. Even if these sites are not infiltrated, right away consider changing your passwords across the board to better protect yourself down the road. And while it is annoying to remember different passwords, it’s important to very them for optimal protection.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

What is Pharming?

I was surfing on YouTube the other day and found this hilarious video mash-up of Taylor Swift’s song “Shake It Off” and an 80s aerobics video. For a lot of kids today, mash-ups are all the rage—whether it’s combining two videos, two songs, or two words.

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294Mash-ups have even caught on in the tech world. The word pharming is actually a mash-up of the words phishing and farming. Phishing is when a hacker uses an email, text, or social media post asking for your personal and financial information. On the other hand, pharming doesn’t require a lure. Instead of fishing for users, the hacker just sets up a fake website, similar to farming a little plot of land, and users willingly and unknowingly come to them and give them information.

How does it work? Most hackers use a method called DNS cache poisoning. A DNS, or domain name system, is an Internet naming service that translates meaningful website names you enter in (like twitter.com) into strings of numbers for your computer to read (like 173.58.9.14). The computer then takes you to the website you want to go to. In a pharming attack, the hacker poisons the DNS cache by changing the string of numbers for different websites to ones for the hacker’s fake website(s). This means that even if you type in the correct web address, you will be redirected to the fake website.

Now, you go to the site and thinking that it is a legitimate site, you enter your credit card information, or passwords. Now, the hacker has that information and you are at risk for identity theft and financial loss.

To prevent yourself from a pharming attack, make sure you:

  • Install a firewall. Hackers send pings to thousands of computers, and then wait for responses. A firewall won’t let your computer answer a ping. The firewalls of some operating systems are “off” as a default, so make sure your firewall is turned on and updated regularly.
  • Protect against spyware. Spyware is malware that’s installed on your device without your knowledge with the intent of eavesdropping on your online activity. Spyware can be downloaded with “free” programs so be leery of downloading free software and don’t click links in popup ads or in suspicious e-mails.
  • Use comprehensive security software. McAfee LiveSafe™ service includes a firewall and scans your computer for spyware. It also protects all your smartphones and tablets as well. And make sure to keep your security software updated.

For more tips on protecting your digital life, like Intel Security on Facebook or follow@IntelSec_Home on Twitter!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

How to win the War on Phishing

A phishing attack is a trick e-mail sent randomly to perhaps a million recipients, and the thief counts on the numbers game aspect: Out of any given huge number of people, a significant percentage will fall for the trick.

13DThe trick is that the e-mail contains certain information or is worded in such a way as to get the recipient to click on the link in the message. Clicking on the link brings the user to a website that then downloads malware.

Or, the website is made to look like it’s from the user’s bank or some other major account, asking for their account number and other pertinent information like passwords and usernames; they type it in (and it goes straight to the thief). Sometimes this information is requested straight in the e-mail’s message, and the user sends the information in a direct reply.

The Google Online Security Blog did some analysis of phishing e-mails and came up with the following:

Malicious websites really do work: 45 percent of the time. As for getting users to actually type in their personal information, this happened 14 percent of the time. Even very fake looking sites went over the heads of three percent. Three percent sounds like peanuts, but what’s three percent of one million?

Hasty hackers. Once the hacker gets the login information, he’s into the victim’s account within 30 minutes 20 percent of the time. They may spend a lot of time roaming around in the account, which often includes changing the password to keep the victim out.

Those strange e-mails. Ever get an e-mail in which the sender is a very familiar person, but the message was also cc’d to a hundred other people? And the body message only says, “Hi there!” and then there’s a link? This is likely an e-mail from the victim’s e-mail account (which the hacker knows how to get into), and the thief copied everyone in the victim’s address book. Recipients of these phishing attacks are 36 percent more likely to fall for the ruse than if the attack comes as a single message from an unfamiliar sender.

Fast adaption. Phishing specialists are good at quickly changing their strategies to keep up with changes in security.

The Google Online Security Blog recommends:

  • Not all “spam blockers” block 100 percent of all the phishing e-mails. Some will always slip through to your in-box. Never send personal information back to the sender of e-mails requesting personal information. Never visit the site through the link in the e-mail.
  • Use two-step verification whenever an account setup offers it. This will make it difficult for the hacker to get into your account.
  • Make sure your accounts have a backup e-mail address and phone number.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

7 Ways to Tell If It’s a Fake

Unfortunately in today’s world, scammers are coming at us from all angles to try and trick us to get us to part with our hard earned money. We all need to be vigilant in protecting ourselves online. If you aren’t paying attention—even if you know what to look for—they can get you.

9DThere are numerous ways to detect fake sites or emails, phishing, etc. Here are 10 you should know about:

  1. Incorrect URL. Hackers use fake sites to steal your information. Watch to make sure the URL is actually the one you want to be going to— if you notice the URL is different, that’s a good indication that the site is fake and you should NOT enter your information. There’s a number of ways you can protect yourself from this:
    1. If you’re on a computer, hover your mouse over the link to see a preview of the link URL in the status bar. Then check to see if the link site matches the site that it should be from. So for example if your email comes from North Bank or you type in North Bank into the Google search bar and the link is not going to www.northbank.com but something like www.banking-north.com you should not click.
    2. If you’re on a mobile device, use a link preview to see the actual URL before you click.
    3. You can also use McAfee® SiteAdvisor® on both your computer and mobile device to make sure the links you are going to are not bad links.
  2. Nosy Requests. Your bank won’t ask via email for your PINs or card information. Be suspicious of sites (or emails) requesting your Social Security number, identification number or other sensitive information.
  3. Sender’s Email Address. You can also check who sent the email by looking at the send address. It may say it’s from North Bank, but the email may be something strange like northbank@hotmail.com. The sender’s email should not be using a public Internet account like Hotmail, Gmail, Yahoo!, etc.
  4. Your Name. A legitimate email from your bank or business will address you by name rather than as “Valued Customer” (or something similar).
  5. Typos. Misspellings or grammatical errors are another sure sign that the message or site is fake.
  6. Fake Password. If you’re at a fake site and type in a phony password, a fake site is likely to accept it.
  7. Low Resolution Images. A tip-off to a false site is poor image quality of the company’s logo or other graphics.

Additionally…Hit delete. How about just hitting the delete button whenever an email comes to you from an unfamiliar sender? After all, if any legitimate entity needs to contact you about something urgent or crucial, they would have your phone number, right? They know your name, too. Remember, “just say no” to opening unfamiliar or suspicious looking emails.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.