
Phishing Alert: 10 Tips To Protect Your Business From Attacks

It is becoming far too easy for criminals to get their hands on your banking information, because your employees do not recognize phishing scams.

Malware attacks have soared recently, targeting banks for the purpose of stealing online banking credentials. Over 200,000 new infections occurred between July and September 2013, the highest jump in the past 11 years, according to a TrendLabs security report. Cyber-criminals are everywhere, and phishing is a favorite in their arsenal: it is both a way to trick people into handing over access and a way to get malware onto a computer.

ZeuS (aka Zbot) is a common piece of malware served from compromised websites. If you visit a site that is hosting ZeuS (or other malware), a drive-by download can infect your computer, typically by exploiting an unpatched browser or browser plugin. Once settled in, ZeuS captures online banking credentials as they are entered in the browser and transmits them to a remote server, where the cyber-criminals collect them. But for ZeuS to spread, someone has to open a phishing email and click the link that leads to the malware-hosting website.

Who's clicking on these links? Unfortunately, some of your employees probably are. According to a recent eWeek article, 18 percent of phishing messages are opened in the workplace, and yes, that includes clicking the accompanying malicious link.

That's not all: the numbers can go even higher. According to the report, one particular phishing campaign yielded a 72 percent click rate on its link.

Furthermore, the report states that 71 percent of users' computers are more susceptible to infection because they run outdated versions of popular software such as Microsoft Silverlight and Adobe Acrobat, which is exactly what drive-by downloads exploit.

How To Stop Your Employees

Training employees monthly to spot suspicious emails knocks the click rate down to 2 percent, far better than quarterly training does (19 percent). The report adds that cleaning up infected computers costs the company even though 57 percent of companies rated the impact of phishing attacks as "minimal." A "minimal" impact per incident still adds up to a lot of cleanup across a high volume of attacks: IT staff time to respond and employee downtime while systems are restored.

Those who take the bait are costing you money, and the potential risk to your business is enormous. The Anti-Phishing Working Group recommends the following tips. Share them with your employees ASAP.

  • Treat any email that requests personal financial information as a big red flag. If it names your company's bank, phone the bank about the suspicious email, using the number from your statement or the back of your card, never one printed in the message.
  • Be leery of exciting or worrisome statements designed to rattle your emotions rather than appeal to logic; think before you click!
  • Be highly suspicious of any message asking for a password, username, credit card number, date of birth or other private details about you or your company.
  • If you don't recognize the sender's name or address, or have no idea what the message could pertain to, simply ignore it. It's never urgent to click a link; you won't get fired if you don't.
  • Never enter confidential financial (or personal) data into a form embedded in an email.
  • An anti-phishing toolbar installed in the web browser can help protect you from fraudulent sites. The toolbar compares the addresses you visit against lists of known phishing sites and warns you before you have a chance to click through or give out private information.
  • The latest versions of Chrome, Firefox and Internet Explorer have anti-phishing protection built in (Safe Browsing in Chrome and Firefox, SmartScreen in Internet Explorer); make sure it is turned on.
  • Check bank, debit and credit card statements regularly for suspicious transactions.
  • If any transaction looks suspicious or unfamiliar, alert the appropriate personnel so they can contact the financial institution.
  • Keep the browser, and the plugins it loads, up to date, and install security patches promptly.
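Several of the tips above are checks a machine can run before a person ever sees the message: a link whose visible text names one site while its href points at another, a destination on a list of known phishing hosts (what an anti-phishing toolbar consults), and a form inside the mail that asks for credentials. The script below is an added example, not code from the article or from the Anti-Phishing Working Group; KNOWN_PHISHING_HOSTS and SAMPLE_EMAIL are constructed for the demo, and registrable_domain() is a crude stand-in for a public-suffix-list lookup.

```python
"""Scan an HTML e-mail body for the phishing tells listed above.

Added example, not the article's code. KNOWN_PHISHING_HOSTS and SAMPLE_EMAIL
are constructed; registrable_domain() approximates a public suffix lookup.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist standing in for a real anti-phishing feed.
KNOWN_PHISHING_HOSTS = {"secure-login.example-bank.co", "account-verify.example.net"}
# Field names that indicate a form is harvesting credentials or card data.
CREDENTIAL_FIELDS = ("user", "password", "passwd", "pin", "ssn", "card", "cvv", "account")
# Visible link text that itself looks like a hostname or URL.
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host):
    """Last two labels of a hostname; a real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkAndFormScanner(HTMLParser):
    """Collect (href, visible text) for every <a> and the field names of every <form>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.form_inputs = []
        self._href = None
        self._text = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "form":
            self._in_form = True
        elif tag == "input" and self._in_form:
            self.form_inputs.append((a.get("name") or a.get("type") or "").lower())

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "form":
            self._in_form = False


def scan_email_html(html, blocklist=KNOWN_PHISHING_HOSTS):
    """Return a list of findings; an empty list means none of the checks fired."""
    scanner = LinkAndFormScanner()
    scanner.feed(html)
    findings = []
    for href, text in scanner.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if host in blocklist:
            findings.append(f"blocklisted host: {host}")
        shown = HOST_LIKE.match(text)
        # The classic lure: the text shows the bank's domain, the href goes elsewhere.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text shows {shown.group(1)} but points at {host}")
        if parts.scheme != "https":
            findings.append(f"non-HTTPS link to {host}")
    asked = sorted({f for f in scanner.form_inputs if any(k in f for k in CREDENTIAL_FIELDS)})
    if asked:
        findings.append("in-mail form requests: " + ", ".join(asked))
    return findings


# Constructed lure in the style of the "your account will be suspended" e-mails above.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended in 24 hours. Confirm now:</p>
<a href="http://secure-login.example-bank.co/confirm">www.examplebank.com</a>
<form action="http://account-verify.example.net/go">
  <input name="username"> <input name="password" type="password"> <input type="submit">
</form>
"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against SAMPLE_EMAIL it raises four findings (blocklisted host, mismatched link text, non-HTTPS link, credential form); a mail whose link text and href both sit on the same registrable domain over HTTPS and that carries no form comes back clean. The mismatch check is the one worth keeping even without a blocklist, since a blocklist only knows about campaigns that have already been reported.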

Robert Siciliano, CEO of IDTheftSecurity.com, is a personal security and identity theft expert and speaker and the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.

Strong Passwords Aren’t Enough

I've said it before: use upper and lower case, mix numbers and letters, and, when the website allows it, use special characters. It has been documented that "Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries." That figure describes an attacker who has to try every combination at a fixed rate; it says nothing about a password that sits in a cracking dictionary or has already been captured.
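The arithmetic behind that quote is worth seeing once, because it shows what the claim assumes. The script below is an added example, not from the article: it backs out the guess rate at which 8 lowercase letters take 2.4 days (about a million guesses per second), applies the same rate to the full 95-character printable set to reproduce the "2.1 centuries", and then re-runs the same keyspace at a constructed, round GPU_RATE to show how the centuries collapse when the attacker is cracking a fast unsalted hash offline.

```python
"""Keyspace arithmetic behind the "2.4 days to 2.1 centuries" claim.

Added example, not from the article. Models an attacker who must try every
string of a given length over a given alphabet at a fixed guess rate. The rate
is derived from the article's own 2.4-day figure; GPU_RATE is a constructed
round number, not a benchmark.
"""
import string

DAY = 86_400
CENTURY = 100 * 365 * DAY

# Character classes an attacker has to include once they appear in the target.
CLASSES = {
    "lower": string.ascii_lowercase,      # 26
    "upper": string.ascii_uppercase,      # 26
    "digit": string.digits,               # 10
    "symbol": string.punctuation + " ",   # 33
}
PRINTABLE = sum(len(c) for c in CLASSES.values())  # 95


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def time_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case seconds to try every candidate at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def implied_rate(alphabet_size, length, seconds):
    """Guess rate that would exhaust the keyspace in exactly `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def attacker_alphabet(password):
    """Alphabet size an attacker needs if they know which classes the password uses."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for name, span in (("centuries", CENTURY), ("years", 365 * DAY), ("days", DAY), ("hours", 3600)):
        if seconds >= span:
            return f"{seconds / span:.1f} {name}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # Back out the guess rate that makes 26^8 take 2.4 days: about a million per second.
    rate = implied_rate(26, 8, 2.4 * DAY)
    print(f"lowercase x8 at {rate:,.0f}/s: {human(time_to_exhaust(26, 8, rate))}")
    print(f"printable x8 at the same rate: {human(time_to_exhaust(PRINTABLE, 8, rate))}")
    # Caveat: offline cracking of a fast unsalted hash runs orders of magnitude faster.
    GPU_RATE = 10**10  # constructed round number, not a benchmark
    print(f"printable x8 at {GPU_RATE:,}/s: {human(time_to_exhaust(PRINTABLE, 8, GPU_RATE))}")
    # Adding one capital and one symbol only widens the alphabet from 26 to 85 if the
    # attacker also has to guess which classes are present; it does nothing against a
    # dictionary that already contains the base word.
    for pw in ("password", "Pa*sword"):
        n = attacker_alphabet(pw)
        print(f"{pw!r}: alphabet {n}, {human(time_to_exhaust(n, len(pw), rate))} at {rate:,.0f}/s")
```

The "2.1 centuries" only reproduces when the attacker is assumed to brute-force all 95 printable characters at roughly a million guesses per second, the rate of an online attack or a slow hash. At ten billion guesses per second the same 95^8 keyspace falls in about a week, which is why the next paragraph's point about malware and key-loggers matters more than the exact character mix.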

Strengthening your passwords is great advice. It is just as important to make sure your PC is free of malicious programs such as spyware and key-loggers. Beware of RATs, a.k.a. "Remote Access Trojans." A RAT can capture every keystroke you type, take snapshots of your screen, and even record video of your screen or of you through the webcam. Most damaging of all, a RAT has full access to your files, and if you use a password manager it has access to that as well, at least while the vault is unlocked.

RATs covertly monitor a PC, generally without the user's knowledge. They are a criminal hacker's dream and the key ingredient in spyware. Well-known RATs include the LANRev Trojan and Back Orifice.

A RAT can be installed by someone with full physical access to the machine, or remotely when the user opens an infected attachment, clicks a link in a popup, installs a "permissioned" toolbar, or installs any other software that looks clean but isn't. Other routes include picking up a thumb drive you find on the street or in a parking lot and plugging it in, and even buying off-the-shelf peripherals such as a digital picture frame or an external hard drive that shipped infected from the factory. The bad guys can also trick a person into installing one while playing a game.

An unprotected PC is the path of least resistance. Use anti-virus and anti-spyware software, keep it updated, and have it scan automatically and often.

A PC you don't fully control is vulnerable. Do your day-to-day work from a standard (non-administrator) account and reserve administrative rights for deliberate installs, so that nothing can be installed behind your back.

Many people leave their PC on all day long. Consider shutting it down when not in use; a machine that is off cannot be reached remotely.

Robert Siciliano, personal security expert to Home Security Source, discussing digital picture frames with built-in viruses on Fox News.

Please Hack Me. My Password is 123456

Robert Siciliano Identity Theft Expert


Is this you? Are you a hacker's delight? Are you a lazy lima bean begging to be hacked? Recently, 32 million passwords were stolen from a social media site. Researchers studying the stolen passwords found that 1 percent of those 32 million people had used "123456" as their password. The second-most-popular password was "12345." Others in the top 20 included "qwerty," "abc123" and "princess."

In another breach, thousands of email addresses and their passwords were phished by identity thieves and posted in an online forum. Researchers parsed the hacked passwords and broke them down into categories based on their level of security. Some of the passwords were very weak: "111111," "123456," "1234567," "12345678" and "123456789" made the top list. Many of the stolen passwords were people's first names, which of course could be kids, spouses, etc. Obviously, anyone who uses an insecure password like this is more likely to get hacked, thanks to their laziness and less than sophisticated approach to security. 60 percent of the passwords contained either all numbers or all lowercase letters.

Beefing up passwords is much easier with a password manager. Combine uppercase and lowercase letters with numbers and special characters. Don't use consecutive letters or numbers, and never use the names of pets, family members, or close friends. Instead, use the first letters of a phrase: "Full moons on Saturday bring out whackos @12am!" becomes FmoSbow@12am! That's a strong password that no sane person will enter manually, but a password manager makes it practical.
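The two tallies above (the top-20 list and the share of passwords that are all digits or all lowercase) and the phrase-to-password trick can be checked against a dump with the script below. It is an added example, not the researchers' code or the article's: SAMPLE_DUMP and FIRST_NAMES are constructed, is_sequential() implements the "no consecutive letters or numbers" rule (including keyboard rows such as qwerty), and passes_policy() is one reading of the composition advice in the paragraph, with a 12-character minimum that is my assumption rather than the article's.

```python
"""Audit a password dump the way the researchers above did, and build the
mnemonic password the paragraph recommends.

Added example, not from the article. SAMPLE_DUMP and FIRST_NAMES are constructed
stand-ins for a real breach file and a real first-name list.
"""
from collections import Counter
import string

FIRST_NAMES = {"michael", "jessica", "ashley", "daniel", "princess"}  # constructed

# Constructed dump mimicking the patterns the post describes.
SAMPLE_DUMP = [
    "123456", "123456", "123456", "12345", "password", "qwerty", "abc123",
    "princess", "111111", "michael", "jessica", "daniel", "letmein",
    "FmoSbow@12am!", "Kx9#mPq!2vLr", "123456789", "ashley", "iloveyou",
    "sunshine", "12345678",
]

KEY_ROWS = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_sequential(pw, run=3):
    """True if pw contains `run` consecutive characters from the alphabet, the
    digits, or a keyboard row (abc, 123, qwe, ...)."""
    s = pw.lower()
    return any(s[i:i + run] in row for i in range(len(s) - run + 1) for row in KEY_ROWS)


def classify(pw):
    """Weakness categories a password falls into; an empty set means none found."""
    cats = set()
    if pw.isdigit():
        cats.add("all-digits")
    if pw.isalpha() and pw.islower():
        cats.add("all-lowercase")
    if len(pw) < 8:
        cats.add("short")
    if is_sequential(pw):
        cats.add("sequential")
    if pw.lower() in FIRST_NAMES:
        cats.add("first-name")
    return cats


def audit(dump):
    """Summarise a dump: most common values, share per category, and the single-class share."""
    total = len(dump)
    counts = Counter(c for pw in dump for c in classify(pw))
    single_class = sum(1 for pw in dump if pw.isdigit() or (pw.isalpha() and pw.islower()))
    return {
        "total": total,
        "top": Counter(dump).most_common(3),
        "pct_by_category": {c: round(100 * n / total, 1) for c, n in counts.items()},
        "pct_all_digits_or_all_lower": round(100 * single_class / total, 1),
    }


def mnemonic(phrase):
    """First letter of each word; tokens that start with a digit or symbol are kept whole,
    which is how "@12am!" survives in the article's example."""
    leading = string.digits + string.punctuation
    return "".join(w if w[0] in leading else w[0] for w in phrase.split())


def passes_policy(pw, min_len=12):
    """Composition rule from the paragraph plus the no-runs and no-names rules.
    The 12-character minimum is an assumption of this example."""
    has_all = (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
               and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))
    return len(pw) >= min_len and has_all and not is_sequential(pw) and pw.lower() not in FIRST_NAMES


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    print("top 3:", report["top"])
    print("by category:", report["pct_by_category"])
    print("all digits or all lowercase:", report["pct_all_digits_or_all_lower"], "%")
    pw = mnemonic("Full moons on Saturday bring out whackos @12am!")
    print(pw, "passes policy" if passes_policy(pw) else "fails policy")
```

On the constructed dump the top entry is "123456" three times over, and 85 percent of entries are a single character class, an even worse showing than the 60 percent the researchers reported. Note that "Princess123!" satisfies the four-class rule and still fails passes_policy() because of the "123" run, which is the point of the no-consecutive-characters advice.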

I’ve tried every possible password manager on the planet. There is only one that I have found to be incredibly efficient and secure. Roboform. This thing works great. I have it on 5 PCs and the iPhone and they all sync automatically.

Robert Siciliano, personal security expert to Home Security Source, discussing hacked email on Fox News.