Avoiding scams, phishing and malicious emails (things to watch for, how to report them + more)

November 19, 2014

Scam artists use clever schemes to defraud millions of people around the world each year. People need to learn how to recognize common phishing tactics and malicious emails, and what they can do to avoid them.

Scammers typically create emails and messages that look like they’re from real companies, agencies and organizations and even use their logos, fonts, layouts and color schemes.

According to OnGuardOnline.gov, some clues that an email or text message is suspicious include:

  • the message is requesting your personal information — do not respond or click links! Companies, agencies (like the IRS, etc.) and organizations will not request your password, user name, credit card data, account numbers, or other personal or financial data through e-mail or text.
  • the email appears in your junk folder;
  • the sender’s email address does not have that business or agency domain name in it;
  • when you hover over a link or coupon the web address is not that company’s / agency’s website;
  • if you receive a coupon for a free or discounted item, ask yourself if you signed up to get emails from this company. If not, it’s unlikely they’d send you a discount or freebie out of the blue;
  • the email or message has several typos, missing data or poor English.

If you’re not sure an email is legit, DON’T click any links or open any attachments. Instead, look for signs that the email isn’t the real thing or do a search or visit that company’s site to see if there are any complaints from others who received similar emails.

Shipping confirmations or delivery failed messages

The names of FedEx, UPS, USPS and other carriers are often used in fraudulent emails asking users to click on links that more often than not will place malware on the user’s machine. The subject lines typically say there was a problem with delivery, that they want you to verify information, or that some important information is missing. The fraudulent email may have an attached file that contains a virus or other malware … or the link may take you to a website that might download a malicious file. Don’t fall for these scams: report the email (if you want to), then delete it. Read more about delivery failure phishing scams on Denver’s ABC7.


Receipts

Be on the alert for fake emails posing as online retailers like PayPal, Amazon and others with a subject line similar to a receipt you would see for a purchase on that vendor’s online store, a PayPal payment to someone, etc. These fake receipt emails are sent by cyber criminals — not the retailers — and clicking links contained in a fake receipt email may install malware on your system, in particular spyware used in severe forms of cyber crime such as credit theft, extortion, and identity theft.

For example, just last week I placed a small order on Amazon and received my order confirmation as usual.

The next day I received another Amazon confirmation email for a $1,099 electronic device and the first thing I thought of is someone hacked our account..!

I immediately logged onto Amazon.com and checked our shipping history and it didn’t appear so I went back to the email in my Inbox and noticed several things…

#1 – The “To” line had an email id called “bobrph@…” (my name is Janet);

#2 – The “Hi %USERNAME%” didn’t auto-populate a name;

#3 – When you hover the mouse over a link (DON’T CLICK IT – just hover) it displays a website NOT called “amazon.com/…” but rather “imailsolution.com/…”. << We strongly suggest you not visit this site – just in case!


Note the email has Amazon’s logo, and its layout, fonts and color scheme are almost identical to a typical order confirmation email from them, so you need to be on guard.

#4 – As I scrolled down and hovered the mouse over other links (again without clicking) the same domain / website name kept showing up.


#5 – Whoever designed this email even added a typical footer that Amazon uses on their confirmations. This was just an image (nothing popped up when I hovered over these links), but it sure gives the appearance it is a normal message from them.
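
The clues from the walkthrough above (wrong recipient, unfilled placeholder, sender and links on another domain) can be checked mechanically. This Python sketch is an added example, not part of the original post; the sample message, its example.* addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fake order confirmation described above.
# Hosts under example.* are placeholders, not real indicators.
SAMPLE = """\
From: "Amazon.com" <order-update@mailer.example.net>
To: bobrph@example.org
Subject: Your Amazon.com order confirmation
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi %USERNAME%,</p>
<a href="http://tracking.example.net/order?id=1">View order</a>
<a href="https://www.amazon.com/gp/help">Help</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.add(host)  # the real target, whatever the link text says

def in_domain(host, domain):
    # Exact match or true subdomain; "amazon.com.example.net" must not pass.
    return host == domain or host.endswith("." + domain)

def phishing_clues(raw, brand_domain, my_address):
    msg = message_from_string(raw)
    body = msg.get_payload()
    clues = []
    sender = parseaddr(msg["From"])[1].lower()
    if not in_domain(sender.rpartition("@")[2], brand_domain):
        clues.append("sender domain is not " + brand_domain)
    if parseaddr(msg["To"])[1].lower() != my_address.lower():
        clues.append("addressed to someone else")
    if re.search(r"%[A-Z_]+%", body):  # e.g. "Hi %USERNAME%"
        clues.append("unfilled template placeholder")
    parser = LinkCollector()
    parser.feed(body)
    for host in sorted(parser.hosts):
        if not in_domain(host, brand_domain):
            clues.append("link points to " + host)
    return clues
```

Calling `phishing_clues(SAMPLE, "amazon.com", "janet@example.org")` returns all four clues for the constructed message. A clean result is not proof that a message is genuine.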


If you click a phishing or malicious link…

According to Anti-abuse.org, once a victim visits a malicious website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of the legitimate entity’s URL over the address bar, or by closing the original address bar and opening a new one containing the legitimate URL.

In another popular method of phishing, an attacker uses a trusted website’s own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service’s own web page, where everything from the web address to the security certificates appears correct.

A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce any website and capture any login details entered at the fake site.

Report Malicious / Phishing / Scam emails

It does help to report suspicious emails to the respective company but it is always best to find out how they want you to report it. Some may ask you to forward an email while others prefer you send it as an attachment.

Below are some examples of common brands we’ve seen in suspicious emails over the years, and it’s easy to do a search on a company name and the phrase “report phishing” to find their preferred method of sending them the data.

Once you report an email just delete it so you don’t accidentally click on any links in it later. Realize you probably won’t hear back from the company you reported the malicious email to, but you will get an auto-reply explaining they received it and will be investigating it.

As Amazon.com mentioned in the auto-reply to me, “please be assured that Amazon.com is not in the business of selling customer information. Many spammers and spoofers use programs that randomly generate e-mail addresses, in the hope that some percentage of these randomly-generated addresses will actually exist.”

You can also forward phishing emails to phishing-report@us-cert.gov and/or reportphishing@antiphishing.org. The Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

If you might have been tricked by a phishing email:

Additional resources:

OnGuardOnline.gov
StaySafeOnline
US-CERT
Anti-Phishing Working Group
Protecting your devices from cyber threats

Stay safe out there..! j & B


Get involved with October 2014 National Cyber Security Awareness Month #NCSAM

October 2, 2014

Did you know October is cyber security month in several countries?

America’s National Cyber Security Awareness Month or NCSAM campaign – under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance – has grown exponentially, reaching consumers, small and medium-size businesses, corporations, educational institutions, and young people across the nation.

Cybersecurity begins with a simple message everyone using the Internet can adopt: STOP. THINK. CONNECT. Take security and safety precautions, understand the consequences of your actions and behaviors online, and enjoy the benefits of the Internet.

The National Cyber Security Alliance has #NCSAM tools, banners and materials to help home users, K-12 Educators, Higher Education, Small Businesses and more get involved at www.staysafeonline.org. You can also follow NCSA on Facebook or on Twitter @STOPTHNKCONNECT and @StaySafeOnline and search #NCSAM to find more cyber safety tips and resources.

Canada’s national public awareness campaign Get Cyber Safe was created to educate Canadians about Internet security and the simple steps individuals can take to protect themselves online. Learn more at www.getcybersafe.gc.ca and follow them on Twitter @GetCyberSafe

And the European Union advocacy campaign European Cyber Security Month (ECSM) aims to promote cyber security among citizens, to change their perception of cyber-threats and provide up to date security information, through education and sharing good practices. Visit http://cybersecuritymonth.eu/ to learn more and follow #cybersecawarenessmonth on social media to keep up on activities in Europe.

As NCSA explains… The Internet is a shared resource and securing it is Our Shared Responsibility. Everyone has a role in securing their part of cyberspace, including the devices and networks they use. If each of us does our part—implementing stronger security practices, raising community awareness, educating young people or training employees—together we will be a digital society safer and more resistant from attacks and more resilient if an attack occurs.

Also read and share our Oct 2013 enews article called Protecting devices from cyber threats.

Stay safe out there, j & B

 

 


Shellshock Bash bug impacts Linux, Unix and Mac systems (and hackers are already exploiting it)

September 25, 2014

A serious flaw has been found in a software component known as Bash (Bourne Again Shell), which is a part of many Linux / Unix systems as well as Apple’s Mac operating system.

The bug, dubbed Shellshock, can potentially be used to remotely take control of almost any system using Bash, researchers said. The bug, which has gone undetected in the software for at least 22 years, was just disclosed yesterday 24-Sep-2014.

According to Securelist.com … “it is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. Basically it lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables, but not every system is vulnerable since certain conditions must be met. … The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points. They are also vulnerable and, in many cases, difficult to patch.”

Chris Griffith, Senior Technology Journalist @ The Australian writes… “The security hole poses an enormous threat to everything from computers to sewerage treatment plants, pump networks, to web servers, traffic lights, airport lights, SCADA systems and even Apple Mac computers. That’s because the hole has been found in a piece of code that’s fundamental to the running of machines across the internet, along with network infrastructure such as routers, switches, and phone exchanges. It opens the door for hackers to obtain access to computers and other systems through a web browser. From there they can infiltrate and play havoc with machines as well as the corporate computer networks they are part of. …”

According to Trend Micro … “LINUX powers over half the servers on the Internet, Android phones, and the majority of devices in the Internet of Things (IoT) so the reach of this is very broad. Also, because Bitcoin Core is controlled by BASH, this vulnerability can impact Bitcoin miners and other Bitcoin related systems, making them potentially a very attractive target to attackers.”

Shellshock rates 10 out of 10 on the scale of vulnerabilities. For perspective, Heartbleed rated an 11 but that bug required more work to exploit holes, whereas Shellshock opens the way for hackers to add and manipulate code or data into “shell” commands.

Several exploits have already been identified in the wild (read here, here and here) and some experts are concerned this bug is “clearly wormable” and may get much worse in the coming months.

But not all security experts agree this is “Heartbleed 2.0”. Brad Chacos writes in PCWorld … “Jen Ellis of security firm Rapid7 says the Shellshock bug’s outlook isn’t quite as grim, even if it is rampant. Ellis writes, ‘The conclusion we reached is that some factors are worse, but the overall picture is less dire… there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild.’ …”

No one really knows for sure how bad things could get with Shellshock, but one thing everyone agrees on is system administrators and developers need to patch this Bash bug asap.
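
One way for administrators to look for Shellshock probing in web server logs, added here as an example and not taken from the original post or the linked advisories. It assumes combined log format and relies on the fact that web servers pass request headers to CGI scripts as environment variables; the log lines, the `/cgi-bin/` triage rule and the function name are constructed for illustration.

```python
import re

# Constructed access-log lines in combined log format. Addresses come from the
# documentation ranges; the text after the prefix is a harmless stand-in.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 88 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.5 - - [25/Sep/2014:10:02:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 0 "() {:;}; echo constructed-sample" "curl/7.30"',
]

# client, timestamp, request line, status, size, referer, user agent
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
# A value that starts with a shell function definition, "() {", is what the
# vulnerable Bash versions mis-parse when it arrives in an environment variable.
FUNC_DEF = re.compile(r'^\s*\(\)\s*\{')

def shellshock_probes(lines):
    """Return one finding per log line whose header fields carry the prefix."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        client, when, request, status, referer, agent = m.groups()
        hit = [name for name, value in (("referer", referer), ("user-agent", agent))
               if FUNC_DEF.search(value)]
        if hit:
            parts = request.split()
            path = parts[1] if len(parts) > 1 else ""
            findings.append({
                "client": client, "time": when, "path": path, "fields": hit,
                # assumption: a 200 from a CGI path is reviewed before a 404
                "review_first": status == "200" and path.startswith("/cgi-bin/"),
            })
    return findings
```

Only the referer and user agent are logged in this format, so a probe carried in any other header will not show up here.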

PATCH AVAILABLE

Patches are available through the links below, but realize there will most likely be a series of patches going forward.

US-CERT recommends administrators and users review CVE-2014-7169 in the National Vulnerability Database as well as the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. As of 24-Sep-2014 GNU Bash patch is also available for experienced users and administrators to implement on all current versions of Bash, from 3.0 to 4.3.

Some security researchers warn that the patches are “incomplete” and would not fully secure systems. Of particular concern to security experts is the simplicity of carrying out attacks that make use of the bug. Read more at RedHat.com

WHAT CAN I DO?

As Mashable explains… “Unlike Heartbleed, which forced users to change their passwords for various Internet services, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.”

Kaspersky Labs’ Global Research & Analysis Team has a great Q&A about the “Bash” vulnerability with an easy test on how to check if your system is vulnerable on Securelist.com. There is some geek-speak throughout the Q&A but it could be helpful to some techie users and programmers.

The patching process for Apple users is described over at StackExchange, but be warned – according to Mashable, it requires a certain level of command line-level knowledge to be applied.

For general home users worried about security, watch for updates (esp. OS X and Android users) and pay attention to updates from Internet providers and manufacturers – particularly for hardware such as broadband routers. Also be wary of emails requesting information or instructing you to click links or run software to “fix” this bug.

Unfortunately this situation is only starting to manifest and metastasize and, as Kaspersky Lab chief executive Eugene Kaspersky said, “the internet should expect a lot of exploits and hacked websites to be disclosed in coming weeks.”

MORE INFORMATION

Some helpful sites and articles with fixes, explanations about various vulnerabilities and more are…

Red Hat’s Security Blog

Red Hat’s original post about vulnerability

“Bash” (CVE-2014-6271) vulnerability – Q&A by Kaspersky Labs’ Global Research & Analysis Team

U.S. Computer Emergency Readiness Team

Everything you need to know about the Shellshock Bash bug by Troy Hunt via TroyHunt.com

What you need to know about Shellshock, aka the “Bash Bug” by Mark Nunnikhoven @ Trend Micro

Bash Vulnerability – Shell Shock – Thousands of cPanel Sites are High Risk by Daniel Cid @ Sucuri Security blog

Shellshock DHCP RCE Proof of Concept by TrustedSec.com

Major Bash Vulnerability Affects Linux, Unix, Mac OS X by Michael Mimoso @ ThreatPost

Worse than Heartbleed? by Jim Reavis @ Cloud Security Alliance

Shellshock: The ‘Bash Bug’ That Could Be Worse Than Heartbleed by Stan Schroeder @ Mashable

Why You Could Be At Risk From Shellshock, A New Security Flaw Found In Linux by James Lyne @ Forbes

Unix/Linux Bash: Critical security hole uncovered by Steven J Vaughan-Nichols @ ZDNet

Shellshock: ‘Deadly serious’ new vulnerability found by Dave Lee @ BBC

Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm by Darren Pauli @ The Register

‘Bigger than Heartbleed’ Shellshock flaw leaves OS X, Linux, more open to attack by Brad Chacos on PCWorld

