Tech Talk: Sextortion is the Latest Email Scam


The following article was published in today’s editions of Foster’s and Seacoast Sunday.

The headline is racy, Sextortion. It’s the latest email scam circulating the internet and it certainly raises some eyebrows and causes anxiety for many recipients. The good news is it’s an email scam that sounds a lot worse than it is.

Here’s how it works. You receive an email with a subject containing a username and password you are either currently using or have used in the past. The message goes on to say that you recently visited an adult website and while you were there, the sender of this email installed malware on your computer. This malware allowed them to take control of your webcam and record you. Unless you agree to send a ransom in Bitcoin, the sender threatens to release the videos they have of you and the adult websites you have visited to your contact list.

The sender also employs a little odd humor, commenting on your good taste in adult videos you watch. That aside, there is nothing funny about this. This scam plays on your sense of privacy and prudence. It attempts to shame you into paying a ransom to protect your reputation. It’s just the latest example of extortion attempts via email.

So where are the bad guys getting your username and password? The first thing to confirm is whether the password is one you use currently. It may be. It may also be one you have not used for years. Most security researchers believe that the usernames and passwords are being obtained from databases on the Dark Web that have millions of compromised credentials, gathered from numerous data breaches that have taken place over the last ten or more years. The problem is that many people don’t change their passwords often or use a unique password for each site they log in to. So, it’s quite likely that the password may still be in use on at least some of the websites that you visit.

The good news is there are no reports that anyone has actually had the threats in the email carried out. But the threat is what gets people to take action and, in some cases, actually pay the demanded Bitcoin ransom. You should never do this, as it just fuels these scams. All indications are that this is an automated scam, mining data on the Dark Web and crafting these email messages. If the bad guys behind this receive even a small fraction of the ransom they are demanding, they will make out pretty well. Don’t fall for the scam and help them make money.

So, what can you do to help protect yourself against email scams like this? Use a strong password, preferably a passphrase made up of several words put together, which will be very difficult to hack. I recommend a bare minimum of 12 characters, mixing upper and lower case letters, numbers and symbols. Don’t use the same password on more than one website. This is probably the most difficult thing to do, with all the username and password combinations you have. If you struggle with this one, look into a password manager to help you manage all the usernames and passwords you have. If you are not familiar with password managers, Google them and read user reviews to see if one may be good for you. Also, be sure to enable two-factor authentication whenever it is an option, to further secure your logins.

Most importantly, if you get one of these messages, don’t panic and absolutely do not reply or send the ransom. The worst thing you can do is engage in an exchange with a hacker like this. Or pay them.

Sextortion, the Latest Email Scam


Have you received an email with your password in the subject line? If you have, you may be the latest victim of “sextortion,” the latest email scam making its way around the internet.

Here’s an example of what the email you may receive might look like:

Subject: yourusername – yourpassword
I am well aware yourpassword is your pass. Lets get straight to point. You may not know me and you are probably thinking why you’re getting this email? Not one person has paid me to investigate you.
actually, I installed a malware on the X videos (pornography) web site and guess what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated operating as a Remote control Desktop that has a keylogger which provided me accessibility to your display screen as well as cam. Just after that, my software obtained your entire contacts from your Messenger, Facebook, as well as e-mail . After that I created a double-screen video. 1st part shows the video you were viewing (you have a nice taste : )), and 2nd part displays the view of your cam, & it is you.
You got only 2 choices. Let us explore these types of choices in aspects:
1st solution is to just ignore this email. In this situation, I will send your actual recorded material to every one of your contacts and just consider about the awkwardness you can get. And consequently if you are in a committed relationship, how it will affect?
In the second place alternative should be to compensate me $7000. We are going to call it a donation. Then, I most certainly will asap remove your video recording. You can keep on your life like this never happened and you will not ever hear back again from me.
You’ll make the payment through Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: 1MVikLH1GbsvYa8bXVGScgZLXP1tVNH9o4
[case-sensitive so copy & paste it]
Should you are planning on going to the police, anyway, this email message cannot be traced back to me. I have taken care of my steps. I am not attempting to demand a whole lot, I simply want to be paid. You have one day to make the payment. I have a unique pixel within this e-mail, and at this moment I know that you have read through this e-mail. If I do not get the BitCoins, I will, no doubt send your video recording to all of your contacts including family members, co-workers, etc. Nevertheless, if I receive the payment, I will destroy the recording right away. If you want proof, reply Yea! then I will send your video recording to your 7 friends. This is a nonnegotiable offer and thus do not waste mine time and yours by responding to this e-mail.

Despite the dire warning, this is a harmless scam. The sender is trying to intimidate you into sending them a Bitcoin payment, plain and simple. Numerous credible security researchers have determined that the hackers are getting your username and password from databases on the Dark Web that sell stolen credentials. In some cases, these passwords may be years old.

You can check to see if your information has been exposed on the Dark Web by checking the Have You Been Pwned? web site.  The link is to a post I wrote about that some time ago.

If you get a message like this, delete it and ignore it. This is just the latest email scam going around, but due to its salacious nature, it’s garnering a lot of concern.
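A mail-filter heuristic for the message pattern shown above, as an added example that is not part of the original post: it scores a message on the traits the sample exhibits and only counts a Bitcoin address whose Base58Check checksum verifies. The indicator names, the threshold of three and both sample messages are constructed assumptions; the sample address is generated from dummy bytes.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58 Bitcoin address candidates: leading 1 or 3, 26-35 characters.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Subject of the form "<username> - <password>", as in the sample on this page.
SUBJECT_RE = re.compile(r"^\s*(\S+)\s*[–-]\s*(\S+)\s*$")
CAM_RE = re.compile(r"\b(?:web)?cam\b|\brecord(?:ed|ing)\b", re.I)
PAY_RE = re.compile(r"\b(?:bitcoins?|btc)\b", re.I)
DEADLINE_RE = re.compile(r"\b(?:one|two|\d+)\s+(?:day|hour)s?\b", re.I)
CONTACTS_RE = re.compile(r"\bcontacts?\b", re.I)


def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode version+hash bytes (only used to build sample data)."""
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing checksum matches."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _checksum(raw[:-4]) == raw[-4:]


def sextortion_indicators(subject: str, body: str) -> list:
    """Return the names of the indicators that this message matches."""
    hits = []
    m = SUBJECT_RE.match(subject)
    if m and m.group(2) in body:
        hits.append("credential_echoed_from_subject")
    if any(b58check_valid(a) for a in BTC_RE.findall(body)):
        hits.append("valid_btc_address")
    if CAM_RE.search(body):
        hits.append("webcam_recording_claim")
    if PAY_RE.search(body) and DEADLINE_RE.search(body):
        hits.append("crypto_payment_deadline")
    if CONTACTS_RE.search(body):
        hits.append("threat_to_contacts")
    return hits


def is_sextortion(subject: str, body: str, threshold: int = 3) -> bool:
    # A single indicator is weak evidence; require several before flagging.
    return len(sextortion_indicators(subject, body)) >= threshold


# Constructed samples. The address is generated from dummy bytes, not a real wallet.
SAMPLE_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))
SCAM = ("yourusername – yourpassword",
        "I am well aware yourpassword is your pass. My software recorded you "
        "through your cam. You have one day to make the payment in Bitcoin.\n"
        f"BTC Address: {SAMPLE_ADDR}\n"
        "Otherwise I will send the video to all of your contacts.")
BENIGN = ("Shipment 4471 - delayed",
          "Tracking reference 1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA. Please update "
          "your contacts list so the courier can reach you within 2 days.")

if __name__ == "__main__":
    for subject, body in (SCAM, BENIGN):
        print(subject, "->", sextortion_indicators(subject, body))
```

The benign message trips only one indicator because its address-shaped tracking reference fails the checksum, which is why the filter validates candidates instead of trusting the regular expression alone.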

The following is an email alert that Onepath, my employer, put out earlier today on this matter. There are some prudent recommendations in this message, to help maintain your online safety. Stay Safe Online!

Onepath Alert

We have become aware of a new scam making the rounds that we want to alert you to.  You or your colleagues may receive an email that includes a password that you may currently use or have used in the past. This email may make reference to you having visited an adult web site or that the hacker sending the email may have installed malicious software on your computer. In some instances, the email may also state that the hacker has activated your webcam and captured video of you. The email will ask you to pay a ransom, in Bitcoin, to avoid any embarrassing information about you being leaked to your contact list. Rest assured that this is a scam. At this point in time, Onepath is not aware of this being a valid threat.

Research suggests that this is just the latest type of automated email scam that seeks to scare the recipient into making a payment. Onepath urges you to never make payments to hackers as a result of an email like this. Multiple security researchers feel that the password emailed to you was obtained from a database of hacked passwords that were obtained from one of the large hacks that have taken place over the last several years. In other words, this is not a current threat. That said, we still recommend you do the following, to help ensure that your accounts are as safe as possible:

  1. Do not use the same password across multiple online accounts.
  2. Instead of a password, consider using a passphrase, a collection of words and make them complex, replacing letters with numbers and symbols and mixing upper and lower case.
  3. Where you can, enable two factor authentication to further protect your account.
  4. Consider use of a password manager to make managing your online accounts a bit easier and more secure.

Onepath recommends that our clients have an information security game plan that focuses on the following:

  1. Take steps to protect your company’s, customers’ and suppliers’ data.
  2. Regularly discuss data protection and system access with your employees.
  3. Implement incremental steps to mitigate data breach and system access risk in your environment.

Your Onepath Client Engagement Manager can help evaluate your present security posture and recommend testing and training solutions to help your employees maintain a proactive defense against many threats. Onepath’s Information Security Division also provides a full suite of services that can assist you with the development of a more complete security game plan. If you have any further questions please contact your Client Engagement Manager.

978.683.9100
www.1path.com

Roundup of Informative News


Here’s another roundup of some really informative articles that have been published on the Onepath web site.  I hope you will check them out as there is some truly great content here from some real industry luminaries.  Let me know what you think of these pieces.  We love feedback and knowing what we’ve done well and what you are interested in learning more about.  Enjoy!

The Business Side of Cybersecurity – Keynote Presentation to Georgia Construction Conference
Given by Greg Chevalier

InfoSec

With all the big companies in the news for data breaches or other cyber security “incidents,” does the average mid-size business really need to worry about cybersecurity?  In his keynote presentation to the 2018 Georgia Construction Conference at the Cobb Energy Centre in Atlanta last week, Greg Chevalier helped a group of finance and operations executives understand the answer is a definitive “yes,” and not just to protect yourself directly, but also indirectly through your trading partners.

Network traffic has grown rapidly; your cybersecurity needs to evolve with it.  Network traffic has grown exponentially over the last 20 years, driven not just by the adoption of smartphones and laptops for personal use, but by the explosive growth of machines on the network.  Not just servers, but firewalls, edge routers, webcams, wireless access points, vending machines and thermostats.  Each of these devices presents something that needs to be either protected or potentially defended.  In the ‘90s, intrusion prevention systems were largely sufficient to deal with the individuals who may be bad actors trying to attack a manageable number of machines using fairly common security frameworks.  But with the rise of so many different machines on the network, the number of security frameworks has grown just as fast.  This means your cybersecurity has to now solve for an exponentially greater number of potential issues than 10 years, or even 5 years ago.  As a business executive, you have to consider when was the last time you made a meaningful update to your IT security infrastructure?  In response, various industry groups and regulatory bodies have developed security regulations such as PCI (payment cards), HIPAA (healthcare), GLBA (banking), FINRA (financial services) as well as industry standards such as ISO 27001/2, SOC Type I/II,III, and NIST CSF to help companies keep their data and their networks secure. [Continue reading…]


10 Ways to Improve Your Conference Room Meeting Experience
By Michael Lane

The first 10 minutes of a 30 minute meeting all-too-often look like this:

“How do we connect my laptop to the TV?”

“Can someone get Sarah? She knows how to turn on the projector.”

“I think I have the wrong meeting link; here let me find that in my email.”

“While I’m looking, can someone go ahead and dial us in on the speakerphone?”

“There we go. Can everybody hear me? No? Here, I’ll slide over closer to the microphone.”

By the end of the meeting, you may not even realize you’ve run out of time until someone pops their head through the doorway because they’ve booked the room for the next block of time, and now you’re delaying the start of their meeting.

$37 billion is lost annually to poor meetings, according to the U.S. Bureau of Labor Statistics.

Audiovisual (AV) has changed from a speciality area to a business-critical application. Businesses need to interact with remote workers, remote clients, and remote vendors, so presentation and collaboration technology is increasingly part of how we communicate. AV equipment is therefore becoming as central to running your business as other communications like phone or email. The shift to AV being business-critical in nature has in turn created a demand for reliable, sustainable, and repeatable AV solutions. [Continue reading…]



Q&A: What Can We Learn from the Atlanta Cyberattack?
By Patrick Kinsella

In light of the recent and ongoing ransomware cyberattack affecting the City of Atlanta’s IT systems, we sat down with Onepath’s Senior VP of Engineering and Technology Patrick Kinsella, to get his perspective on the events of the last week. The ransomware attack began on Thursday, March 22, and affects almost half of the city’s systems, from Municipal Courts to Watershed Management. On Tuesday, March 27, city employees were advised to turn their machines back on. By Friday, a few systems were slowly starting to come back online, but a couple were still not back up.

Q: What is ransomware?

A: It’s the information technology version of someone breaking into your home, locking you out of it, and demanding a ransom to regain entry; all the while you hope your belongings are intact when you’re able to return. In the IT world, the items being held captive could be personal health information (PHI), or other personally identifiable information (PII), which may actually belong to your business’s customers or stakeholders.

Q: When a ransomware cyberattack happens, what are the first things a business, or in this case a city, usually does to respond?

A: The first thing is, do everything you can to stop the bleeding. You determine what you need to shut down, and what backups need to be stopped from running to avoid poisoning the last good copy, assuming you’ve been diligent in running backups. In a different incident, for example, Hancock Health shut everything off after being hit with ransomware—computers, backup scripts—within 90 minutes. For the City of Atlanta, they seem to have followed that procedure as well. [Continue reading…]



Onepath Launches Cybersecurity Self-Assessment Tool
Created by our Web Dev Team

Onepath has created a cybersecurity self-assessment tool to help businesses establish a baseline of their current security level and posture. The questions are around the basics – the blocking and tackling needed to establish an information security foundation. It may be just a start, but it could be that critical first step you take to get your business on a path toward cyber protection. [Take the assessment…]

Onepath Cybersecurity Self-Assessment Tool


Today, Onepath released our new Cybersecurity Self-Assessment Tool. This simple, 20-question tool will help you determine your organization’s cybersecurity posture, in plain English.

This was created by our marketing team, with expert oversight from Greg Chevalier, our VP, Information Security Practice.  Take the assessment and let me know what you think.  We think it’s a great tool to help our clients and friends understand the ever changing cybersecurity landscape and where they may be vulnerable.

Here’s the email announcement that went out this morning:


There are many steps that companies need to take to defend themselves, their systems and their data. Those steps, however, and the degree of cybersecurity protection required depend on a number of factors, including the individual business’s risk assessment and tolerance.

Going through these processes can be complicated and overwhelming, leaving many businesses not knowing where to start. Even companies that have programs in place, and have taken steps to improve their information security position, are now left wondering if what they’ve done is right, or is enough.

Onepath has created a cybersecurity self-assessment tool to help businesses establish a baseline of their current security level and posture. The questions cover the basics – the blocking and tackling needed to establish an information security foundation. It may be just a start, but it could be that critical first step you take to get your business on a path toward cyber-protection.


Cyber Supply-Chain Attacks


I recently attended a webinar sponsored by the FBI’s InfraGard program, which I am a member of. I wanted to share some useful information from this webinar.

Do you know what a cyber supply-chain risk is? If not, you should. Simply stated, a cyber supply-chain risk is the risk of a hack or data breach from a 3rd party that you allow to access your secure computer network. This could be anything from a consultant that works for you to your air conditioning or security system vendor, if they connect remotely into your network to manage these systems.

Here is some thought-provoking information regarding cyber supply-chain risks:

  • 50% of data breaches are attributable to a 3rd party vendor.
  • 83% of organizations do nothing to manage third party risk.
  • 80% of data breaches are discovered by someone outside the breached organization.

So, what are some of the things you can do to mitigate your risk?

  1. Assess the risk before you allow a vendor access to your network.
  2. Understand your level of risk.  Is a large company a large risk and a small company a smaller risk?  Not necessarily.
  3. Perform an independent security assessment to understand your level of risk.  This assessment should include, at minimum:
    • Network/Perimeter Scan.
    • DNS Resilience.
    • Email Security.
    • Web Application Security.
    • Hacker Threat Analysis.
    • Breach Metrics.
    • Patching Cadence.

Keep in mind that doing an assessment is just the start.  It’s important to have the tools and processes in place to manage the assessment results.

If you live in a regulated world, you have even more to worry about. If you take credit cards, you need to comply with PCI 12.8. If you are in healthcare, you are governed by HIPAA and if you do business in or have employees who are residents of the EU, you must comply with GDPR.

It’s not a matter of if you will be at risk, it’s a matter of when.  You need to have a plan for dealing with a breach caused by a vendor.  Understand your communication and reporting responsibilities and develop your plan now, not after you have an incident.

Remote Workers Pose More Risk


Shred-it, the world leader in document destruction, has released their 2018 State of the Industry Report and it includes some interesting findings with regard to remote workers.  You may click on the link to request a copy of the full report from Shred-it, if interested.

The stat that is most striking is that 86% of C-Suite executives believe that remote workers increase the company’s risk of suffering a data breach. When looking just at small business owners, that number is 60%.

Employee negligence and a lack of information security are cited as the number one reason for this concern. When employees work remotely, they may not be as careful as they are when working in the office. This could be a result of using public WiFi or using devices other than company issued assets.

If you allow employees to work remotely, you should insist on several simple steps to help keep your business safe.  While not all inclusive, the following are six basics that should be considered a must for anyone who works remotely.

  1. Only allow company work to take place on company issued or managed devices.  While many companies now support a “BYOD”, Bring Your Own Device policy, those devices still need management, to ensure that company data is not stored inappropriately in locations that the company has no visibility to.
  2. Public WiFi should be avoided.  With nearly all mobile plans now supporting unlimited data, employees should use their mobile hotspot feature when not at their home or remote office.
  3. Only access company resources via HTTPS connections or over a company managed VPN.
  4. When in public spaces, be mindful of wandering eyes. Whether at a cafe or on an airplane, nosy neighbors and people sitting behind you are in easy sight of confidential information you may have on your screen. Consider a privacy protector for these instances or sit in a location that prevents others from viewing your screen.
  5. Never let a friend or family member use a company issued or managed device. You never know what they may expose you to.
  6. Report a lost or stolen device immediately!  If you suspect you may have exposed company data in any way, report it immediately!

Shred-it also released a great infographic that summarizes their report, which you may access here.

Stay safe out there!

It’s Internet Safety Month #CyberAware


Happy June!  Did you know that June is Internet Safety Month?  Well now you do.

The National Cyber Security Alliance, NCSA, has declared June Internet Safety Month and this year, the focus is on mobility.  I recommend reading the NCSA press release “Stay #CyberAware on Mobile Devices during Internet Safety Month and All Year Round” for a wealth of informational resources.

This year’s theme centers around kids getting out of school and families taking summer trips. It’s all about mobility and your online presence. Major topic areas cover “Be Smart About Socializing”, “Stay in the Game Safely”, “Getting Ready to Go”, and “While on the Go.” There are also links to virtual events that you may be interested in participating in.

Enjoy the month of June and the entire summer.  And do so safely.


FBI VPNFilter Cyberattack Warning


The FBI has issued an urgent advisory that will impact many, if not most, home users of the Internet. The specific threat, which is felt to be state-sponsored, is known to have infected over a half million home and SOHO router devices.


Specifically, if you own a home or SOHO router or NAS (network attached storage) device made by Linksys, MikroTik, Netgear, TP-Link or QNAP, the advisory recommends rebooting the device as soon as possible. Rebooting will disrupt a portion of the malware. If the malware has already embedded itself into the device, there may still be a risk after the reboot. To ensure maximum safety, you may wish to perform a factory reset on your device and set it back up with a secure password and wireless passphrase (if your device doubles as a wireless access point) that is different from what you had previously.

While it is not likely that you, individually, are the target of the hackers, your device may be being prepped to help execute a broader cyberattack that could, theoretically, put your data at risk. An abundance of caution is warranted given the urgency of the FBI advisory. It is also recommended to be sure your device is running the latest manufacturer firmware version and that you disable all Internet accessible remote management of your device.

You may read the FBI advisory here.

GDPR Insight from Onepath


Our awesome marketing team at Onepath put together the following informational piece to help our clients and friends understand GDPR and its potential impact on you and your business.  There are some excellent resources below, which I encourage you to read.


The GDPR goes into effect tomorrow. Does it apply to you? Are you ready?
Here are five hand-picked articles from around the web that will tell you everything you need to know.


What is the GDPR?

So what is the GDPR exactly? Here’s an overview that includes the key elements of the far-reaching and complicated European Union legislation.
1path.com

 


Yes, The GDPR Will Affect Your U.S.-Based Business

What about companies that have no business operations in the European Union? Read about the homework they need to do.
Forbes.com

A Practical Guide to the European Union’s GDPR for American Businesses

American businesses operating or serving customers in the EU need to understand what they need to do to prepare for a new reality.
Recode.net

 


How might GDPR affect your website?

If companies are affected by this new regulation, they need to continue to research GDPR policies, and create a plan.
1path.com

 


GDPR in Real Life: Fear, Uncertainty, and Doubt

Why are most organizations still not ready for GDPR? And what are the implications and mechanisms of applying GDPR provisions for companies, individuals, and regulators?
ZDNet.com

 

Beware GDPR Scams


Yesterday, I posted What’s With All The Privacy Updates? I was referring to all of the messages being sent this week, updating privacy policies and asking you to confirm email subscriptions as a result of GDPR going into effect on Friday.

To no surprise, the scammers are right on top of this, sending their own messages, seeming to be related to this, but trying to trick you into revealing your credentials to sites you visit.

If you get a message from a company asking you to confirm their privacy policy or your email subscriptions or anything related to your identity, DO NOT click on the links in the message. Go to the actual website and look for the places where you would normally update your settings and see if you are being asked to do so. Otherwise, you may find yourself landing on a fake site whose sole purpose is to get you to enter personal information and credentials that will compromise your identity.