Prime Day Phishing Examples


Yesterday, I posted a warning about scams associated with Amazon’s upcoming Prime Day on July 11th.  Here are a few examples, to help you remain alert and avoid being caught by the hackers trying to exploit this popular online shopping day.

[Images: AmazonPhish1, AmazonPhish2, AmazonPhish3 (screenshots of the three phishing messages discussed below)]

In each of these examples, you will notice the following:

  1. The sender address may look like it’s coming from Amazon, but if you take the time to look at the actual address within the <> symbols, you can clearly see that it’s not.  Some email programs show you this address directly, as in these examples.  In others, you may have to hover your mouse over the “from” name to see the underlying address.
  2. The message contains only links.  DON’T CLICK.  These links lead to malicious sites that can load malware onto your device.
  3. The messages all have an Unsubscribe link at the bottom.  As with #2, DON’T CLICK.

Hopefully these examples and warnings will help you enjoy Prime Day safely!

In case you missed my original post about this yesterday, here is the link.

With Prime Day Comes Scam Days


Amazon Prime Day is coming and along with it, hackers are actively trying to scam users of the popular Amazon service.

What is Prime Day?  From Amazon’s web site: “This July 11 is the third annual Prime Day. Prime Day is our annual deals event just for Prime members. We want Prime Day to be one of the world’s best days to shop, with awesome prices on everything you’re into. We’re bringing you hundreds of thousands of deals, new deals starting as often as every five minutes, and special offers across everything included with Prime—from music and video to reading and voice shopping.”

This year, hackers are really taking advantage of Prime Day, perhaps in part because Amazon has been more aggressively promoting Prime Day each year.  Prime Day deals are available for several days prior to the 11th.

Be on the lookout for phishing email messages with subjects and sender names referencing Amazon Prime and Prime Day.  Even if you just placed an order, double-check the sender address and hover over any links before clicking to be sure they are really from, and going to, amazon.com.  Check the domain itself, not just whether the word “amazon” appears somewhere in the address or link: a link whose hostname merely starts with amazon.com but ends in some other domain is not Amazon.  And don’t forget, never open an attachment.  Amazon doesn’t send them, so an attachment would be a clear indicator of a potential phishing attack.
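The checks described in this post and in the numbered list of the Prime Day Phishing Examples post above (read the real address inside the angle brackets, and see where a link actually goes before clicking) can be automated.  The script below is an added example written for this page, not code from the original posts.  It flags a display name that says Amazon while the address behind it belongs to another domain, a body that consists of nothing but links, and any link, Unsubscribe included, whose hostname is not amazon.com or a subdomain of it.  The two messages it inspects are constructed, and the non-Amazon domains in them are made up.

```python
"""Automated version of the manual phishing checks: who really sent the
message, and where its links really go.  Added example; the sample messages
below are constructed and their non-Amazon domains are made up."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"amazon.com"}


def is_trusted(host: str) -> bool:
    """True only for a trusted domain or one of its subdomains.  The trusted
    name must END the hostname: 'amazon.com.prime-day-deals.example.net'
    contains 'amazon.com' but is not Amazon."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a>, plus any text that is
    not inside a link, so a links-only body can be told from a real one."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.plain_text = []
        self._current = None  # [href, [text chunks]] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", []]

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, chunks = self._current
            self.links.append((href, "".join(chunks).strip()))
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)
        else:
            self.plain_text.append(data)


def triage(raw: bytes) -> list:
    """Return human-readable findings; an empty list means the sender and
    every link check out against TRUSTED_DOMAINS."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. The display name is free text; only the addr-spec inside <> counts.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if "amazon" in display_name.lower() and not is_trusted(sender_domain):
        findings.append(f"display name '{display_name}' but real sender domain is '{sender_domain}'")

    # 2. Where each link really goes (the 'hover' check), and whether the body
    #    is nothing but links.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    if collector.links and not "".join(collector.plain_text).strip():
        findings.append("message body consists only of links")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not is_trusted(host):
            kind = "unsubscribe link" if "unsubscribe" in text.lower() else "link"
            findings.append(f"{kind} '{text}' goes to untrusted host '{host}'")
    return findings


# Constructed sample 1: looks like Amazon, is not.
SAMPLE_PHISH = b"""\
From: "Amazon Prime" <deals@amazon-prime-rewards.example.net>
To: you@example.com
Subject: Your Prime Day reward is waiting
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="http://amazon.com.prime-day-deals.example.net/claim">Claim your Prime Day reward at amazon.com</a></p>
<p><a href="http://amazon-prime-rewards.example.net/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

# Constructed sample 2: a plausible legitimate shipping notice.
SAMPLE_LEGIT = b"""\
From: "Amazon.com" <ship-confirm@amazon.com>
To: you@example.com
Subject: Your Amazon.com order has shipped
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello, your order has shipped and will arrive Thursday.</p>
<p><a href="https://www.amazon.com/gp/your-account/order-history">Track your package</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or ["no findings"])
```

Run it on a saved .eml file by passing the file’s bytes to triage(); the phishing sample produces four findings and the shipping notice none.  The domain test in is_trusted is the part worth copying: it anchors the trusted name at the end of the hostname, which is what defeats the “amazon.com.” lookalike trick.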

I have already seen numerous examples of phishing email messages that say they are from Amazon Prime or reference Amazon Prime Shipping in the subject or other similar names and subjects.  Be careful while enjoying Prime Day!

Self Service Password Resets Save Time and Aggravation


You know the drill.  IT has implemented another security policy that requires you to change your password every 90 days.  The password must be complex: 12 or more characters, containing upper and lower case letters, at least one number and a symbol (a character like !@#$%&*).  Your password needs to be something like fU&s43jm#@l0 to be valid.  You are also not allowed to reuse a password you have used in the past year.  Will you remember it?  Hopefully.  Will you mistype it?  Almost certainly.  What will you do if you can’t remember it?  Call the Help Desk and have them reset your password.  It stresses you out, doesn’t it?

What if you could easily reset your password right from your mobile phone, without having to call the Help Desk?  You can!  An innovative company named Passportal, from Alberta, Canada, has what may be the easiest and best solution to the password reset problem.  Their solution is available through partners like Internet & Telephone, LLC and can make the password management problem go away for you and all the computer users in your company.

Here’s how it works:

  1. You get the dreaded message that your password has expired and you need to set a new one.
  2. You create your new password; ih0p3!r3m3mber@.
  3. You return to the login screen and type it in, but it says it’s invalid.  Déjà vu sets in and your blood pressure begins to rise.
  4. In the old days, you would call the Help Desk and ask them to reset your password for you.  You wait for the friendly and empathetic technician to log in to your network, open your user account and reset your password.  Back to work you go.
  5. Instead of #4, what if this happened:
    1. You pick up your mobile phone and text a keyword to a pre-defined number you have saved as a contact.
    2. You immediately get a reply letting you know your password is about to be reset.
    3. Within 60 seconds, you receive another text with a new password.  Something like: 8Fx%$Gsjh3*7.
    4. You return to your login prompt and enter 8Fx%$Gsjh3*7 as your password.
    5. You are asked to set a new password that you will remember this time, right?

That’s how easy it could be to reset your password if you forget it, lock out your account, or let it expire and then mistype your new one.  One thing to keep in mind: the text message now carries the credential, so the mobile number on file is what the reset actually trusts.  It should be verified when the account is set up and changeable only through the Help Desk, and the temporary password should be valid for a short time and a single use before the forced change to a new one.
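The flow in the steps above can be modelled to show what has to be true for it to be safe: the temporary password must meet the same policy the post opened with, it must only be issued to a phone number already on file, and it must expire, work once and force a change.  The code below is an added example written for this page, not Passportal’s software; the RESET keyword, the five-minute lifetime, the phone number and the username are assumptions.

```python
"""Model of the text-message self-service reset: policy check for the new
password, a temporary password that satisfies the same policy, and a
one-use, short-lived temporary credential.  Added example, not Passportal's
code; keyword, lifetime and the sample number/username are assumptions."""
import secrets
import string
import time

MIN_LENGTH = 12
SYMBOLS = "!@#$%&*"          # the symbol set quoted in the post
RESET_KEYWORD = "RESET"      # assumption: the keyword the user texts
TEMP_PASSWORD_TTL = 300      # assumption: seconds a temporary password stays valid


def policy_violations(password: str) -> list:
    """Return every rule the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append(f"no symbol from {SYMBOLS}")
    return problems


def generate_temporary_password(length: int = MIN_LENGTH) -> str:
    """Random password guaranteed to pass policy_violations: one character
    from each required class, the rest from all classes, then shuffled with
    the OS CSPRNG so the mandatory characters are not in fixed positions."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


class ResetService:
    def __init__(self, registered_numbers: dict, clock=time.time):
        self.registered = dict(registered_numbers)   # phone number -> username
        self.pending = {}          # username -> (temporary password, expiry time)
        self.must_change = set()   # users who redeemed a temporary password
        self.clock = clock
        self.outbox = []           # (number, text) pairs; stands in for the SMS gateway

    def handle_text(self, from_number: str, body: str):
        """Steps 1-3 of the flow.  Only a number already on file for a user
        may trigger a reset; anything else is ignored without a reply."""
        user = self.registered.get(from_number)
        if user is None or body.strip().upper() != RESET_KEYWORD:
            return None
        self.outbox.append((from_number, "Your password is about to be reset."))
        temp = generate_temporary_password()
        self.pending[user] = (temp, self.clock() + TEMP_PASSWORD_TTL)
        self.outbox.append((from_number, f"Your temporary password is {temp}"))
        return user

    def redeem(self, user: str, password: str) -> bool:
        """Step 4.  The temporary password works once: a wrong guess or an
        expired password discards it and the user has to text again."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        temp, expiry = entry
        if self.clock() > expiry or not secrets.compare_digest(temp.encode(), password.encode()):
            return False
        self.must_change.add(user)
        return True

    def set_new_password(self, user: str, new_password: str) -> list:
        """Step 5.  Returns policy problems; an empty list means the change was
        accepted.  A real system would now store a salted hash (omitted here)."""
        if user not in self.must_change:
            return ["no redeemed temporary password for this user"]
        problems = policy_violations(new_password)
        if not problems:
            self.must_change.discard(user)
        return problems


if __name__ == "__main__":
    svc = ResetService({"+15555550100": "jsmith"})   # constructed number and user
    svc.handle_text("+15555550100", "reset")
    temp = svc.outbox[-1][1].split()[-1]
    print("redeemed:", svc.redeem("jsmith", temp))
    print("problems:", svc.set_new_password("jsmith", "ih0p3!r3m3mber@"))
```

Running it shows one mismatch worth noticing: the new password from step 2 above, ih0p3!r3m3mber@, fails the policy described at the top of the post because it has no upper-case letter, which is exactly the kind of rejection that sends people to the Help Desk in the first place.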

This is also how easy it is to make password changes and resets less of a hassle for your users and quicker to complete.  The user has complete control and can instantly help themselves through this efficient self-service password reset system.

If you’re not using self service password reset now, you should be.  Your users will thank you.  So will your Help Desk team.

DocuSign Hacked, Exercise Caution


Last week DocuSign, one of the market leaders in online eSignatures and contract execution and management, announced that it had discovered a data breach.  The result?  A targeted phishing campaign that uses the customer email addresses taken in the breach to trick people into opening a document that is not a real DocuSign document.

If you are not familiar with DocuSign, here is an excerpt from their About Us page on their website.  “DocuSign® is changing how business gets done by empowering more than 300,000 companies and 200 million users in 188 countries to sign, send and manage documents anytime, anywhere, on any device, with confidence.”

The phishing attack, which DocuSign has acknowledged, targets people who have used DocuSign to sign and execute contracts in the past, using the data obtained from the breach.  Through social engineering, recipients are tricked into enabling macros in an attached Word document; the macro then loads malware onto the victim’s computer.

An important thing to note is that DocuSign never sends the document to sign as an email attachment and asks you to open it.  An attachment should be an immediate red flag.  If you have used the system, you know that the document you are being asked to sign is presented within your web browser over an HTTPS (TLS) session.  You “sign” the document online and are then offered a PDF copy of the signed document to download.  This should be an easy phish to spot, yet people are falling victim to it.
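Two of the tells above can be turned into a mail-gateway check: a message that claims to be from DocuSign but carries an attachment, and an attachment that is a macro-enabled Office document.  The code below is an added example written for this page, not DocuSign’s or KnowBe4’s; the lure message and the minimal .docm it carries are constructed, and the sender domain in it is made up.  It only inspects zip-based OOXML files (.docm, .xlsm, .pptm); legacy binary .doc files are OLE containers and need a different parser.

```python
"""Gateway-style checks for the DocuSign lure: a DocuSign-branded message
with an attachment, and an attachment carrying a VBA macro project.
Added example; the message and the document are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MACRO_CONTENT_TYPE_MARKER = "macroEnabled"  # appears in [Content_Types].xml of .docm/.xlsm/.pptm


def ooxml_has_macros(data: bytes) -> bool:
    """True when a zip-based OOXML file carries a VBA project.  Legacy binary
    .doc files are OLE containers, not zips, and return False here; they need
    an OLE parser (for example the oletools project) instead."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE_MARKER in types_xml
    except zipfile.BadZipFile:
        pass
    return False


def assess(raw: bytes) -> list:
    """Return findings for one raw RFC 822 message; empty means nothing matched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    headers = str(msg.get("From", "")) + " " + str(msg.get("Subject", ""))
    attachments = list(msg.iter_attachments())
    if "docusign" in headers.lower() and attachments:
        findings.append(f"claims to be from DocuSign but carries {len(attachments)} attachment(s); "
                        "DocuSign presents the document in the browser, not as an attachment")
    for part in attachments:
        name = part.get_filename() or "(unnamed)"
        content = part.get_content()
        if isinstance(content, str):  # text attachments come back decoded
            content = content.encode(part.get_content_charset() or "utf-8", "replace")
        if ooxml_has_macros(content):
            findings.append(f"attachment '{name}' contains a VBA macro project")
    return findings


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container.  A real .docm has many more parts
    and a real vbaProject.bin is an OLE stream; placeholder bytes stand in."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
    return buf.getvalue()


def build_sample_email(with_macros: bool = True) -> bytes:
    """Constructed lure: a DocuSign-looking message with a Word attachment.
    The sender domain is made up."""
    msg = EmailMessage()
    msg["From"] = "DocuSign <dse@docusign-documents.example.net>"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Completed: Please DocuSign this document"
    msg.set_content("Please open the attached document and enable editing to review it.")
    subtype = ("vnd.ms-word.document.macroEnabled.12" if with_macros
               else "vnd.openxmlformats-officedocument.wordprocessingml.document")
    filename = "Completed_Document.docm" if with_macros else "Completed_Document.docx"
    msg.add_attachment(build_sample_docx(with_macros), maintype="application",
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for line in assess(build_sample_email()):
        print(line)
```

The first rule is the one the post’s advice rests on: DocuSign delivers the document through a link to its site, so DocuSign branding plus any attachment is enough to quarantine, whether or not the attachment contains macros.  The macro check is a second, independent reason to block.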

Here is a recommendation that has been put out in collaboration with KnowBe4, our partner in helping to educate our clients about risks like this:

“Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and click to enable editing.

But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click.”

Simple but important advice: always verify the source, especially when you receive something you were not expecting.

DocuSign maintains a good site regarding their security posture at https://trust.docusign.com.  I recommend you keep watch on this site if you are a regular DocuSign user.

Reflections on Kaseya Connect 2017


As I’m sitting here in McCarran International Airport awaiting my JetBlue red-eye back to Boston, I’ve been reflecting on my week here in Las Vegas at the Kaseya Connect conference.  Kaseya is one of several technology partners that we have at Internet & Telephone, LLC.  Specifically, we use the Kaseya Virtual System Administrator (VSA) IT management platform as well as AuthAnvil two-factor authentication.  Both are part of our stack of specialized tools that we use to manage our customer infrastructures.

This was my first time attending Kaseya Connect and I’m impressed with the company and their roadmap for the future.  What’s significant about this is that a few years ago, it looked like the company was moving in the wrong direction and was no longer going to be a good partner for us.  That is no longer the case, at all.

We started the week off in the Customer Success Council meeting on Monday.  During this invitation only meeting, Kaseya executives shared details on upcoming product developments and new initiatives, including recent and planned acquisitions.  Following this meeting, Kaseya hosted a focused security symposium.

During the symposium, some interesting statistics were shared from the 2017 Verizon Data Breach Investigations Report (DBIR).  This report has become the annual standard bearer for the state of cybersecurity in the commercial market space.

Some highlights from the report:

  • 62% of breaches involved hacking.
  • 81% of hacks used stolen or weak passwords.
  • 51% of hacks used malware to steal passwords.
  • Over 1 billion credentials were stolen in 2016.
  • It is recommended to deploy two-factor authentication to all users when feasible.

When considering two-factor authentication, note that it also helps satisfy these requirements:

  • HIPAA for healthcare organizations.
  • FFIEC for small banks and credit unions.
  • CJIS for law enforcement agencies.
  • The latest revision of the legal professional code of conduct requires it for remote access.

Following are some updated stats about data breaches, in terms of impact:

  • Every record breached costs a company $158.00, on average.
  • The average number of records breached, per data breach, is 3,000.
  • That works out to an average cost of roughly $475,000 per data breach.
  • Short term impacts of a data breach are downtime, lost data and business interruption.
  • Long term impacts of a data breach include damage to the company’s reputation, customer loss and lost revenue.

On Tuesday morning, Kaseya CEO Fred Voccola kicked off the event with an engaging keynote that shared interesting stats that you may read more about in my post from Wednesday titled Small and Medium Size Business Stats from Kaseya Connect.

Fred also provided a comprehensive review of what Kaseya calls its IT Complete stack.  This includes the core feature set of the VSA platform that we use to manage our customers, as well as new or updated modules focusing on network management, identity and access management, backup and disaster recovery, Office 365 management and backup, and an impressive Cloud management module that will allow us to help our customers save money on their Cloud subscription costs.

I was also intrigued by some new initiatives around data analytics to help us manage our business better and deeper integration with our customer documentation system.

Kaseya did a very good job outlining the product roadmap and how we will be able to leverage these developments to help our technical team better manage our customers.

We have built our security offerings around the National Institute of Standards and Technology (NIST) Cybersecurity Framework.  I was very excited to see that Kaseya has built their security offerings around this same framework.  Aligning our security strategy with what Kaseya is delivering, and will deliver, to its partners will be a compelling benefit for our customers.

There was also a very interesting session on improving the user experience with IT.  Using something called persona modeling, it’s an intriguing model of better understanding the needs of IT users based on their role in the organization from an individual, departmental and overall company mission point of view.  I’m looking forward to testing this out to see what opportunities for improvement it may bring to the surface.

The conference wrapped up on Thursday with the entire Kaseya executive team sharing their thoughts on where the industry is moving, based on their individual areas of responsibility.  This touched on all aspects of the solutions that Kaseya brings to its partners.  I was particularly pleased to gain some insight into the company’s Internet of Things (IoT) strategy.  These are the myriad devices that now have an IP address and connect to the network.  As these devices become more prevalent and important to a company’s success, they must be managed like every other device on the network.  Right now there is no consistent model for accomplishing this, and organizations need to be careful about deploying unmanaged devices onto their corporate networks.  As we saw several times in 2016, these devices, left unprotected and unmanaged, can be taken over and used to carry out a data breach or attacks on other organizations.

We also had the opportunity to have a private meeting with several members of the senior team to discuss our business plans and the status of our partnership.  I was very pleased with the level of transparency and candor from everyone at this meeting and I am looking forward to working more closely with everyone at Kaseya to deepen our partnership for the benefit of our customers and our two companies.

What About Corporate Password Managers?


Following up on Wednesday’s post Why You Need a Password Manager, let’s talk about corporate password managers.  These are systems designed for use within a company, to manage the passwords across the enterprise.

Some of the password managers I mentioned in my Wednesday post also offer a business version, that allows you to share and manage passwords across groups of users.  Corporate password managers are a little bit different as they are typically geared more toward the IT user, not the average business user.

I divide corporate password managers into two categories: those for use within corporate IT departments and those for use by Managed Service Providers (MSPs), organizations like Internet & Telephone, LLC, that provide IT services to their customers.

The features are designed for these environments and include all the basics you would expect from a robust password manager.  When I evaluate products like this, I look for several key features, among them appropriate encryption, identity management, user assurance auditing, change tracking, secure deployment and discovery, compliance, access control, least-privilege access, self-service password reset, automatic password rotation, automatic password injection and more.  It all depends on defining your requirements and finding the solution that meets your needs.

In terms of my business, the solution I prefer most is Passportal.  It was built from the ground up by an MSP who understood the requirements most other MSPs would have.  It also allows MSPs to offer the service to their customers.  I find the feature set of Passportal stands above the competition.  Consider this list of features:


  • 1-Click Website Logins
  • Drag & Drop Data Imports
  • PSA Integrations
  • Multi-Factor Authentication
  • Personal Password Vaults
  • Role-based Permissions
  • Active Directory 2-Way Sync
  • Password Generator
  • Mobile Optimized Access
  • Password Data Analytics
  • Prebuilt Reports
  • Global Search
  • Co-Managed IT Password Collaboration
  • Password History Retention
  • Technician Disable Workflow
  • Password Rotation Management
  • Client and Password Access Requests
  • Windows Directory Services Control
  • Custom Security Groups
  • Temporary Access Rights
  • Scheduled Automated Data Exports
  • White Labelled / Rebrandable

Other worthy corporate solutions include BeyondTrust, ManageEngine Password Manager Pro and Thycotic to name just a few.

If you want to be absolutely, positively certain as to who accessed what password when and who used what password when and where, a corporate password management solution is a must.  Otherwise, you are simply leaving it to chance and trust that none of your employees will misuse a password or worse.  In today’s world of nearly daily breaches and cyber security issues, I believe these systems are a must in order to keep your passwords safe and in control.

UPDATE: Google Docs Phishing Scam


UPDATED THURSDAY, MAY 4

While the news continues to talk about this scam, you may rest assured that Google has stated publicly that they have secured their systems against this attack.  I still recommend following the steps below, to be certain your account was not impacted.  I also recommend never clicking a link to open an online document of any form without first verifying with the sender that they actually sent it to you and that the document is legitimate.

May the 4th Secure You!

Today, many users are reporting receiving an email from a trusted sender that is asking them to click a link to open a Google doc online.  This is a scam and it is being widely reported.

The good news is that Google has implemented safeguards to stop the attack.  For those who already clicked the link and approved the permission request, the bad news is that they granted a third-party app controlled by the attackers access to their Gmail and contacts, and that access remains until it is revoked.

Here’s how to check if you are at risk.

  1. Login to your Google account.
  2. Go to My Account.
  3. Click on Connected apps & sites.
  4. Review the list and if there is an app called Google Docs, remove it.  Google’s own Docs is part of your account and does not need to be connected as a third-party app, so an entry with that name is the attacker’s.  Then change your account password and be sure you have enabled 2-Step Verification.

[Image: GoogleDocsScam]