Hackers Taken Down by FBI

Operation ReWired Arrests 281 and Recovers $118M

International Cooperation of Law Enforcement

Score 1 for the good guys. The FBI’s project Operation ReWired took down a network of hackers using Business Email Compromise attacks to commit fraud. This resulted in the arrests of 281 alleged hackers on charges of wire fraud ($3.7 million recovered). Additionally, these hackers allegedly committed 250,000 cases of identity theft and 10,000 cases of tax fraud. The Operation seized more than $118 million in fraudulent wire transfers that may now be returned! September 2019 was a great month for cybersecurity!

What is Business Email Compromise?

Business Email Compromise (aka: BEC) is when an email account, usually for someone in finance, is broken into. This is often accomplished through a phishing attack that leads to credential theft as outlined in CyberHoot’s recent article titled the Domino Attack. Credentials are stolen when a victim clicks on a fraudulent phishing email link or opens a bogus invoice. Doing this brings the victim to a malicious website that prompts the user to enter their email and password. These emails are often sent by someone your CFO already knows, meaning the sending email address is actually correct and expected. The other finance person’s email has likely been compromised by hackers who are now targeting your CFO.

This compromise results in a hacker entering the CFO’s email account, reading through their financial transactions emails, and redirecting normal wire transfers by inserting fraudulent wiring instructions into the email based conversations. The success of this scam rests exclusively upon both parties never authenticating these wiring instruction changes outside of email. This results in money being wired into hacker accounts that are mostly untraceable. These fraudulently wired funds are rarely recovered.

International Cooperation Leads to Take Down

Operation ReWire was possible through the combined efforts of law enforcement agencies across 10 countries. Together they unraveled a complex network of hackers, phishing attacks, money mules, and money laundering activities. This operation proves international law enforcement cooperation is possible. It also sends a message to hackers that they will be caught. Cyber Al has witnessed smaller scale BEC from social engineering and phishing attacks that will never be recovered (or reported). That’s because the dollar amounts were too small to involve the FBI or internal law enforcement. The worlds Small and Medium-sized Businesses (SMB’)s are on the front lines of BEC fraud! It’s getting worse year after year with a doubling of financial losses in 2018 alone.

An Important Message sent to Hackers

These enormous losses have led the FBI to make BEC fraud a priority for its agency. In June of 2018, the FBI made 74 arrests and seized 2.4 million in a similar BEC take-down. These take-down events and arrests are putting hackers on notice that you can and will be caught.

Who’s at risk to the threat of BEC ?

Verizon security services division puts out an annual Data Breach Incident Report (DBIR) summarizing cybersecurity attack trends which include who is being hacked and how they’re being hacked. BEC is near the top of their list of attacks. More importantly, they note that SMB’s are successfully attacked 15x more often then smaller and larger firms with less than 10 or greater than 100 employees. This puts SMB’s at the greatest risk of targeted BEC attacks. If you’re a small business owner, do not dispair! There are simple measures you can institute at your company to protect yourself.

What should SMB’s do?

Even with the FBI take down of this criminal network, it is a small drop in the bucket of an FBI estimated 3 year $26 Billion in losses. The FBI still recommends to “Implement an awareness and training program” to safeguard your business. Therefore, you need to prepare yourself for these attacks. Fortunately, with Business Email Compromise, preparations are relatively straight-forward. The single best measure you can take is to review and document your Wire Transfer Process. Cyber Al recommends that ALL changes to wiring instructions be confirmed outside of email, preferably via a phone call. Establish accurate wiring instructions with all parties. Do not dial a phone number supplied in a fraudulent email to validate new wiring instructions. That phone number is likely also bogus. Look-up a known good phone number and contact to verify and validate.

Positive Conclusions

This take-down arrested 281 potentially bad actors and recovered over $118 million in fraudulent wires. More importantly, Operation ReWire proves that international law enforcement agencies can work together. It proves that hackers cannot hide behind computer screens in the dark corners of the Internet. This is an important win. Let’s enjoy this win but also validate our business processes to protect ourselves from BEC and wire fraud.

Teach employees about Business Email Compromise and gain access to Wire Transfer Process documents with a free 30-day CyberHoot trial.

Become more Aware to become more secure.

Hacked Charging Cables Send Data Wirelessly

Most of us have tethered our mobile phones to our laptop dozens to hundreds of times.  Have you ever worried about a hacked charging cable? Security researchers have discovered hacked iPhone lightning cables with embedded Wi-Fi chips that were capable of stealing our data.

Hacked Charging Cables Transmit Data Wirelessly
Hacked charging cables can steal data over Wi-Fi
Image Source

Hack a Charging Cable via Wi-Fi?

CyberAl would bet that most people don’t think about getting hacked through their iPhone’s charging cable. People worry about hack attacks from phishing emails as outlined here: Avoiding Phishing Attacks.  Others correctly worry about password security as discussed here: Passwords, Passphrases, and Password Managers. But charging cables?  No way. Hackers have hacked the iPhone lightning cable to insert a tiny Wi-Fi transceiver into the cable itself. When an iPhone, iPod, or iPad is plugged into a computer and syncs your data (pictures, music, apps, etc.) the embedded Wi-Fi device allows a nearby hacker to take full control of your computer. Once connected, the hacker can wirelessly transmit malware onto your device all while siphoning off your data.

A Proof of Concept Wi-Fi Charging Cable

A hacker by the name of “MG” studied and experimented on these Lightning cables. With some excellent soldiering skills, and a weekend’s effort, MG created a malicious proof of conceptcharging cable. MG targeted his own  Mac computer. MG found that when an iPhone was directly connected with the hacked charging cord, he/she could be up to 300 feet away and still control of the MAC computer. Cyber Al theorizes that a directional antenna could enable the hacker to be even farther away! Even more disconcerting, MG stated “the cable can be configured to act as a client to any nearby wireless network. And if that wireless network has an Internet connection, the distance basically becomes unlimited.”

Summary Advice

This tactic is bound to be deployed in many locations by hackers targeting the general public. From charging kiosks at Airports to coffee shops, charging cables may be compromised.  The risk in these locations is mitigated partially by the fact that your charging cable isn’t connecting your smartphone to your laptop.  This prevents the lightning cable from transferring data unless you allow the iPhone to trust the charging station (something you should never ever do). Most people are aware of the dangers of inserting a USB flash drive into their computer. Cyber Al wants you to always think about the risks of a compromised charging cable provided free of charge by a business for its customers use and to remember these tips:

  • Be on the lookout for unusually shaped charging cables.
  • Better yet, always carry your own charging cable.
  • Never use an unknown origin cable from anyone.
By becoming more aware you become more secure. If you like learning about emerging threats or want to address gaps in your employees CyberSecurity knowledge, venture over to CyberHoot and sign your company up for a free 30-day trial.

#cyberhoots #smb #cybersecurity #awarenesstraining #LMS #chargingcablehack

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Editor, Craig Taylor, Co-Founder – CyberHoot

Watershed Moment: Smartphones Targeted by Drive-by Malware

Image result for Malware on Cell Phones

Cyber “Events” that Shape History

Only a few events in the history of “Cyber” and “Security” cause security professionals sit back, meditate, and try to understand the implications of that event.  The earliest such event CyberHoot recalls reading about was the “Morris Worm” which spread across the early internet way back in 1988. Its author was subsequently convicted under the newly passed Computer Fraud and Abuse act of 1986. We can thank the Morris Worm for spurring the Defense Advanced Research Projects Agency (DARPA) to create the Computer Emergency Response Team tasked with coordinating emergency responses activities to critical computing events.

Since then multiple “events” have occurred which directly influenced Cybersecurity programs, protection technologies, and procedures.  The ILOVEYOU virus (2000) and “SQL Slammer Worm (2003)” both taught us about network segmentation and the importance of limiting ports and protocols passing across our internal networks.  Fast forward to 2017 and “WannaCry Ransomware” reminded us on the need for strong backup and restore capabilities.

When Malware targets Mobile…

A recent revelation has CyberHoot wondering if 2019 will be the year we look back and say: “That was the year Smartphones became vectors for wide-spread worms, viruses, and data theft.”  Until this moment, smartphone hacking cost millions of dollars and was limited to nation state sponsored attacks. That is no longer true and the extent of how “untrue” this is seems like a watershed moment in cybersecurity.

Security researcher Ian Beer, from Google’s Project Zero whitehat hacking team published evidence of widespread smartphone hacking that successfully installed malicious software on Android and iOS smartphones.  Googles researchers showed that by exploiting a series of vulnerabilities together (something the call chaining) hackers could install anything they wanted on your devices, just by visiting their malicious websites. Worse yet, this appears to have gone on for two years without being discovered. Sobering, isn’t it?

What does Cyber Al from CyberHoot suggest you do about this development?  Let’s dive into some suggestions we’ve collected from various articles covering this noteworthy development.

10 Protection Tips for Smartphone Users:

  1. A mobile device is a computer. Do not install any App or Game onto the device unless you absolutely need it. Even then, limit the permissions you give each app.  Does the Facebook really need access to your Microphone?
  2. Always consider how you connect to the Internet on mobile devices.  Be highly suspicious of Free or Public WiFi which is very insecure.  Companies should enforce Acceptable Use Policies requiring the use of Virtual Private Network (VPN) technology on all mobile devices and combine it with two-factor authentication.
  3. Establish and enforce Bring-Your-Own-Device (BYOD) policies at work.  Personal devices are everywhere, but they should never be allowed on your Trusted business networks; that is what guest WiFi was created for.
  4. Block Jail Broken iPhones and rooted Android phones from accessing trusted networks and corporate data including online email services.
  5. Keep mobile device operating systems up to date.  The latest iPhone software 12.1.4 is not at risk to chaining vulnerabilities identifiedy by Ian Beer of Google.  However, given the two-years of dwell time, you can be certain other vulnerabilities have been discovered and are exploiting our phones.
  6. Encrypt your mobile devices and data stores (USB sticks).  All iOS and Android operating systems automatically encrypt their file systems for at least that last 7 years.
  7. Enforce Mobile Device Management policies with solid management tools available from Microsoft, AirWatch, Good Mobile and many other vendors.  You must be able to selectively wipe corporate data of loss or stolen devices.
  8. Install Applications only from Trusted Vendors.  Consider building an Enterprise Store of vetted and approved smartphone applications (this tip is for Large Enterprises with highly mature Cyber Programs).
  9. Provide Cloud-Storage Alternatives for your employees who will use any service that is convenient and free without a second thought.
  10. Install Anti-Malware on your Android device (Sophos has a product).  iOS and BlackBerry do not allow for any such products to be used today.
  11. BONUS: reboot your iOS device periodically.  These chained vulnerabilities did not survive a reboot of the smartphone device. iPhone, please meet Windows 95 where a reboots was the solution to so many problems.  iPhone Reboots, really???

How should we think about and use our Smartphones?

Google’s security researcher Ian Beer writes. “All that users can do is be conscious of the fact that mass exploitation exists and behave accordingly; treat their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

We’ve entered a new era, where our beloved smartphones can be infected just by visiting malicious websites.  Think before you surf the Internet willy-nilly on a trusted corporate devices containing Intellectual Property or Regulated Data. Maybe don’t visit that website!

Call to Action

If your worried about the cybersecurity of your company and want to do something concrete and meaningful to protect it, then visit CyberHoot.com today and sign up for a free 30-day trial.  Email Sales@CyberHoot.com for information and assistance with any questions.

SMB’s Attacked 15x More Often

Small to Medium-sized Businesses (SMB’s) are attacked fifteen times more often than smaller firms (>10 employees) and larger firms (<100 employees).  In 2018 they accounted for 43% of all security incidents. This puts the engine of the world’s economy squarely in harms way.

SMB’s are attacked more often because of:

  • weaker technical protections;
  • they have items of value (money) to steal;
  • untrained employees,
  • less supervision and controls around insiders, and
  • sometimes for the access they have to other businesses.

Training employees on how to spot attacks is the best “returns-on-investment” SMB’s can make to reduce the likelihood of a successful attack.  SMB employees have typically never received any Cybersecurity education in school or from previous employers.  Arm your employees with the knowledge and skills to fight back!

Our school system graduates high-school, post-secondary, and even doctoral program students with little to no cybersecurity training. This is why we have  witnessed a dramatic rise in cyber-attacks over the last few years. For example, 60-minutes ran a 12 minute story last week on 22 towns and government agencies breached by ransomware.

Hacker attacks come from many different groups of people today.  Organized crime hacks to steal our money while nation states hack to steal our Intellectual property.  Hacktivists target special-interest groups to make a point while disgruntled employees may be out for money, revenge or both. All these groups are hanging around our business front doors using the Internet both as their super-highway to you and their invisibility shield to hide their attack tracks with impunity.

What makes them so dangerous and successful is the availability of advanced, sophisticated hacking software purchased easily on the dark web. These hacking tools can encrypt your files and hold you out for ransom without writing a single line of code.

Protection Starts with Education

Start pulling your cybersecurity program together by educating employees on cybersecurity topics such as cyber-policies, training videos, and technical cybersecurity tools such as password managers. The more you know, the better you can fight back.

If you’ve been on the fence about addressing this risk in your business, now is the time to make a decision and give CyberHoot a free trial run for 30 days.  Start a CyberHoot free trial to jump-start your cyber-program protection today. In under an hour your employees can begin training, delivered by a fully-automated tool so simple there is no manual.

Give us a try, you’ll be glad you did.

Privacy Regulations May Cause Data Breaches in Addition to Protection

Image Source

Privacy legislation has expanded significantly in the last two years with the publication and enforcement of the EU’s General Data Privacy Regulation (GDPR). In Jan. 2020, the California Consumer Privacy Act (CCPA) will go into effect, with similar requirements to GDPR, in CA. Other states including Texas, New York, Washington, and Massachusetts are following suite. EU and CA privacy legislation attempts to protect our private data by granting certain rights. These rights allow one to manage the data businesses keep on us through “Data Privacy Requests”. These requests can include but are not limited to the right to have businesses:

  • forget my private data;
  • correct my private data;
  • prohibit my private data from being sold; and importantly,
  • request a business provide me my private data.

Unfortunately, businesses have not prepared properly for these requests.  World wide, businesses are scrambling to accommodate GDPR data privacy requests being made by EU residents.  US businesses with private data on Californians are hurrying to build processes to accommodate data privacy requests from CA residents beginning January 1st, 2020.

Wouldn’t it be ironic if the next wave of privacy breaches stemmed from data privacy requests made by hackers under these legislative acts? This is the very problem CyberHoot sees with these acts.  Businesses have not yet built robust, multi-factor “Data privacy request” processes that verify the identity of each requester!

A Horse named “Black Irony” has Left the Stable

Surprise, surprise, a British researcher name James Pavur, reported in this Black Hat briefing in Aug. 2019, that after making 150 “data privacy requests” for his wife’s private data, businesses sent him her:

  • Social Security Number;
  • current and previous home addresses;
  • credit card numbers;
  • School grades;
  • Hotel Logs; and
  • whether she used certain dating websites or not.

Importantly, Pavur did not forge any documents, signatures or email addresses.  He used his own credentials, signature, and email account in every case to request these items.  Businesses simply did not verify his identity.  Now, imaging what a hacker who forges signatures, documents, and breaks into your email account could do?  CyberHoot has some predictions for you.

Privacy Regulation Predictions/Suggestions for Businesses:

  • Hackers will exploit privacy regulations through weak verification mechanisms to steal the very private data these acts are meant to protect.
  • While CCPA is aware of verification challenges and promises to publish clarification on what constitutes verifiable requests through CA’s Attorney General (AG), business cannot afford to wait. Businesses should create their own verification measures, possibly following measures adopted by Banking (see below) to prepare in time for January 1st, 2020.
  • Banks have the verification process figured out.  When CyberHoot calls its bank, the IVR asks for our 16 digit card number just to speak to an agent.  The Bank agent then sends a 4 to 6 digit code to CyberHoot’s mobile device to require a second factor to verify our identity (something we know and something we have).
    • Businesses would be wise to adopt similar two-factor authentication measures for all privacy data requests.
  • Some businesses CyberHoot consults with don’t collect the requisite data (Account numbers, Email addresses, and/or Mobile phone numbers) to properly verify an individuals identity.  Hopefully the CA AG will exempt these companies from complying with data privacy requests rather than force them to collect more of our private data just to comply with these data privacy requests.

What might Private Citizens do to Protect themselves?

CyberHoot is not suggesting Google and Facebook will be easily fooled into giving your private data away. However, other companies who have your data are not yet prepared to handle these requests.  CyberHoot challenges businesses to build secure verification processes before hackers exploit you in this novel and horribly ironic way.

Author, Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: QR Code Scams

QR Code Scam
Image Source

The latest way hackers are breaching your private information is by using malicious Quick Response codes, more commonly referred to as a QR Code. QR codes were first created back in 1994 by the Japanese automotive industry to track inventory more effectively but have since been adopted by multiple industries to capture and share information with consumers.  Today you will find them on billboards, web pages, magazines and even clothing. While most of us are familiar with how to scan these codes with our smart phone to retrieve some vendors information or register a warranty, some folks aren’t aware of the cybersecurity and privacy risks relating to their use and abuse.

How Do Hackers Co-opt a QR Code?

One of the most prevalent and easiest ways hackers steal our information is through phishing attacks. Dive deeply into this topic by reading our previous blog article on Avoiding Phishing Attacks but in summary for this QR Code article, phishing attacks typically use an email or web page to lure you into giving out personal information. Hackers create web pages that look identical to a legitimate business web page whose real purpose is to steal your login credentials and private information.

In one of these QR Code attacks, you receive an email from your bank outlining an amazing Credit Card deal which asks you to “scan the embedded QR Code” to apply. Once you scan the “bank’s” QR code, you’re taken to what appears to be your “bank’s” credit card application web page. But here you must be careful as you might not be on your bank’s actual web page.  The domain name may be slightly off (bestbankofall.com was replaced with bestbank0fall.com) behind the QR Code [notice the zero (0) in place of an O (oh)].

As you complete the credit card application form, even if you don’t submit the form for processing, hackers have secretly captured your data and will use it to open credit cards in your name, steal your identity, or steal your bank login credentials if you provided them.  Beyond these data theft attacks, other QR Code attacks try to convince users to download viruses onto their mobile devices, tablets, and computers.

How Can I Protect myself?

Here are some essential basic tips to avoid QR Code scams:

  • If you receive an email from a bank, business, or anyone that asks you to scan a QR code, review a document, or apply for a credit card, double check to ensure the domain name is the perfectly correct watching for look alike letters, missing letters, or combination letters (ie: r+n = m as in rn).
  • If you receive an email from a business or person you don’t recognize, simply do not scan the QR code, as it is likely a scam.
  • If you must check out a QR Code offer, manually type in the domain name and visit the business’s website manually to reach the QR code offer.
  • QR Codes are beginning to be used for payments.  At this time, there are enough alternatives for immediate payments that we would not recommend issuing payment through a QR code methodology.  Simply ask for alternatives.

Summary

QR codes are convenient to use for businesses, consumers, marketers to exchange information with us.  However, hackers are stealing our private data because people aren’t aware of the risks or how to validate sites properly. It is important to be on the lookout for these scams. Do not allow the convenience of a QR code to lull you into a false sense of security.  Be vigilant and use your new found knowledge to protect yourself.

Author, Ty Mezquita, Blogger/Social Media – Cyberhoot

Editor, Craig, Co-Founder – CyberHoot

Update:  Naked Security – one of CyberHoot’s required reading blogs wrote more on this topic here:  QR Codes Need a Cybersecurity Revamp

Cyber “Hoot” Wednesday: Three Tips for the Digital Age

CyberHoot received notice today that our Café Press account had been breached along with 23 million other accounts. Fortunately, no password data was reported stolen. However, phone numbers, home addresses, email addresses, and full names were breached. This comes on the heels of Capital One’s 100 Million breached financial records announced last week. The FBI claims there are ONLY two types of companies. First, there are companies that know they’ve been breached while second, there are companies that don’t know they’ve been breached. Every company, not just Capital One and Café Press, should assume it has been, or will be, breached. What are you to make of these breaches?

Breached personal data is part of the new normal in the digital age. It’s a fact that our personal data will be compromised; it will be available in online hacker forums for bad actors to try and take advantage of us with. Recognizing that fact, CyberHoot and all our employees have been preparing for this for many years. We practice the three tips below for the digital age; will you practice them?

CyberHoot believes there are two kinds of people. First, there are people who know their personal data has been breached and do something to minimize the impact. Second, there are those people that know their personal data has been breached but do nothing about it. You’re reading this article to learn how to minimize the impact of breached personal data, right? If so, then take the following three steps.

CyberHoot’s Top Three Tips in the Digital Age to protect yourself Personally and professionally:

  1.  Freeze your Credit. If you haven’t frozen your Credit yet, well, what are you waiting for? Here’s the Freeze your Credit article from CyberHoot.
  2.  Learn a Password Manager: given all our data will be breached, you need to learn this skill. Here’s CyberHoot’s article on Password Managers.
  3.  Enroll in a Cybersecurity Awareness Program: do this for yourself personally and make sure your company does it for all its employees.

It’s too dangerous out there not to provide awareness training to your staff. You can be sure no-one else is. If you don’t, who will?

Come to CyberHoot.com for a free 30-day trial for Cybersecurity awareness training. Our training is quick, easy, and effective! All it takes is the will to act… we’ll handle everything else.

Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Capital One Breach Affects Over 100M

Image Source

On July 29, Capital One announced it experienced a data breach affecting over 100 million customers. While that is an enormous number it represents only 1.4% of nearly 8 billion publicly disclosed account compromises. Considering there are 10 – 20x as many unreported breaches and compromised accounts, 100 Million Capital One breached accounts is only 1/10th of 1% of all breaches. Given this sorry state of Cybersecurity, how can we put this breach into perspective? More importantly, what should we be doing in light of this “financial data” breach at Capital One?

What Was Compromised?

Capital One released a statement saying, “no credit card account numbers or log in credentials were compromised and over 99 percent of Social Security Numbers were not compromised”. What is currently public as compromised data are 140,000 customers Social Security Numbers (Social Insurance for Canadians) and 80,000 linked bank account numbers. That leaves 99.8% of the breached accounts as undisclosed by Capital One. It is still very early in the investigation so expect these numbers to change and be adjusted. We just don’t know the extent of what was stolen or breached and how it will affect us. Yet, even without that information, we can make recommendations to you for what you should do to protect you and your loved ones.

What Can I Do?

Freeze your Credit at all Four (4) Credit Reporting Agencies

This LifeLock article walks you through how to freeze your credit at three major credit agencies. However, know that there are actually four credit agencies you need to freeze your credit at. Hackers know this and will attempt to retrieve your credit from the smaller credit agency known as Innovis.  CyberHoot advises consumers put a full Credit Freeze on your financial accounts using these links: TransunionEquifaxExperion, and Innovis.  Some of the credit monitoring agencies offer additional notification services such as texting you whenever your credit is pinged.  Enable text alerts if possible to keep track of anyone actively touching your credit data.

Besides the Credit Freezes, is there anything else I should do?

Yes.  Following the Anthem and Equifax breaches a few years ago hackers have been submitting fraudulent tax returns before legitimate tax payers could do so using our stolen personal data.  Consumers have lost time and money regaining access to their own tax accounts. Unfortunately, this could happen all over again with this Capital One breach because hackers likely have the data they need to submit fraudulent tax returns from this breach.  The IRS has acknowledged this problem and will provide anyone who has had a false return filed in their name to get a PIN number that is required to submit their taxes. Unfortunately, unless your taxes have been hacked, you can’t get that PIN to protect yourself. Consequently, CyberHoot also suggests that you get your tax documents in order and submit your taxes as early as possible next January to pre-empt any hacker attempt to submit a false return in your name!

If you would like more tips on what you or your business can do to prevent something like this happening to you; read our article on the Quest Diagnostics Breach.

Summary

Anytime static data that cannot be recreated is breached there are long-term consequences which is the case with the above mentioned breaches (Anthem, Equifax, and now Capital One).  Putting a credit freeze on your account will protect you from hackers taking credit terms out in your name, but doesn’t prevent them from submitting fraudulent tax returns.  Freeze your Credit, submit your taxes early, and continue to educate yourself on Cybersecurity topics.

Author, Craig, Co-Founder – CyberHoot

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Cyber “Hoot” Wednesday: Fight Password Fatigue with a Password Manager

Fight Password Fatigue with a Password Manager
Image Source

Remember the last time you had to recover access to an account by resetting your password. Maybe it was last month, week, or maybe it was today.  Now remember what you had to do: use uppercase, lowercase, and special characters. Don’t reuse your favorite root password, don’t use a real word because it is easily guessed. Make sure it’s at least 9 characters in length.  Are you experiencing password fatigue yet?

People have been experiencing password fatigue for years.  When your employees give up on good password hygiene, they give up on best practices and fall back on common bad habits.  This article outlines a free for personal use tool that will improve your security and reduce your password stress. It might even free up enough time to setup two-factor authentication on your most critical online accounts! Let’s start by looking at why passwords matter so much and the problems we all face with them.

Billions of Breached Passwords exist online

HaveIBeenPwned.com reports more than 8 billion compromised email accounts (often including compromised passwords). In the past, Yahoo lost more than 500 million user accounts and passwords;  DropBox and Linked-In lost millions more. What makes these millions of breaches so damaging, is that so many people re-use their passwords. Alternatively, people re-use predictable password roots, appending a prefix or suffix to that root password. Both practices put you at risky. Hackers exploit the fact that most people re-use passwords or have predictable prefixes and suffixes on common root passwords!

Why are Passwords so Important?

Once a hacker sees your username and password in plain text, can they then log into your online email or Virtual Private Networks (VPN) account? They can if you have a predictable or re-used password on either one.  Once inside your email account, hackers have breached one of the most critical accounts you have.

Your online email account can be used to reset passwords at many other online accounts. It’s simply a password recovery request away from the hacker!  Additionally, email accounts are a treasure trove of social engineering material to attack your friends and family!  Finally, as reported in CyberHoot’s Domino Attack Article, hackers are now crafting exceptional powerful phishing campaigns by targeting users they find inside your email account.  Hackers send phishing attacks directly from your email account or from a look-alike domain name they create. If successful, they then break into your friends, family, and business partner’s email!

Does this all sound hopeless to you? Fortunately, it truly is not hopeless if you learn to use a Password Manager.  Let’s take a look at what a Password Manager is and does.  CyberHoot views this skill as important as knowing how to type!

Learn a Password Manager to Ease Password Fatigue

Every cybersecurity professional will tell you to use strong unique passwords at every online account you own. Unfortunately, most people cannot remember more than 3 to 4 strong passwords. Creating more simply leads to password fatigue. There is a simple solution. This seemingly impossible task becomes easy when using one of the many free (for personal use) password managers.  Many password manager options exist but CyberHoot recommends one of the following as we’ve used and reviewed their features in detail: LastPass, 1Password, and Dashlane.

The Power of Synchronization

Password Managers automatically synchronize all your accounts between smartphones, laptops, and tablet’s.  A web browser plugin monitors your login activity and prompts you to save your credentials whenever you authenticate into a new website. Your username and password for the Domain (or URL such as gmail.com) is stored in an encrypted password vault.  Each tool mentioned includes a random Password Generator you can use to create new, strong, and unique passwords. Over time, you will begin replacing your re-used passwords with randomly generated ones.  Doing so will make you more secure, effective, confident, and efficient.

Call to action: Download and start learning and using a free password manager today.  This skill is as important as learning to type is! Regardless of your technical skill, if you put in even minimal effort, within 3 to 4 months, you will become proficient, secure and much more productive.

Author, Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Avoiding Phishing Attacks

CyberHoot Wednesday: Avoiding Phishing Attacks

How Phishing Attacks Work

An easy example of how phishing attacks work is to take a look at a case that has already happened; a phishing attack utilizing Google Docs hit numerous Gmail accounts about a year ago. The phishing email was sent from compromised Google accounts to other Google accounts for approximately three hours, after which Google intervened directly and stopped all such emails. The email contained an invitation to a Google Doc, and if clicked, the link took users to a fake App that asked for permission to access the user’s Gmail account. The phishing email was convincing enough to have fooled some Google users into giving permission.

What Damage may have Occurred?

The primary damage could be significant or benign depending whether your Gmail account was logged into by the attackers.  The main attack then automatically resent the same attack to all your Gmail contacts (secondary damage being social embarrassment from being phished). However, there was a small potential that the attackers may have logged you’re your compromised Gmail account to study your emails, reset other online account passwords, or change account recovery options on your Gmail account!  There was no known malware in this attack, which infected recipient computers.

What to do if you were (or think you may have been) compromised in this attack?

Google acted very quickly to reports of this phishing attack, stopping all related emails within 3 hours of the outset of the attack.  If you think you may have been compromised here are six steps to take as soon as possible (Google recommendations):

  1. Go to your Google account management page.
  2. If you see an app called Google Docs, click on it to opt to revoke permission for the app to access your account.
  3. Then change your password [to something unique], just to be safe.
  4. Enable two-factor authentication on your account as an extra precaution. Two-factor authentication is the option to text a code to a phone number on file for your account so only a person with both your password and your cellphone can access your account. If you are unfamiliar with topic, check out our article on Two-Factor Authentication.

CyberHoot’s Additional Recommendations:

  1. Check your account recovery options to validate hackers did not change those to re-access your account once you changed your password.
  2. Immediately change passwords at sites using the same username/password as used on your Gmail account.

CyberHoot knows that in the absence of a password manager, people reuse passwords throughout their online accounts!  If your Gmail account was compromised by this attack, hackers might be trying to log into other accounts you have even after you removed the hackers access to your Gmail account.  One of our favorite password managers – LastPass – once populated up with your online accounts, will tell you which accounts reuse your Gmail credentials.  Change those to unique passwords to eliminate this cybersecurity risk now and in the future. If you would like more information on this topic, check out our article on Passwords, Passphrases, and Password Managers.

Event Summary:

This was a simple but highly convincing phishing campaign designed to steal Gmail account credentials.  Before clicking or opening anything always be sure to answer these questions affirmatively:

1)      Was I expecting this email?

2)       Was this email…

  • Addressed to me directly by name?
  • From someone I know?
  • Is the sending email address 100% correct?  (watch for slight variants like g00gle.com)

3)       Is the grammar, spelling, email construction correct?

4)       Does my gut tell me there is absolutely nothing wrong with the email.

If you answer NO to any of those, pick up the phone and call the sender to confirm they sent the message to you on purpose; otherwise, delete the message.

Stay safe online!

Editors Note: There is an article we wrote, Domino Breaches: Get Ahead of this Breach ASAP to stop the Falling Dominos. This article on phishing details another variant of attack similar to the Domino attack article published just over a month ago. Similar attacks have been made against Microsoft’s O365 users. No-one is truly safe online today without adopting the technical protections outlined in this article. Be safe online and remember, “Knowledge is Power!”.

Author, Craig, Co-Founder – CyberHoot

Editor, Ty Mezquita, Blogger/Social Media – Cyberhoot