1. LastPass Breach Risk
You’ve probably seen the recent headlines. LastPass, one of the most popular password management tools, was hacked this past August. The investigation is ongoing, and an update last month revealed that customer information was accessed.
Now, before you say, ‘Don’t you keep telling me to use a password manager?!’ Yes, I do. And I will continue to recommend it over bad habits such as saving passwords to a text file on your computer. Or even worse, using the same password for multiple accounts.
Think of it like this: St. Joseph’s/Candler suffered a massive breach in 2021. But you don’t say, ‘that’s why I don’t use hospitals.’
These hacks are a fact of life and of business now. What’s important is how we protect ourselves through tools, education, and best practices.
Back to the hack, LastPass recommends businesses review and update their passwords, review their security measures, and stay vigilant for social engineering attacks on their accounts.
Why? Because LastPass says that although users’ plaintext passwords were not accessed, the hackers did get the following:
- website URLs for the users’ stored passwords
- end-user names
- billing addresses
- email addresses
- telephone numbers
- company names
- IP addresses from which customers were accessing the LastPass service
- AND each LastPass user’s encrypted passwords for every stored login.
Now, those encrypted passwords are protected by a key derived from the user’s LastPass master password, and the attackers hold their own copy of the data. That means they can guess at the master password offline, at their own pace, with no lockout or rate limit to slow them down. So the protection is only as strong as the master password was. Strong meaning at least 12 characters long, containing some complexity, not an easy-to-guess word or pattern, and not used on any other site or service.
But the unencrypted information means an attacker can specifically target a potential victim using information not known to the general public and other hackers.
For example, with a list of the websites that someone logs onto, a criminal can craft specific emails that pretend to be from that website. They could include the user’s name and address. Add their phone number to that and consider how each additional detail adds to the impression that the social engineering email is real. Each included detail increases the percentage of people who will become victims.
Criminals can also blast entire companies pretending to be the LastPass user who had their information breached. Or they could use IP addresses to find remote workers with lax home computer security to try to gain access to business networks.
There are many ways they can try to use this data. You need to be prepared.
What can you do to protect yourself?
If you’re a LastPass user, check the strength of your master password. If it doesn’t meet the criteria above, then change it AND all the other passwords you were storing in LastPass, starting with the accounts that matter most: email, banking, and anything you use for work.
For your business,
- Make sure everyone is aware of this breach. Share with them the importance of strong, unique passwords for their own protection and yours. Let them know to expect targeted attacks.
- Run employee awareness campaigns: simulated scam emails that employees respond to in real time and get immediate feedback on, so they learn from them. We offer this for clients and send them to our own team.
- Consider dark web monitoring to be notified of compromised accounts.
- Use your IT team to check any messages you are the least bit suspicious about. We offer a one-click reporting tool in Outlook that makes this simple for everyone, and we’re always happy to check something for you.
- Enable MFA on every account that allows it. I bet you were hoping I would stop harping about MFA this year, but it is too easy and too effective to not use it wherever possible.
2. Cable and Internet Provider Scams
Now, I’m not including this scam because Comcast’s Xfinity is raising prices this month or because my team and I often get mixed up with them. They are, and we do, but that’s not why this is here.
This also isn’t about Clearwave Fiber digging up your yard to lay new cable or newcomer Coastal Communications planning to bring faster Internet to the Islands. You’ve probably seen headlines or social posts about both of those recently, too, but they’re not behind this scam either.
These companies being in the news just means you may be more susceptible to this scam.
The FTC recently issued an alert about provider imposters reaching out with an offer to lower your monthly TV, cable, or internet bill. People across the country have reported calls, texts, and voicemails.
One woman told this story to the radio station:
“We just received a scam phone call yesterday addressing my husband by name and claiming to be Cox Cable. We had just canceled Cox cable TV two or three days before, which this caller [knew] about. They offered a 40% discount if we reconnected. I inquired about the cost, but before he would give me the cost, he wanted to verify our account and asked for my mother’s maiden name. That’s when the red flag went up. I said, ‘May I call you back in 15 minutes’, with the intention of checking out the phone number and calling Cox Cable. The caller replied that he’d call me back. Once I did a Google search of the number and called Cox Cable, I realized it was, in fact, a scam call. The caller didn’t call back. I followed up with a call to my older parents to warn them about these types of scams.”
The FTC shares another example:
“You get a phone call, recorded message, or text with an offer to lower your monthly payments. The caller — or the person who picks up when you call the number they give you — says you need to “prepay” part of your bill to qualify. They tell you to pay using gift cards because they’re partnering with a company for a promotion, and to call them back with the gift card number. Once you do, they collect that and other personal information over the phone.”
It all sounds so tempting and almost reasonable that many people are giving away their information and paying a much higher price.
How can you avoid these scams?
- Never give out your personal, account, or payment information to someone who contacts you out of the blue and asks for it. Legitimate businesses you have accounts with already have this information and don’t need to call you to verify it.
- Don’t implicitly trust caller ID. Scammers can easily fake caller ID so it shows a company’s name or phone number. And never call back a number from a recorded message or listed in an unexpected email or text. Look up the phone number on the company’s official website.
- Remember that gift cards are for gifts. If anyone tells you to pay with a gift card, or to buy gift cards for anything other than a gift, it’s a scam. You’ll lose your money, and you won’t be able to get it back.
- Try not to be fooled by a great-sounding deal, especially if it is urgent. Scammers want you to act without thinking and will try to prey on your emotions. Get in the habit of pausing. Give yourself time to think and consider whether any of the red flags above are there, trying to warn you.
3. SVG and XLL Malware Deliveries
This last one is less about a specific scam and more about the tactics to look out for.
You already know to be suspicious of unsolicited attachments. But you also know from previous scams that criminals can send messages from the accounts of people you know, sometimes even as replies in an existing email thread. And that can make you think the attachment is trustworthy.
Please be careful, however, and confirm via phone or chat that any attachment you were not expecting is legitimate before opening it.
Criminals are evolving to smuggle malicious HTML and script inside SVG files. SVG is an image format, but under the hood an SVG file is XML text, and it can contain script just like a web page. They are also using XLL add-ins more often to deliver malware through Excel. An XLL looks like an Excel file but is really a Windows executable that Excel loads as an add-in, and criminals have turned to it since Microsoft began blocking VBA macros by default in files downloaded from the Internet, closing off the method they had commonly exploited.
Without getting deep into the technical details, the difference between the two is simply when the code runs. With an SVG, your browser runs the embedded script the moment you open the file, and that script rebuilds the real payload and saves it to your computer. With an XLL, Excel loads the add-in when you open it (usually after a single prompt), and the add-in’s code runs immediately.
Talos, one of the largest commercial threat intelligence teams in the world, explains the SVG angle:
“HTML smuggling can bypass traditional network defenses and is increasing in frequency. Once a victim receives the email and opens the attachment, their browser decodes and runs the script, which then assembles a malicious payload directly on the victim’s device.”
They also talk about XLL:
“XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code.”
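To show what the two tactics look like at the file level, here is a small triage script that a mail gateway or help-desk tool could run on an attachment before anyone opens it. This is example code written for this article, not Talos’s tooling or anything Microsoft or LastPass ships. The sample SVG and XLL bytes are constructed stand-ins rather than real malware, and the list of script markers and the 200-character base64 threshold are assumptions chosen for the example. It is a heuristic: it flags files for a human or a sandbox, it does not prove a file is clean.

```python
"""Static triage of e-mail attachments for SVG HTML smuggling and XLL add-ins.

Example written for this article (not a vendor tool). Purely heuristic: it
flags files for a human or a sandbox; it does not prove a file is clean.
"""
import base64
import re
import xml.etree.ElementTree as ET  # on untrusted input prefer defusedxml (assumed not installed here)

# Browser APIs a smuggling script needs to rebuild and drop a payload (assumed marker list).
SMUGGLE_MARKERS = (b"atob(", b"createObjectURL", b"new Blob(", b"msSaveOrOpenBlob",
                   b".download", b".click()", b"fromCharCode")
# 200+ unbroken base64 characters: a chosen threshold for "an encoded binary is embedded here".
LONG_B64 = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data):
    """Return reasons an SVG looks like a smuggling carrier (empty list = nothing found)."""
    reasons = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["svg: not well-formed XML (possible obfuscation)"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            reasons.append("svg: <script> element present")
        elif tag == "foreignobject":
            reasons.append("svg: <foreignObject> can embed arbitrary HTML")
        for attr, value in el.attrib.items():
            if EVENT_ATTR.match(_local(attr)):
                reasons.append("svg: event handler attribute " + attr)
            if value.strip().lower().startswith("javascript:"):
                reasons.append("svg: javascript: URL in " + attr)
    hits = [m.decode() for m in SMUGGLE_MARKERS if m in data]
    if hits:
        reasons.append("svg: smuggling APIs used: " + ", ".join(hits))
    if LONG_B64.search(data):
        reasons.append("svg: long base64 blob embedded")
    return reasons


def scan_pe(filename, data):
    """Return reasons a file is a Windows executable, and specifically an XLL."""
    if data[:2] != b"MZ":
        return []
    reasons = ["pe: MZ header, this is a Windows executable whatever its name"]
    if b"xlAutoOpen" in data:  # the export Excel calls when it loads an add-in
        reasons.append("pe: exports xlAutoOpen, i.e. an Excel XLL add-in")
    if filename.lower().endswith((".xll", ".dll", ".exe")):
        reasons.append("pe: executable extension on " + filename)
    return reasons


def triage_attachment(filename, data):
    """Classify one attachment as 'allow', 'review' or 'block' with the reasons."""
    reasons = []
    if filename.lower().endswith(".svg") or b"<svg" in data[:512]:
        reasons += scan_svg(data)
    reasons += scan_pe(filename, data)
    hard = any(r.startswith("pe:") or "<script>" in r or "smuggling APIs" in r for r in reasons)
    verdict = "block" if hard else ("review" if reasons else "allow")
    return {"file": filename, "verdict": verdict, "reasons": reasons}


# Constructed sample inputs (not real malware): a harmless icon, a smuggling SVG
# whose script decodes an embedded blob and forces a download, and a stand-in XLL.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
_BLOB = base64.b64encode(b"\x00" * 300)  # placeholder for an encoded payload
SMUGGLING_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><script><![CDATA['
    b"function run(){var s=atob('" + _BLOB + b"');"
    b"var a=new Uint8Array(s.length);for(var i=0;i<s.length;i++)a[i]=s.charCodeAt(i);"
    b"var blob=new Blob([a],{type:'application/octet-stream'});"
    b"var l=document.createElement('a');l.href=URL.createObjectURL(blob);"
    b"l.download='invoice.iso';l.click();}]]></script></svg>"
)
FAKE_XLL = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\x00" + b"xlAutoOpen\x00"

if __name__ == "__main__":
    for name, blob in (("logo.svg", BENIGN_SVG), ("invoice.svg", SMUGGLING_SVG),
                       ("budget.xll", FAKE_XLL), ("report.pdf", b"%PDF-1.4 ...")):
        print(triage_attachment(name, blob))
```

Two details are worth noticing. The XLL check looks at content, not the file name, so an add-in renamed to .xlsx is still caught by its MZ header and its xlAutoOpen export. And the SVG check treats any script at all as a reason to block, because a legitimate logo or diagram sent by email has no business carrying script, even though SVG technically allows it.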
The attachments used in these attacks can be webpages, PDFs, and nearly any kind of Office document. The messages may be about invoices, budgets, ‘the file you requested,’ or carry no description at all, counting on your curiosity to open it.
It is critical that we all train ourselves not to.
So how can you stay safe from this?
- As I said above, the best thing you can do whenever you get an unexpected attachment is to check with the sender before opening it. And don’t check by replying to the email, because the sender’s mailbox may be the very thing that was compromised. Reach out to the sender via phone call, chat, or text.
- You can also send any questionable messages to your IT team to check. We have the tools to do this safely and are happy to do so.
- Pay attention to any feelings you might have that something is wrong even if you can’t put your finger on it. Many of the hijacked email threads that criminals use to send these attachments are not current conversations. Look at the dates. If the message is a reply to an email from a year ago, be suspicious. If the tone sounds unlike the sender, be suspicious.
- Remember that any attachment has the potential to be hiding malicious code. If you are not 100% sure it is safe, check before opening.