Top Cybersecurity Scams

Special Notice for our South Carolina Neighbors

Be on your guard. Our partners at the Department of Homeland Security shared a report with me on Friday about expected threats to South Carolina state, local, and critical infrastructure networks for the foreseeable future.

The report states that a “vulnerability scan of 14 South Carolina organizations revealed over 35,000 vulnerabilities in 2020, including over 6,000 vulnerabilities listed as ‘critical,’ according to a state report.” And it specifically points out ransomware and opportunistic and widespread targeting through emails and exploiting unpatched vulnerabilities as the 2 main threats.

The report’s conclusions came from studying incidents reported to the state, field rep information, and media coverage from October 2019 through April of this year. You may remember hearing about the Georgetown County network getting infected this past January. Or maybe you were one of the people who had to go in person to pay or pick up your license plate decal.

The bottom line is that “malicious cyber actors targeting South Carolina networks will continue to evolve tactics and develop effective business models to maximize the chance for financial gain.” If your network improvements have been on the back burner for a while, now is the time to make them a priority.

Microsoft Warns of ‘Password Spray’ Attacks

Last week, Microsoft published a blog by their Detection and Response Team (DART) and threat intelligence teams detailing an uptick over the past 12 months of ‘password spray’ attacks. These are “authentication attacks that employ a large list of usernames and pair them with common passwords in an attempt to ‘guess’ the correct combination for as many users as possible. These are different from brute-force attacks, which involve attackers using a custom dictionary or wordlist and attempting to attack a small number of user accounts.”

The article explains how attackers have changed their approach. “Previously, threat actors focused on attacking computers to gain access into an environment. As software becomes more intelligent at detecting abnormal programs and vulnerabilities, attacks against our customers are rapidly becoming more focused on breaking into identities rather than breaking into a network.”

And one of the 2 methods used in a password spray attack, they call “Availability and Reuse: With a new breach being announced publicly every month, the amount of compromised credentials posted on the dark web is rising rapidly. Attackers can utilize this tactic, also called ‘credential stuffing,’ to easily gain entry because it relies on people reusing passwords and usernames across sites.”

The US Sun puts it a little more simply. “Hackers can plug these combinations into other websites in the hope that you’ve reused them across multiple online accounts.”

What does all this mean?

Google estimates that over 4 billion username and password combinations have leaked in recent years.

And a recent survey by PCMag found that 70% of people over 18 use the same password for more than one account, if not every login.

So if you or any of your employees reuse a password that is included in that estimated 4 billion, then your network is at risk.

How can you protect yourself?

• First, stop reusing passwords for more than 1 account or login, especially any passwords you use for work. Second, see if your email has been exposed at haveibeenpwned.com. Third, change any passwords shown in the results and close any accounts that you don’t actively use anymore.
• Get a password manager. There are quality free and paid tools that can store and even create strong, unique passwords for you. Many of them have apps or plugins for your browser so you can log in seamlessly once you’re set up. It can take time to add in your existing accounts and create stronger passwords, but putting in the effort now will better protect you and everyone in your network.
• Consider disallowing any password policy exceptions you may have made at work over the years. As Microsoft points out, “identities with a high profile (such as C-level executives), or identities with access to sensitive data are also popular targets” [in addition to administrator accounts], and those roles are typically where exceptions are made and therefore where weak spots can be introduced.

Craigslist Notifications Scam

Hearing about this one made me feel like I was back in the year 2000. But apparently Craigslist is still alive and well and being actively used. Maybe even by you.

According to INKY, this is what’s happening: “Craigslist, that old-fashioned website people still use to find things locally — and urgently — has become the latest [attack] vector. In the service of safety and anonymity, Craigslist lets people seeking or offering things send an email through the system to anyone else. Craigslist knows the identities of everyone, but unless a correspondent discloses details, they are perfectly anonymous to others on the system. [So criminals] can shoot their poisoned arrows from behind a local mail proxy. And shoot they did — a number of times in early October.”

The scam is a real-looking notification email sent from the Craigslist domain. It claims that your listing has inappropriate content or has violated the terms and conditions, and it includes instructions on how to avoid having your account deleted. The instructions are false, directing you via link or a button to download the form you need to fill out.

But if you click on the link, you go to a OneDrive page with an ‘online version not available’ error message and a download link. If you download the zip file and extract what’s in it, you will install malware on your computer.

So how can you stay safe from this?

• This example, while specific to Craigslist, is an attack type we’ve seen used effectively on other platforms and one we can all learn from. Get familiar with the ways your platforms communicate official information. Researchers believe Craigslist was compromised, which is why the emails came from their domain, but Craigslist users should know that a real message would have had the form attached to it, not linked.
• Always be suspicious when you are directed to OneDrive from another company’s ‘official’ message. It doesn’t make sense for Craigslist to send you to OneDrive when they could host whatever they need to on their own site
• Also be suspicious when extra steps are involved, i.e., when a link does not take you directly where it says it will take you. This message claimed the link went to the form. But clicking the link led to OneDrive where there was a separate link for downloading the form. And that download wasn’t a form, it was a zip file which can contain any number of things. These ‘extra steps’ have become a common tactic for criminals since you can store nearly anything in a zip file or on OneDrive or Google yet use their legitimate links to bypass security filters.

Potluck of Scams

With Thanksgiving coming up later this month, think of this last item as more of a cornucopia of miscellaneous warnings. Instead of one detailed scam, this is an assortment of recent threats to look out for beyond email attacks. You can think of them as your side to the feast: mashed potatoes, green beans, cranberry sauce, etc.

And I want to say Thank You as well. Cybersecurity is not always something people want to think about. With the frequent headlines of hacks and breaches, we can get overwhelmed by it all. But it is absolutely vital to us, professionally and personally. So thank you for reading these emails, for being vigilant and asking questions. Thank you for your trust in my team and for all you do to help us keep you protected. I appreciate you.

~ ~ ~

Experts are warning Facebook and Clubhouse users to be especially vigilant of malicious texts, social engineering scams, and profile hacking. Supposedly, a user on the dark web has taken the 3.8 billion phone numbers scraped from Clubhouse in July and matched it with Facebook information, creating a sort of “goldmine for scammers,” according to CyberNews senior information security researcher Mantas Sasnauskas. It gives contextual information about the owners of the leaked phone numbers, including usernames, locations based on phone number suffixes, their Clubhouse network sizes, and Facebook profiles.

If it’s genuine, this means that it would be much easier for scammers to run localized mass campaigns and craft personalized scams based on the data gleaned from the potential victims’ Facebook profiles.

“People tend to overshare information on social media. This could give insights for scammers on what vector to employ to run their scams successfully by, for example, calling people with the information they learned from their Facebook account,” says Sasnauskas.

It’s also important to note that you wouldn’t have to have a Clubhouse account in order to be on this list. Clubhouse used to insist subscribers shared their address book, so those contacts could be in the scraped information and this newly compiled database.

What can you do against this?  

• Be careful of connection requests and messages on Facebook, especially if they include links. See if your email or your phone number has been exposed at haveibeenpwned.com. Be on the alert for spam texts, and be especially vigilant of social engineering attempts. You may also want to consider dark web monitoring so you will be notified if your information shows up for sale on the dark web. 

Android apps that have been downloaded more than 10 million times have been found to be part of a premium SMS scam. The apps cover a wide variety of fake purposes including photo editors, games, custom keyboards, call blockers, and more. But when you download and open them, you are prompted to enter your phone number and sometimes email, which is used to subscribe you to a premium SMS service. Once you submit the info, you may see subscription options or the app may stop working. The sole goal is to sign you up for charges you may not even notice on your cell phone bill. As of the last week in October, 151 apps had been identified and removed from the Google Play Store, but experts believe others are still available.

Avast researchers share how to avoid this:

1. Remain vigilant when downloading new apps, especially apps advertised in short and catchy videos. Children may be particularly vulnerable to this type of scam.
2. Disable the premium SMS option with your carrier. While there are legitimate uses for premium SMS, such as donating to charities, it is an easy avenue for malicious actors to abuse. Disabling this option will nullify the UltimaSMS scam. Based on some of the user accounts that left negative reviews, it looks like children are among the victims, making this step especially important on children’s phones, as they may be more susceptible to this type of scam.
3. Carefully check reviews. Scam apps often have boosted review averages, but written reviews may reveal the true purpose of an app. Checking the developer’s history and profile may also be useful.
4. Don’t enter a phone number unless you trust the app. Being careful with personal details, including phone number and email, goes a long way to avoiding similar scams.
5. Read the fine print before entering details. Legitimate apps will have Terms of Service and a Privacy policy alongside a statement of how they intend to use your data and entered details.
6. Stick to official app stores when downloading apps. Although the known apps have been removed from the Google Play Store, they are still available for download elsewhere on the internet.

This one isn’t a scam, but it’s another threat worth being aware of. A WordPress plugin had a bug, known about for nearly a month, that allowed subscriber-level users to wipe an entire site’s content. Hashthemes Demo Importer is the plugin that has since been patched, but the implications are concerning.

What can you do against this?  

• An estimated 455 million websites use WordPress, and plugins are constantly being updated and added. Keep your plugins up-to-date, and back up your website regularly so you can recover from an unexpected situation like this. Also keep an eye on your backend activity so you can see when something irregular happens.

Another set of bugs has recently been addressed by Adobe in 14 of their products. The company says there is no evidence of any of these vulnerabilities being exploited in the wild, but I mention it here to encourage you to update any of their design products you may use. Adobe PDF programs were not included in this group, so you may not need to update anything, but programs like InDesign and Illustrator were included.

• Software patching seems like a never-ending hassle, but it is critical. Bug bounty hunters and white hat hackers look for vulnerabilities so they can be addressed before they become a risk to end users. Our team stays on top of system updates for exactly this reason and will push out Windows and Microsoft patches automatically when they become available, but every business uses a variety of programs. So if you ever receive notices from industry-specific software or programs that only you or a handful of employees use, be sure to share that with your IT team. Let us help keep you up-to-date and protected.