This week’s insight from Purple Team

Let us talk about this week’s cybersecurity topic:

How to Detect a Phishing Attempt

We have talked at length about the dangers of phishing. 
Most mail service providers weed out the obvious ones. So what survives to your inbox are the plausible, and therefore pernicious, ones.   Let us learn this week how to identify a possible phishing attempt on you. 

The External Markers

• The old bromide about about something being “too good to be true” is all too true  – if it looks too good, or too urgent, or too important, do not click it. Think about it. 
  And do not forget the emotional attacks  either – scammers can try to play to your political or religious sentiments to get you to click that link or attachment!  Postpone opening that link; most legitimate transactions will give you sufficient time to respond.  Please remember, the scammer can pretend to be your boss too!
• No reputable company sends an email from a ‘free’ account. 
  So, if you get an official looking mail from say, a @gmail.com account, you should be suspicious of it. Please be aware – the mail may look very official and proper, with the correct logo, subject etc.  Looks do not matter. What you are looking for is if the portion after the ‘@’ looks like the company’s address.
• And look very carefully at the domain’s spelling. Do a web search of the company and see how their domain is spelt. It is very easy to overlook a domain spelled ‘citi-bank.com’ or ‘citibank.io’  and assume it is from citibank. Or the legendary ethical hack that spelt the domain gimletrnedia (with a r-n-e-d-i-a instead of m-e-d-i-a) and fooled even the company’s CEO & President into clicking the phishing link.
• Look very suspiciously at any attachment or link on emails.
  Never open an attachment that does not look like it is from a legitimate source. Or if it is too generically named. Or if you think it is odd to receive that attachment or link from that person in the current context. Check with the sender using another channel, like phone, and then open it  if you are fully satisfied about its legitimacy.
• Links can easily be disguised as buttons.
  If you hover over the button or right click on it, it will display the address to which it is linked. Check if that address looks legitimate. (On a mobile, long press the link.) Only then click the link.

If you follow these guidelines, you would be able to filter out most phishing mails. We can can examine how to inspect the internals of an email that passes these tests in a subsequent newsletter.
It would pay you well to remember these tips when you,as an organization, send out emails as well.  Otherwise, you risk getting your mails classified as phishing mails, like this company’s email!  They could not have created a more suspicious looking email even if they deliberately tried to!

– Sridhar Parthasarathy, CEO, Purple Team (www.purpleteam.in)

Quick Links

Learning News this Week

• Company finds it is hacked after its server runs out of space!
   
• The WORST way to check  your password strength!

Interesting News

• Mass Malware Attack
• Facebook Plays Peek-a-Boo
• $5M Ransom – Pemex
• Cybersecurity – A Collective Responsibility
• AWS Suffers 8 hour DDoS attack
• Insider Attack Cheaper than Malware?
• GitHub Launches Security Lab

Threat Intelligence

• Yet Anonther WhatsApp Video Bug!
   
• Android USB/Bluetooth Can Spy on Owners
   
• New Fileless Technique to Backdoor Win10
   
• Web.com breach = More Phishing?
   
• McAfee Vulnerability
   
• Security Firm Check Point’s ZoneAlarm Breached
   
• PSA: Don’t Use Public USB Charging Stations
   
• Intel TPM Chip Vulnerability Fixed After 26 years
   
• Qualcomm Android Exposure
   
• Android PAC Bug Allows Arbitrary Code Execution
   
• NextCry Targets NextCloud Linux 
   
• Unusual PureBasic based PureLocker Malware

Company finds it is hacked after server runs out of space

Back in 2016, an Utah based company figured out, 2 years too late, that it was hacked after one of its servers ran out of space. The hacker had stored the stolen data on the server’s disk. That archive finally grew too big, triggering the detection of the hack.

Learning

There were quite a few errors in how the company set up its systems – there were no means to detect unauthorized access or modification of its files. Nor did it track usage of resources. Nor were costs tracked closely enough to detect anomalies.
The hacker stole around 1 million user records  out of a total of around 12 Million user records.  To make it easier of the hacker, sensitive user information like, SSN, Payment card information, bank accounts, user names & passwords (GASP!!) were stored in clear text 
If you read the story, you will find that the intruder had earlier infected the company’s systems for remote access & control. So, the company’s IT sin is further compounded by the failure to clean out an infection completely – again an outcome of poor logging.
The company is a text book case study of how not to implement cybersecurity.  Learn from their travails!

The WORST way to check your password strength!

FinecoBank, a bank with more than 1.3 million customers in Italy and the UK, suggested an unusual password strategy to its customers: copy and paste the password into Google, and see if anyone else is using it.
This, obviously,  is a very bad idea!

Learning

While it is a good idea to encourage customers to choose unique, or rare, passwords, entering them in clear text in a search engine is wrong – too many actors know your customer’s password.  And after all that risk, the resulting password is likely not very strong as any human generated password is bound to follow some pattern.
A better solution is to use password generators, combined with a password manager.   It is suggested that random phrases with special character modifiers generate stronger passwords in real life.   
When this strategy is combined with multi factor authentication, you can balance security and ease of remembering the password adequately.

Mass Malware Attack

Bad actors are utilizing the interest generated by the US 2020 Elections & the impeachment proceedings to infect systems with malware.

Facebook  Plays Peek-a-Boo

The interwebs were ablaze last week with the news that Facebook switches on the phone camera when you use the app on iPhone. (Thankfully, this ‘feature’ is absent on Android)

$5M Ransom demand from Pemex

Attackers have demanded a $5 Million ransom from beleaguered Mexican State Oil firm Pemex, after making the point that they missed the ‘early bird discount’!

Cybersecurity – A Collective Responsibility

C-suite execs must set an example of good practices while also supporting the IT department with enough budget to protect the organization from next-generation cyberattacks.

AWS Suffers 8 Hour DDoS attack

AWS confirmed a sustained 8 hour DDoS attack on Route 53 & related services.  This news emphasizes the need for multi-cloud, multi-region architecture for your mission critical enterprise class applications, in my opinion.

Insider Attack Cheaper than  Malware?

A fascinating podcast on the economics of using Insider attack vectors over  the external. A discussion on what the top insider threats are, and why departing employees as a threat are pushing companies to update their exit policies.

GitHub Launches Security Lab

GitHub announced the launch of a new community program called Security Lab that brings together security researchers from different organizations to hunt and help fix bugs in popular open source projects.