The Connection, Inc Blog

On Wednesday, several users found themselves the victim of a convincing phishing attack. The attack was designed to look like an invitation to view and edit a Google Doc, and is designed to steal your Google credentials and spread through your contacts.

Not only does the email look convincing, it’s also often coming from a contact you already know. Even worse, the link takes you to a Google.com URL with a legitimate-looking login screen. However, once you log in with your Google credentials, whoever is behind the attack will have full access to your account.

Once it has them, it sends the same email to your contact list in an attempt to propagate itself. This attack is well-crafted, to the point where the easiest way to catch it before getting snared is to click the small link on the page that Google hosts to check the developer’s information. Since the attack utilizes legitimate Google account functions, however, who would think to check?

Whenever you get an unsolicited email with links or attachments, it’s critical to think before you click!

Fortunately, Google was able to apparently put the kibosh on this attack within an hour of taking action, but there’s still no indication of who was responsible for this attack or if/when they will strike again. Therefore, it is important to understand how to avoid falling victim to emails like this in general.

First, if there’s ever any doubt of an email’s validity, check out some of the indicators that tend to go overlooked. This attack in particular had some oddities--for example, the email was addressed to “hhhhhhhhhhhhhh@mailinator.com.” Secondly, if an email is unexpected, it never hurts to confirm its validity with the sender through an alternate method of communication.

To protect your business, you need to be sure that your staff understands that threats like this could be a major problem. In the meantime, be sure to keep your eyes out for more email-based phishing scams and other threats. If you do come across questionable messages, don’t hesitate to report it immediately, so that everyone on your team becomes cognizant of the threat.

For more information about phishing scams, social engineering tactics, and other attempts to infiltrate your network, contact the IT professionals at The Connection, Inc at (732) 291-5938 today.

Phishing attacks have been around for decades, first being recorded in 1995 where scammers would pose as AOL employees and request a user’s billing information through instant messages. Nowadays, email phishing attempts have tricked users into handing over personal information of all kinds. There are many methods of identifying a phishing attempt, but today we’ll focus on one.

Chances are, you’ve heard of phishing before--emails that promise some benefit or prize if you only click on the included link, that actually only results in trouble for you and your data. Unfortunately, as technology has embraced mobility, so have phishing attempts. This is why you must also be aware of SMiShing scams.

Email is a core component to many businesses. With 124.5 billion business emails being sent and received each day, that doesn’t seem to be in danger of ending. Are the emails that are coming and going from your business secure? That may be another story, altogether. In order to keep your email security at a premium, we have outlined the following tips:

Using Filters
Filters make a lot of things easier to manage and easier to interact with, but since your employees have to stay on top of their company email, having some pretty easy-to-use solutions is important. Spam-blocking can go a long way toward reducing the amount of unimportant emails each employee sees, and a dedicated antivirus software can keep malware and other nefarious entities off of your network.

Be Smarter with Your Email
No spam filter or antivirus will do it all. In order to achieve the best results with securing your email, users have to be well-versed in the best practices of email management. The most important qualification any person can make when trying to secure their personal email from hackers is to ensure that they have the knowledge of what a phishing email might look like; and to make sure that the business’ network security is up to snuff.

Here are few tips to keep your email secure.

• Know what a legitimate email looks like. For every email sent from a vendor or partner, there are two sent that are there to trick end-users.
• If you aren’t going to take the time to encrypt your email, don’t put any potentially sensitive information within the email. This goes for heath, financial, or personal information.
• The less people who have your email address, the more secure your email is going to be. Teach your employees to not give out their email addresses if they can help it.
• The email solution needs to be secured behind solid passwords, and/or biometrics. Two-factor authentication can also be a good solution to secure an email against intrusion.

End Your Session
There are circumstances that people can’t control, so if you absolutely have to use a publicly-accessible device to access your email, you have to make certain that you log out of the email client and device you access your email on. After you log out, you’ll want to clear the cache. Many browsers and operating systems today want to save your password for user convenience. Better to use a password manager than allow the most public points of your workstation to save your credentials.

The Connection, Inc can help you set up an email security policy that will work to ensure that your employees are trained, and you have the solutions you need to keep any sensitive emails away from prying eyes. Call us today at (732) 291-5938 to learn more.

Phishing attacks have been in the social consciousness now for a while, and for good reason: it is the predominant way that hackers gain access to secured networks and data. Unfortunately, awareness to an issue doesn’t always result in positive outcomes. In this case, hackers get more aggressive, and by blanketing everyone under a seemingly limitless phishing net, 57 billion phishing emails go out every year. If a fraction of those emails accomplish their intended goal, the hackers on the other end of them really make out.

Unfortunately, one of the most effective defenses against phishing attacks has suddenly become a lot less dependable. This means that you and your users must be ready to catch these attempts instead. Here, we’ll review a few new attacks that can be included in a phishing attempt, and how you and your users can better identify them for yourselves.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are a few different methods that have been leveraged to bypass the security benefits that 2FA is supposed to provide.

On a very basic level, some phishing attacks have been successful in convincing the user to hand over their credentials and the 2FA code that is generated when a login attempt is made. According to Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing, yet fake, page to reset their Google password. In some cases, fake emails like this can look very convincing, which makes this scheme that much more effective.

As Amnesty International investigated these attacks, they discovered that the attacks were also leveraging automation to automatically launch Chrome and submit whatever the user entered on their end. This means that the 30-second time limit on 2FA credentials was of no concern.

In November 2018, an application on a third-party app store disguised as an Android battery utility tool was discovered to actually be a means of stealing funds from a user’s PayPal account. To do so, this application would alter the device’s Accessibility settings to enable the accessibility overlay feature. Once this was in place, the user’s clicks could be mimicked, allowing an attacker to send funds to their own PayPal account.

Another means of attack was actually shared publicly by Piotr Duszyński, a Polish security researcher. His method, named Modlishka, creates a reverse proxy that intercepts and records credentials as the user attempts to input them into the impersonated website. Modlishka then sends the credentials to the real website, concealing its theft of the user’s credentials. Worse, if the person leveraging Modlishka is present, they can steal 2FA credentials and quickly leverage them for themselves.

How to Protect Yourself Against 2FA Phishing

First and foremost, while it isn’t an impenetrable method, you don’t want to pass up on 2FA completely, although some methods of 2FA are becoming much more preferable than others. At the moment, the safest form of 2FA is to utilize hardware tokens with U2F protocol.

Even more importantly, you need your entire team to be able to identify the signs of a phishing attempt. While attacks like these can make it more challenging, a little bit of diligence can assist greatly in preventing them.

When all is said and done, 2FA fishing is just like regular phishing… there’s just the extra step of replicating the need for a second authentication factor. Therefore, a few general best practices for avoiding any misleading and malicious website should do.

First of  all, you need to double-check and make sure you’re actually on the website you wanted to visit. For instance, if you’re trying to access your Google account, the login url won’t be www - logintogoogle - dot com. Website spoofing is a very real way that (as evidenced above) attackers will try to fool users into handing over credentials.

There are many other signs that a website, or an email, may be an attempt to phish you. Google has actually put together a very educational online activity on one of the many websites owned by Alphabet, Inc. Put your phishing identification skills to the test by visiting https://phishingquiz.withgoogle.com/, and encourage the rest of your staff to do the same!

For more best practices, security alerts, and tips, make sure you subscribe to our blog, and if you have any other questions, feel free to reach out to our team by calling (732) 291-5938.

It can be a real head-scratcher when one of your otherwise well-performing employees routinely falls for the simulated phishing attacks that you roll out as a part of your cybersecurity awareness strategy. For all intents and purposes, the person is a great employee, but when it comes to acting with caution, they fail. If you’ve made a point to prioritize your staff’s working knowledge of phishing attacks, do you replace this employee? We’ll take a look at it today.

Any business in operation today needs to keep modern realities concerning cybersecurity at top-of-mind if they are going to successfully maintain the business going forward. One major issue to be cognizant of is the increasing prevalence of phishing attacks.

Did you know that, in 2018, phishing attacks had increased by 269 percent as compared to 2017? Furthermore, phishing was involved in 32 percent of all reported data breaches that year. Businesses located in the United States also seem to have the most to be worried about, as almost 86 percent of phishing attacks were leveraged against American targets.

It’s No Wonder that Phishing is Being Addressed During NCSAM

NCSAM, or National Cybersecurity Awareness Month, is meant to encourage awareness of cybersecurity practices and behaviors in an attempt to promote them. This year’s lessons cover many basic cybersecurity practices - including how to identify and avoid phishing attempts, reinforcing the 2019 theme of “Own IT. Secure IT. Protect IT.”

Of course, we can also help you out by giving you some actionable best practices now.

• Be wary of unsolicited or unexpected messages - One of the biggest clues that something is a phishing message is that it will likely appear out of the blue. If you suddenly get an email “from Amazon” that says suspicious purchases have been made on your account and you need to re-verify your payment credentials, think about it for a second - have you received any other emails from Amazon in regard to these purchases, as in delivery schedules or order confirmations? The same concept applies to emails that come from any sender. Before you interact with one of these emails, try reaching out to the supposed sender through some other means to confirm.
  
  
• Avoid unanticipated links or attachments - Cybercriminals have become irritatingly clever in how they deliver their attacks and malware - not only delivering a convincing argument via phishing, but hiding executable malware inside documents that activate when the attachments are opened or delivered via a bad URL. Unless you were anticipating a link or attachment in an email, you should always be hesitant to click on them - at least until you’ve confirmed their legitimacy through another form of communication.
  
  
• Check the details - Make sure that the email is actually coming from where it should. Cybercriminals will sometimes create fraudulent emails that, at a quick glance, look similar enough to the real McCoy that a user may not spot the difference. Is the address from “contact@gmail-dot-com,” or from “contact@grnail-dot-com”? Look at the second option closely. G-R-N-A-I-L probably isn’t the mail service your contact uses, suggesting that this email is fake.

While this month may be dedicated to improved cybersecurity awareness, it isn’t as though you don’t have to consider it for the rest of the year. The Connection, Inc is here to assist you in keeping your business and its data secure. Give us a call at (732) 291-5938 to learn more about the solutions we have to offer.

Gmail and the applications associated with it seem to have some level of inherent trust among users. We just don’t anticipate threats to come in via something from Google. However, it does happen, as a recent spat of phishing has shown using Gmail and Google Calendar. What’s worse, this particular scam has been around for some time.

The modern cyberattack is more of a slight of hand than it is a direct attack. With encryption protecting a lot of business data, hackers need to find ways to circumvent that technology. They often do this though phishing. This week, we will take a look at some of the warning signs of phishing to help give you a little better awareness. 

As prevalent as cybersecurity threats unfortunately are today, many users tend to overlook major threats that they just aren’t focused on nearly as much: social engineering attacks. Social engineering attacks are just another means for a cybercriminal to reach their desired ends, and therefore needed to be protected against.

In the late 1970s and early 1980s, Bell telephone companies were making a mint off of offering the ability to call your friends and family that lived outside your predefined region, charging up to $2 per minute (during peak hours) for long distance calls. The problem for many people was that these regions kept shrinking. Some people decided to combat this costly system by reverse engineering the system of tones used to route long-distance calls, thus routing their own calls without the massive per-minute charges demanded by long-distance providers. These people were called Phreakers, and they were, in effect, the first hackers.

Spam is a major hindrance when running a business that relies on email, but it’s easy to protect your employee’s time from the average spam messages with the right technological support. Unfortunately, hackers have adapted to this change and made it more difficult to identify scam emails. More specifically, they have turned to customizing their spam messages to hit specific individuals within organizations.

The average business owner may already be aware of what are called phishing attacks - scams that attempt to deceive and trick users into handing over sensitive credentials. However, not all phishing attacks are of the same severity, and some are only interested in hauling in the big catch. These types of attacks are called “whaling,” and are often executed in the business environment under the guise of executive authority.