For the past eight years, I have used a software product called Reflexion (from Sophos) to scan my email for threats. The product offered some wonderful features that enabled me to pursue my business without major threats of ransomware and business compromise emails. Regrettably, Sophos decided to retire the product earlier this year. I was not satisfied that their replacement had all of the features and functionality I had become used to, so I searched for an appropriate replacement.

I found Proofpoint and, despite a significant effort on my part to transition, really like how this product is helping keep me and my computer network safe from email-based threats.

Proofpoint scans all incoming emails and rates them on a threat score. This cloud-based product holds the suspect emails in quarantine, and I receive an activity summary each morning. When I review this list, I can block or release (and approve) as needed. This functionality gives me great peace of mind that nothing malicious will hit my computer.

Another significant product feature, URL Defense, analyzes and re-writes hyperlink URLs. The feature scans and refactors all URLs to protect people from malicious websites. For example:

https://www.reddit.com/subreddit/article/topic

would become:

https://urldefense.proofpoint.com/v2/url?u=https-3A__click.redditmail.com_CL0.
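When a rewritten link shows up in a quarantine summary or a forwarded message, it helps to see where it really points before deciding whether to release the mail. The decoder below is an added example, not Proofpoint's own code; it assumes the v2 encoding of the `u=` parameter is the one visible in the link above (a hyphen stands in for `%` and an underscore for `/`, after which the value is ordinary percent-encoding). The sample links and the `d=`, `c=`, `r=`, `m=`, `s=` values are constructed placeholders.

```python
# Added example (not Proofpoint's code): recover the destination of a
# URL Defense v2 link so an analyst can inspect it without clicking it.
# Assumption: in the u= parameter "-" encodes "%" and "_" encodes "/",
# and the remainder is plain percent-encoding (as in the link shown above).
import html
from urllib.parse import parse_qs, unquote, urlsplit

V2_ENDPOINT = "https://urldefense.proofpoint.com/v2/url"


def is_v2_link(link: str) -> bool:
    """True when the link is a URL Defense v2 wrapper."""
    p = urlsplit(html.unescape(link))
    return f"{p.scheme}://{p.netloc}{p.path}" == V2_ENDPOINT


def decode_v2(link: str) -> str:
    """Return the original URL wrapped in a v2 link; raise on anything else."""
    link = html.unescape(link)  # links copied out of HTML mail often carry &amp;
    if not is_v2_link(link):
        raise ValueError("not a URL Defense v2 link")
    params = parse_qs(urlsplit(link).query)
    if "u" not in params:
        raise ValueError("v2 link has no u= parameter")
    special = params["u"][0]
    # "-" -> "%" and "_" -> "/" turns the special encoding into percent-encoding
    percent_encoded = special.translate(str.maketrans("-_", "%/"))
    return html.unescape(unquote(percent_encoded))


def destination_host(link: str) -> str:
    """Host name the wrapped link actually lands on, lower-cased."""
    return (urlsplit(decode_v2(link)).hostname or "").lower()


def triage(links):
    """Map each link to its real destination; links that were never rewritten pass through."""
    return {link: decode_v2(link) if is_v2_link(link) else link for link in links}


# Constructed sample: a wrapped link to https://example.com/login?next=/home&id=42
SAMPLE_V2 = (
    "https://urldefense.proofpoint.com/v2/url?"
    "u=https-3A__example.com_login-3Fnext-3D-2Fhome-26id-3D42"
    "&d=CONSTRUCTED&c=CONSTRUCTED&r=CONSTRUCTED&m=CONSTRUCTED&s=CONSTRUCTED&e="
)

if __name__ == "__main__":
    for wrapped, real in triage([SAMPLE_V2, "https://example.org/plain"]).items():
        print(f"{wrapped}\n  -> {real}")
```

Run it on the links pulled out of a suspicious message; the decoded host is what you compare against the brand the mail claims to come from, and a decoded destination that does not match the sender is the signal to leave the message in quarantine.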

The other day I received an email that made it through the standard filter. It was for “pre-approval of a $372K loan” for my company. I was surprised it made it through, but there was nothing inherently wrong with the email contents. I looked for and found the link to unsubscribe from their garbage. At this point, I was so grateful to be using Proofpoint because I received a pop-up window (shown below) indicating the link was for a malicious website.

Proofpoint block

Honestly, this is the first time I’ve seen Proofpoint pop up, and I was both thrilled and scared simultaneously. It was obvious that the bad actors had exploited my normal human response, the decision to avoid getting more emails from this organization, to expose my computer to malicious software. I shook my head at the audacity of the threat and at how I had walked right into it.

My SonicWall firewall would have prevented malicious code from being downloaded. SentinelOne would have reacted immediately had any unwarranted programs started taking abnormal actions and reaching out to websites out of my ordinary purview. The bottom line is: I dodged a bullet, and my computing environment is still safe.

I have to wonder: What would have happened in an unprotected computer? What might have occurred in a small business that didn’t have a firewall or SentinelOne? I’m guessing the results would not have been good. The business owner would have called some IT person or company asking if they could help recover a computer — because someone thought they were doing the right thing.

I have blocked the sender’s address to ensure I don’t receive any more emails; however, countless other bad actors will continue to attempt to gain access and run roughshod over any willing victim.

My final words on this are simple: If you do not know the sender of an email, you must consider them suspect. In the past, I would have assured you that clicking the Unsubscribe link was sufficient to remove your name from a mailing list. Now, I’m changing that advice. If you don’t know who sent it, delete it. That will save you endless heartache and grief from potential problems.

For small business owners who own their web domain or email accounts, even if you use Google Workspace or Microsoft Office 365, I recommend you add Proofpoint to your existing SHADE subscription. This low-cost, high-value offering is something that could help prevent problems from occurring on your network.

Thanks, and safe computing!

ChatGPT, the artificial intelligence (AI) agent rocking all news channels, will be a threat factor very soon. A recent SonicWall webinar stressed that IT security providers must be aware of, and repel, phishing attacks. The presenters gave examples of several forms of emails that would get by most office administrators and even some high-level employees.

I was curious about how easy it is to create a phishing email from the two available versions of ChatGPT (versions 3 and 4).

My prompt in both cases was:

Write a false pretext phishing email for educational purposes

Here are the two responses the AI software generated:

Subject: Urgent Account Verification Required – Prevent Data Loss!

Dear Valued User,

We regret to inform you that our system has detected some unusual activity on your account. In order to ensure the security of your personal information and prevent any potential data loss, we require your immediate assistance to verify and update your account details.

As part of our ongoing commitment to protect our users from cyber threats, we have implemented a new security protocol that requires all users to verify their account information periodically. Failure to comply with this request may result in a temporary suspension of your account and the loss of important data.

To initiate the verification process, kindly click on the link provided below:

[Malicious Link: example.com/verify-account]

Once you click on the link, you will be redirected to our secure server where you will be prompted to enter your login credentials, including your username and password. Rest assured that this process is completely secure, and your information will be protected.

This step is necessary to verify the authenticity of your account and ensure its ongoing protection.

Please note that this verification is mandatory and must be completed within the next 24 hours. We kindly ask for your cooperation to prevent any potential security breaches and protect the integrity of our system.

If you have any questions or concerns, please do not hesitate to contact our support team at support@example.com. Our dedicated professionals are available 24/7 to assist you.

Thank you for your prompt attention to this matter. We value your partnership and remain committed to providing you with a secure and reliable service.

Sincerely,

[Phishing Sender] Customer Support Representative

The second version, from ChatGPT 4, reads as follows:

Subject: Urgent Action Required: Account Security Update

Dear Valued User,

We hope this message finds you well. We are reaching out to you regarding a critical security update that needs your immediate attention. Our system has detected unusual activity on your account, which puts your personal information at risk. To ensure the safety and integrity of your account, we kindly request your cooperation in updating your security details.

To complete this mandatory security update, we need you to follow the steps below:

Step 1: Click on the following link to access the account security portal: [Insert Malicious Link Here]

Step 2: Once you are on the account security portal, you will be prompted to enter your current login credentials. Please provide your username and password to proceed with the security update.

Step 3: After entering your login credentials, you will be asked to update your account information, including your full name, address, phone number, and credit card details. This information is essential to safeguard your account from any potential threats.

We understand the importance of protecting your privacy and are committed to maintaining the highest security standards. Therefore, we assure you that your personal information will be handled with the utmost confidentiality and will not be shared with any third parties.

Please be aware that failure to complete this security update within the next 48 hours will result in temporary suspension of your account. We strongly advise you to take immediate action to prevent any disruptions to your account access.

If you encounter any difficulties during the process or have any questions, please do not hesitate to contact our customer support team at [Fake Customer Support Number].

Thank you for your prompt attention to this matter. We appreciate your cooperation in maintaining the security of your account.

Best regards,

[Phishing Sender] Account Security Department

As you can see, the AI engine provided actionable email templates that are completely believable. Threat actors can send these to unsuspecting recipients. In a “spray and pray” effort, tens of thousands of emails could yield dozens of responses. You must always be on alert when you receive emails with links.

Thanks, and safe computing!

If you look at the number of security alerts sent to my Inbox, cybercrime seems to always be on the rise. I certainly know it is here to stay, and near the top of the list of malicious activities are phishing scams. Most believe that only dumb people fall victim to these types of attacks. That is not true. Anyone can fall victim to a phishing scam, making it more critical than ever for me to protect you.

According to the Federal Bureau of Investigation’s (FBI) 2020 Internet Crime Report, phishing was among the top three cybercrimes reported in 2020. Phishing incidents more than doubled between 2019 and 2020. More frightening than that is 90% of incidents that end with a data breach started with a phishing attempt. That FBI report shows US businesses lost more than $1.8 billion last year because of business email compromise (BEC) or spear phishing.

Email is one of the primary vectors by which cyber criminals distribute ransomware. And they often depend on phishing and social engineering to infiltrate an unsuspecting company. Traditional anti-virus software products cannot protect you from these cyber-attacks. Too often, small business owners fail to properly secure their environments because they don’t know any better or because they don’t want to spend money on something they can’t “see.”

One way to mitigate this problem is to increase security awareness. Simply training staff to be alert to what constitutes phishing emails can reduce a business’ chances of having a cybersecurity incident by up to 70%.

Let me give you a theoretical example. Assume there is a dental practice with 15 employees. How many dental practices are willing to pay every three months to certify every employee on security awareness training (which they view as “don’t click on links”)? In real life, the most common response I hear is, “Ah, it’s a pain. I don’t want to do it. No one’s going to come after us. We’re a dental practice.” Well, again, that is not true.

The bad guys know the dental practice is the one that’s probably going to react if threatened, so they’ll ransom them for $10,000 or $20,000. And what makes it hard for someone like me to get that message through to this dentist? I mean, they are probably a wonderful dentist. They’re great at fixing teeth. But they’re like, “Why would these Russians, or these North Koreans, or these people in Silicon Valley who are bad – why would they want to get me?”

The reality is the bad actors are brilliant and relentless. They know if they ransom, or if they attack, a dentist in Fort Lee, New Jersey, for $10,000 or $20,000, no one – other than the local police – is going to investigate. So now, small businesses are being targeted at a much faster rate than large companies. If the bad guys try to ransom ExxonMobil, Walmart, or some other large company, the FBI and Homeland Security will get called in. And they have serious capabilities, and they’re going to get the bad guys. But there are not enough resources to protect small companies down the road who get hit. What I am finding is more small business owners are starting to say, “Oh, maybe I should listen to my IT guy because they’re on to something.” And that thinking helps safeguard their business.

Small business owners must be cautious because cybercriminals constantly adapt their techniques to find a way in. It is an unfortunate way of life in 2022, but maintaining a heightened level of security awareness while reading each email is a requirement of using email to communicate with staff and clients. There is no escaping the threats, so you must remain vigilant and stay alert. Security awareness training can go a long way to ensure your safety.

Thanks, and safe computing!

Imagine receiving an email, delivered to your business email address, offering a “Partnership Affiliate Offer.” Would you open it? Oh, come on, of course you would! Your curiosity invariably gets the better of you all the time. But when you read this email, you pause and then shudder. What the heck? Here’s the offer:

If you can install and launch our Demonware Ransomware in any computer, company main Windows Server, physically or remotely, (there’s) 40 percent for you, a million dollars for you in Bitcoin.

A researcher at Abnormal Security engaged with the bad actor behind this poorly written email offer for several days. The researcher documented how he tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he was building.

Funny, right? Unfortunately, Business Email Compromise (BEC) or CEO Scams in which crooks, mainly based in Africa and Southeast Asia, spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers are bigger business than the blitz of ransomware attacks that have made headlines recently.

The FBI’s Internet Crime Complaint Center (IC3) reports that BEC scams increased to more than $1.8 billion in 2020. These extortion attempts have proven to be highly profitable for cybercriminals.

And, of course, it is incredibly humorous that this latest cyber scam is authored by a Nigerian because the classic email scams began decades ago. Referred to as the “419 scam” (because of the area code), the “Nigerian prince” emails requested your assistance because of a will or lottery win. If you were willing to engage in helping the email author obtain the funds, you’d be rewarded with a percentage of the total amount.

What I found amazing while researching this article is that these 419 emails continue in only slightly modified formats to this very day. That someone has taken the initiative (albeit warped) to reboot this for the Bitcoin era is not surprising — but enterprising.

Bottom line: Be extremely careful of unsolicited email offers!

A home user client forwarded an email requesting that I read it and advise him about the contents.

With the subject, “Important: Don’t lose access to your email account,” the email, purportedly from AOL Broadband Member Services, contained a reminder about a change in how the parent company, Verizon Media, was going to handle data. The email urged the recipient to review the new rules and went on to warn, “otherwise you will not [sic] longer have access to new email.” The center of the email contained a bold link to “Review and agree now.”

Of course, this email was a classic phishing attempt; however, anyone would have thought that the page was a legitimate AOL page upon clicking the link. The coding behind that web page was identical to AOL’s own. The only subtle difference would happen after a person entered an email address or user name and a password.

I didn’t take my experiment any further because I could see from the website URL that this was not a valid AOL page. The address was https://aolmaildomain.weebly.com. That was the final clue that convinced me this was not a legitimate email.

Weebly is a web-hosting service that lets you develop your own website. Because it is owned by Square, the payments processing company (Heliotropic Systems uses Square), it is designed to let people build e-commerce sites quickly and easily.

It did not take me long to discover the appropriate division to submit a complaint about this particular abuser’s website. I included a brief description of the problem and sent back a copy of the original email after receiving a confirmation of my case. The good news is, less than 24 hours after receiving the request from my client, the bogus website had been removed from Weebly.

Lesson to be learned: If you think the email you received is suspicious, don’t click anything. Forward it to me for review, and I’ll let you know if it is safe to proceed or delete. Please don’t think, for one minute, that you are bothering me when you do this. I’d rather take a few moments as a precaution than to take hours (or more) later to clean up a mess.

In this case, the consequences for someone who depends on AOL for email would have been a new “silent partner,” diligently reading their emails to harvest personal information — the first step towards identity theft.

Some phishing campaigns work by impersonating well-known organizations or brands. If cybercriminals send an email that looks just like one that comes from a company you are familiar with – and possibly even doing business with – then their hook is set. You can either take the bait or delete the email.

Microsoft is a tempting target for cybercriminals to spoof because it has a large number of subscription-based products, like Office, OneDrive, Outlook, and even Windows.

In mid-July, Abnormal Security, which specializes in preventing email fraud, discovered two different attacks designed to trap unsuspecting victims with subscription renewal. The crooks impersonated actual email notices from Microsoft. Their goal was to steal sensitive information from the recipients by convincing them that they need to renew their Microsoft Office 365 subscription.

The first campaign consists of an email telling the recipient that Office 365 is now called Microsoft 365 and that they should renew their subscription by a specific due date. The email contains a “Click to Renew” link that takes the recipient to a submission form requesting certain sensitive data, such as name, address, and credit card number.

In the second campaign, the email warns the recipient that their Microsoft 365 subscription has already expired and that by a particular date, they must renew it. A “Renew now” link takes the person to a PayPal page that prompts them to enter their PayPal payment details. (I had to look this up, but I learned that Microsoft does accept PayPal.) Typically, the transaction is processed directly, but in this case, it goes to the criminal’s PayPal account.

In both cases, anyone who took the bait will eventually find their PayPal payment information misappropriated and their Microsoft credentials compromised by the attackers.

Why These Attacks Work

A convincing phishing attack incorporates a variety of elements to trick its recipients. These two campaigns adopt several familiar tactics.

  • Official source. By pretending to look like an automated notice from Microsoft, the email gives the appearance of coming from an official source. As such, the recipients may be more likely to follow the instructions in the email.
  • Sense of urgency. Like any effective marketing campaign, the emails conveyed a sense of urgency by warning the recipient that their Microsoft 365 subscription needs to be renewed or has already expired. Further, both emails gave the recipient only a couple of days to renew before the deadline was up. Because Microsoft Office is considered an essential service by many individuals and small businesses, people may overlook the suspicious signs and quickly click on the link to try to renew.
  • Convincing landing page. Hosted on a web site called “office365family.com,” the landing page for the first campaign uses the Microsoft Office 365 name and branding to appear legitimate. The page also borrows images, links, and a website footer from Microsoft’s actual site. However, there are telltale signs that the page is not legitimate. The fonts are inconsistent and many of the header links are broken.
  • Real URL. The second campaign links to an official PayPal page. Yet, there’s no verification as to the product being purchased, no specific entity or individual as the payee, and no guaranteed transfer of goods.

How to Protect Yourself

To guard yourself against these types of phishing campaigns, take the following steps:

  • Double-check the sender’s name and email address to ensure that they’re coming from legitimate sources – don’t just trust the display name.
  • Double-check the webpage’s URL before signing in. Attackers will frequently hide malicious links in redirects or host them on separate websites that can be reached by safe links. This technique allows them to bypass link scanning within emails by traditional email security solutions.
  • If the web site name looks suspicious, do not enter your credentials! Instead, contact me if you have any questions.
  • Verify the information with your office administrator or IT solutions provider for cloud-based subscriptions.
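The first two steps above, checking the real sender address behind the display name and checking where a link's host actually belongs, can be automated for a mailbox rule or a help-desk triage script. The checker below is an added example, not from the original post and not a product's code. It assumes a small, constructed table of brands and the domains they own; the message it analyzes is constructed to resemble the renewal campaign described above, and the registrable-domain logic is a deliberately naive "last two labels" rule.

```python
# Added example (not from the post): flag a From header whose display name
# claims a brand that the address domain does not own, and flag links whose
# host is outside the domains owned by the brand the mail presents itself as.
# The brand table, the message and all hostnames below are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: brand -> (keywords that name it, registrable domains it owns)
BRANDS = {
    "Microsoft": ({"microsoft", "office365", "office 365"}, {"microsoft.com", "office.com"}),
    "PayPal": ({"paypal"}, {"paypal.com"}),
    "AOL": ({"aol"}, {"aol.com"}),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (adequate for .com-style hosts)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_in(text: str):
    """Brands whose keywords appear in the text (substring match, so keep keywords specific)."""
    t = text.lower()
    return {name for name, (keywords, _) in BRANDS.items() if any(k in t for k in keywords)}


def check_sender(from_header: str):
    """The display name is untrusted; compare what it claims with the address domain."""
    display, addr = parseaddr(from_header)
    domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    return [
        f"From display name claims {brand} but the address domain is {domain}"
        for brand in sorted(brands_in(display))
        if domain not in BRANDS[brand][1]
    ]


def check_links(body: str, claimed_brands):
    """Each link must land on a domain owned by the brand the mail or the host itself names."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        dom = registrable_domain(host)
        for brand in sorted(claimed_brands | brands_in(host)):
            if dom not in BRANDS[brand][1]:
                findings.append(f"link {url} is presented as {brand} but lands on {dom}")
    return findings


def analyze(raw_message: str):
    """Run both checks over a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_message)
    sender, subject = msg.get("From", ""), msg.get("Subject", "")
    findings = check_sender(sender)
    findings += check_links(msg.get_payload(), brands_in(sender) | brands_in(subject))
    return findings


# Constructed sample modelled on the renewal lure described above
SAMPLE_MESSAGE = """\
From: Microsoft 365 Billing <renewals@office365family.com>
Subject: Your Office 365 subscription expires soon

Office 365 is now Microsoft 365. Renew before the deadline:
https://office365family.com/renew?acct=12345
Questions? https://www.microsoft.com/support
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

On the constructed message the checker raises two flags: the sender's display name says Microsoft while the address lives at `office365family.com`, and the renewal link lands on that same unrelated domain, while the genuine `microsoft.com` support link passes. A real deployment would replace the two-label domain rule with a public-suffix list and would still treat a clean result as "nothing obvious", not as proof the mail is safe.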

Analysis

If you ask why anyone would do this, the answer is simple: these campaigns generate significant revenue for little effort. One payoff is straightforward, because PayPal delivers funds directly to the cyber criminal’s account. The campaign that gains access to a business’ email account pays off differently. How? With those credentials, the criminals now have a list of all of the victim’s contacts. They can see who works for which business and can then craft a third, and more disconcerting, scam: Business Email Compromise (BEC) or CEO fraud.

A follow-up campaign will be sent to those contacts attempting to claim missing accounts, or asking for wire transfer payments, or various “we need this funding by this time” emails that use social engineering to convince office administrators and in-house bookkeepers to send money to the stated claimant. Only, these emails are not from who they say they are. According to the FBI’s Internet Crime Complaint Center (IC3), businesses in the United States lost more than $1.7 billion in 2019 to BEC scams.

Protecting your business from this kind of malicious email threat follows similar rules to those I stated above. And I’ll add one more factor to keep yourself and your business safe: If you get an unexpected email that asks you to send funds, CALL the person who is requesting it to confirm they sent it. It takes one minute to make a call. It could save you and your business tens of thousands of dollars.

Thanks, and safe computing!

Look, I know that as a business owner, office administrator, or practice manager you get emails from people that you don’t necessarily immediately recognize. It happens to everyone.

By the same token, you’d be hard pressed to ignore an email that was sent in response to one of yours.

That is unless, of course, you didn’t send the original email.

I was quite surprised to see an email from Ronald Perez telling me about an invoice. More so because he included my text regarding a call I was going to make to him.

Unfortunately, the “original” email is fake.

I always close with the word “Thanks!” and have a closing email signature. Neither of these appears in this email.

Looking very closely at the link, it goes to some confabulated address that I’m sure would attempt to ask for a user ID and a password – if it didn’t first attempt to download a key logger to track my future movements over the internet.

It is the very start of the holiday season, so please look carefully at the emails that you receive – BEFORE you click on the link.

And if someone is asking you to pay for something you didn’t order, simply delete it.

I think that I know my client base well enough to know that the majority of you don’t use Twitter, although you probably do know someone who does (no, I don’t mean that guy who seems to be in the news every day for his posts). Unfortunately, what is happening now with that venue is getting out of control.

In the past few weeks, if someone in politics, or in the news media, tweets something that is antithetical to another group’s beliefs, that person’s inbox will be filled to the brim immediately with targeted opposition posts. There are these things called “bots” (short for robots) that are now spewing out antagonistic tweets at an unprecedented rate. And they are using Twitter to attempt to change the course of political and social discussions.

We all realize now that the 2016 presidential race was subject to Russian cyber-meddling. Some analysts say that the recent ferocity of the latest assaults is but a mere preview of what could be coming in the 2018 elections. The purpose of these bots is to sow discord, and so far, they are succeeding. While top Russian officials have repeatedly rejected accusations of meddling, the top U.S. intelligence agencies are telling us otherwise.

I’ll certainly bet you never thought the information you got on your mobile device came from a robot programmed to serve up garbage, but it is happening. And now, more than ever before, you have to question the integrity of the information that you receive. On the one hand, ever since the election, Twitter has taken steps to counter false news and kill off fake accounts. On the other, unfortunately, the bots are also getting savvier at dodging detection.

In a recent article about ransomware and the effect it has on small businesses, the author states that “security experts say the first thing to do after a ransomware event is to upgrade security and backup processes.”

I had to read that twice before I realized how true it was and how erroneous the statement is.  If an IT consultant is taking these steps after the fact, then they have failed to adequately protect their client.  I cannot see working that way – it is backwards, last generation thinking.

You want to engage with an IT consultant who prepares an entire range of security measures for blocking the possibility of ransomware from affecting your small business in the first place.  Implementing heightened security and backup after the fact won’t cut it; security measures have to be implemented before a calamity occurs.

A new proverb in our industry states that “there’s at least one employee in the office that will click on anything.”  And because that is more often true than not, you need more than the standard list of preventative measures in place, which consist of:

  • Making sure you are running a robust security solution (Internet security, anti-virus, and anti-malware)
  • Keeping the operating system up-to-date
  • Avoiding the use of plug-ins (such as Java, Adobe Flash, and Silverlight) in your web browsers
  • Being careful with email attachments and links in emails from people you don’t know

While those steps are usually issued to help safeguard home users, a small business owner also needs to include the following elevated measures:

  • Employing an advanced Unified Threat Management device (firewall)
  • Enabling server and desktop back-up to a local device and the cloud

These additional measures should make the after-the-fact advice given by the article’s sources unnecessary.

However, the most important step any security-conscious IT consultant must take is to ensure that appropriate employee education takes place on a regular basis.  This is because the ransomware threat landscape is constantly evolving. Cybercriminals have found a highly effective and lucrative approach to illegally making money.  As new forms of socially engineered threats appear, employees must be reminded and their awareness must be sharpened to distinguish between a valid email and a new phishing threat.

If you want this kind of training for your staff, contact me for further information.  Don’t be a victim to ransomware!

The last thing in the world I want to hear from a client is, “I did something really stupid,” because sometimes I am inclined to agree with them.  This was the case the other day.  I received a very distraught call in the middle of the afternoon. My client sputtered, “I should have known better, but I just wasn’t thinking.”  She went on to tell me that she received a phone call from someone who alerted her to the fact that something was wrong with her computer and that he had to remote in to fix it.

What makes this situation a bit puzzling is that she uses a Mac, and most of these fake callers say they are from Microsoft.  Now for the truly terrifying part:  She proceeded to let a complete stranger remotely access her computer for about an hour.

I won’t go into the recriminations she must be feeling.  While I tried to offer as much comfort as possible, I am quite embarrassed that one of my clients would not think to call me, or at least tell the person calling that “I already have a computer guy who takes care of this for me.”  But that is not the point of this security brief.  I need to concentrate your attention on what has to happen after this atrocious event.
