Tag Archives: ebay

Phishing attacks: 5 simple ways you can protect yourself

As a report from the Anti-Phishing Working Group (APWG) revealed earlier this year, there has been a notable rise in the number of phishing attacks. It’s a widespread problem, posing a huge risk to individuals and organizations (there were, for example, more attacks in Q1 2016 than in any other quarter in history).

Needless to say, it’s something we all need to be aware of, as these types of attacks are not going to go away anytime soon. But worry not, as our Top 5 guide will help keep these criminals at bay.

Before we go into that, here’s a brief overview of what phishing is (for more detail, check out this expert feature). In short, it’s a vector for identity theft where cybercriminals try to get users to hand over personal and sensitive information (without them knowing it). Interestingly, phishing has – in one form or another – been around for years via phone calls and physical letter scams.

Cybercriminals have typically deployed phishing attacks post-breach. This was the case with the Anthem and eBay data breaches, where criminals sent out warnings to users advising them to change their passwords (but directing them to a fake website in an attempt to harvest their details).

However, some information security pros now believe that cybercriminals view phishing attacks as a successful (and easy) way of getting into an enterprise to launch more sophisticated attacks. Humans are, after all, increasingly seen as the weakest link (insider threats are a big problem) and thus the most effective target for criminals looking to infiltrate an enterprise or SME.

Follow the tips below and stay better protected against phishing attacks.

1. Be sensible when it comes to phishing attacks

You can significantly reduce the chance of falling victim to phishing attacks by being sensible and smart while browsing online and checking your emails.

For example, as ESET’s Bruce Burrell advises, never click on links, download files or open attachments in emails (or on social media), even if it appears to be from a known, trusted source.

You should never click on links in an email to a website unless you are absolutely sure that it is authentic. If you have any doubt, you should open a new browser window and type the URL into the address bar.

Be wary of emails asking for confidential information – especially if they ask for personal details or banking information. Legitimate organizations, including and especially your bank, will never request sensitive information via email.

2. Watch out for shortened links

You should pay particularly close attention to shortened links, especially on social media. Cybercriminals often use these – from Bitly and other shortening services – to trick you into thinking you are clicking a legitimate link, when in fact you’re being inadvertently directed to a fake site.

You should always place your mouse over a web link in an email to see whether you are actually being sent to the right website – that is, whether the address shown in the email text matches the one that appears when you mouse over the link.

Cybercriminals may use these ‘fake’ sites to steal the personal details you enter or to carry out a drive-by-download attack, infecting your device with malware.
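The mouse-over check described above, automated as an added example that is not part of the original article: it pulls every link out of an HTML email body, flags links whose visible text names one site while the href points at another, and flags links routed through URL shorteners. The sample mail body and the list of shortener hosts are constructed for the example.

```python
"""Added example (not from the original article): flag links in an HTML email
whose visible text names one site but whose href goes to another, plus links
routed through URL shorteners. The email body below is constructed."""
import re
from urllib.parse import urlparse

# Constructed shortlist of shortener hosts; a real filter would keep its own list.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
# Good enough for simple mail bodies; a production filter would use a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Lowercase hostname of a URL or bare domain, with a leading 'www.' removed."""
    if "://" not in url:
        url = "http://" + url                     # link text such as 'www.ebay.com/help'
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html):
    """Return (href, text, reason) for each link the mouse-over check would catch."""
    findings = []
    for href, raw_text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()   # drop tags inside the anchor
        target = host_of(href)
        if target in SHORTENERS:
            findings.append((href, text, "shortened link hides the real destination"))
        # Compare hosts only when the visible text itself looks like a URL or domain.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append((href, text, f"text shows {shown} but link goes to {target}"))
    return findings


# Constructed sample: a fake password-reset mail of the kind described above.
SAMPLE = """<p>Your eBay password must be reset today.</p>
<a href="http://ebay-secure-login.example/reset">https://www.ebay.com/signin</a>
<a href="http://bit.ly/2abcXYZ">Click here to confirm</a>
<a href="https://www.ebay.com/help">www.ebay.com/help</a>"""
```

Running `suspicious_links(SAMPLE)` reports the first two links and leaves the third alone, because its visible text and its href agree.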

3. Does that email look suspicious? Read it again

Plenty of phishing emails are fairly obvious. They will be punctuated with plenty of typos, words in capitals and exclamation marks. They may also have an impersonal greeting – think of those ‘Dear Customer’ or ‘Dear Sir/Madam’ salutations – or feature implausible and generally surprising content.

Cybercriminals will often make mistakes in these emails … sometimes even intentionally to get past spam filters, improve responses and weed out the ‘smart’ recipients who won’t fall for the con.

Indeed, it has been rumored that China’s infamous PLA Unit 61398 spends time seeing just how many people would open and interact with their worst phishing emails.

4. Be wary of threats and urgent deadlines

Sometimes a reputable company does need you to do something urgently. For example, in 2014, eBay asked its customers to change their passwords quickly after its data breach.

However, this is an exception to the rule; usually, threats and urgency – especially if coming from what claims to be a legitimate company – are a sign of phishing.

Some of these threats may include notices about a fine, or advising you to do something to stop your account from being closed. Ignore the scare tactics and contact the company separately via a known and trusted channel.

5. Browse securely with HTTPS

You should always, where possible, use a secure website (indicated by https:// and a security “lock” icon in the browser’s address bar) to browse, and especially when submitting sensitive information online, such as credit card details.

You should never use public, unsecured Wi-Fi for banking, shopping or entering personal information online (convenience should not trump safety). When in doubt, use your mobile’s 3/4G or LTE connection.

As a slight aside, it should be easier to spot dodgy, unsecure websites – Google, for example, is looking to crack down on this soon by labeling sites that do not offer appropriate protection.

Author, We Live Security



The fixes needed to fight phishing

Even the most optimistic experts accept that the problem will persist, though much progress is being made on technical solutions.

No amount of training, it seems, will stop computer-users clicking on malicious links or opening booby-trapped attachments in fake emails, so a technical solution is needed to defeat phishing — a tactic that still provides the baseline method of network penetration even for the most advanced hackers.

The good news is, there are solutions available. The bad news? None is a golden ticket to ending phishing on its own. But experts say much progress is being made all the same.

“The right answer is defense in depth,” Phil Reitinger told FedScoop.

A cyber veteran who has worked for Microsoft and the Department of Homeland Security, Reitinger is president and CEO of the Global Cyber Alliance, an international non-profit founded by law enforcement and public sector organizations to tackle systemic security issues on the Internet. The group’s top technical priority is combating phishing messages.

By clever use of fraudulent web and email addresses, phishers fool users into entering their login and password details on a fake version of what appears to be a legitimate site. Criminals can then use those stolen credentials on the real site to drain a person’s bank account, clone their phone, install malware, or launch a host of other nefarious activities. The process is now highly automated and scalable and the cash it generates supports a significant proportion of the cybercriminal underworld, according to the Anti-Phishing Working Group.

In spear-phishing, the emails are individually crafted so they appear to come from a target’s colleagues or friends, and carry a piece of malware hidden in an attachment. By downloading such an attachment, the user’s machine — and subsequently, an organization’s network — can be compromised and brought under the hacker’s control.

As seen in a multitude of attacks from the OPM hack to the proliferation of ransomware, hackers can infiltrate an entire network from a single computer by using phishing as a baseline technique.

Training doesn’t work

Trying to train employees to suspect any message they get from a colleague can have hurtful effects on productivity and morale, according to research presented at the 2016 Black Hat security conference by Zinaida Benenson from the University of Erlangen-Nuremberg in Germany.

“People’s work effectiveness may decrease, as they will have to be suspicious of practically every message they receive. This may also seriously hamper social relationships within the organization,” she noted.

[Read FedScoop’s coverage of her research here.]

Reitinger countered, however, that “raising user awareness has a variety of positive effects,” but acknowledged that ultimately it’s not a solution, except to the “low-hanging fruit” of commodity phishing — the easily detectable fake mails claiming to come from eBay or Apple that clog most users’ spam folders.

“There are different technical solutions to the different elements of this problem,” he said.

Containerization or sandboxing is one approach. It works by isolating attachments and allowing users to preview or even print them without loading their full functionality — and so without giving any exploits hidden in them the chance to load and take over the target’s computer.

Other approaches aim at stopping the forgery, or “spoofing,” of email addresses.

DMARC: The cure for spoofing

Because of the way email was designed as an open communications protocol, it’s possible to send email that looks to be coming from an address other than the one it was actually sent by.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, is a protocol companies and other network owners can adopt to prevent spoofing of email addresses from their domain, explained Reitinger. But adoption has proved slow, especially among small and medium-sized enterprises.

“The good news is that several large consumer email providers, like Microsoft and Gmail, have adopted DMARC,” said Craig Spiezle of the Online Trust Alliance, a non-profit that audits online security for large consumer-facing enterprises.

Google, for instance, announced last week that it would start to warn Gmail users when mail came from unauthenticated domains or contained links to known phishing sites.

Together with other protocols, Spiezle said, DMARC protects consumers by filtering out spoofed email — either placing it in the spam folder or not delivering it at all.
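The filtering decision Spiezle describes (spam folder versus not delivered at all) is set by the domain owner in its DMARC record. As an added example that is not part of the original article, the code below parses a DMARC TXT record and reports what a receiver does with a message that fails SPF/DKIM alignment, then lists the gaps in a weak record next to a hardened one. Both records are constructed samples; `example.com` is a placeholder domain.

```python
"""Added example (not from the original article): parse a domain's DMARC TXT
record and report what a DMARC-aware receiver does with a message that fails
SPF/DKIM alignment, i.e. a spoofed one. The records below are constructed."""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def action_for_failure(record, subdomain=False):
    """Disposition of an unaligned message. p= covers the domain, sp= (if present)
    its subdomains; pct= (default 100) is the share of failing mail the policy
    applies to, the rest getting the next more lenient policy (RFC 7489)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no DMARC policy: spoofed mail is delivered as normal"
    policy = tags.get("sp", tags.get("p")) if subdomain else tags.get("p")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor only: spoofed mail delivered, failure reported if rua= is set"
    if policy == "quarantine":
        return f"{pct}% quarantined (spam folder), rest delivered"
    if policy == "reject":
        return f"{pct}% rejected at SMTP time, rest quarantined"
    return "invalid or missing p= tag: treated as no policy"


def weaknesses(record):
    """Gaps a domain owner should close before relying on DMARC to stop spoofing."""
    tags = parse_dmarc(record) or {}
    issues = []
    if tags.get("p") in (None, "none"):
        issues.append("p=none or missing: spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        issues.append("pct below 100: a share of spoofed mail escapes the policy")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so no visibility")
    if tags.get("sp") == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    return issues


# Constructed records: the weak monitor-only form and a hardened form.
WEAK = "v=DMARC1; p=none; pct=50"
STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
```

A `p=none` record like `WEAK` only generates reports and blocks nothing, which is why deployments normally move through `quarantine` to `reject` once the reports show all legitimate senders are aligned.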

[Read FedScoop’s coverage of the Online Trust Alliance’s “Honor Roll” audit here.]

Reitinger noted that there was often a lack of awareness about DMARC and said “ease of deployment” was an issue.

“We are developing an online wizard,” he said, that can walk any user through “a quick deployment of DMARC and give them feedback on how they are doing.”

He said the effort would “supplement and complement” the work of OTA and commercial DMARC services.

“We are working to make DMARC a common best practice, at least for critical infrastructure,” he said.

Blocking malicious URLs

Another approach is to target and block the web pages used by phishers, which often rely on common misspellings of genuine domains — like “appple.com,” for instance. Other domains can quickly be identified as malicious.

Popular browsers all use some kind of blacklist or reputation engine that warns users if they are about to visit a malicious site, said Spiezle, but he added “That protects you against the known bad, but not the unknown bad.”

One solution being promoted by the Global Cyber Alliance, Reitinger said, is a change to the way the Domain Name System, or DNS, is run.

DNS servers, most of which are run by large communications providers, direct Internet traffic by translating the written URL for a website — like Fedscoop.com — into the numeric IP address that actually designates the computer hosting the site.

DNS Response Policy Zones are “a world class means of blocking malicious URLs,” said Reitinger. Essentially, the method allows DNS server owners to incorporate the latest threat intelligence about malicious domains into the software that runs their servers.

“It has an extremely low false positive rate,” Reitinger said, adding that it was “scalable and simple,” and that he hoped it would be widely adopted as soon as this year.

“We hope to have substantial results [on adoption] to report out in November,” he said.
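How a Response Policy Zone turns threat intelligence into resolver behaviour, as an added example that is not part of the original article: a minimal evaluator that loads RPZ-style CNAME rules (including the look-alike domain “appple.com” mentioned earlier) and returns the action a resolver would take for a queried name. The zone fragment is constructed and the precedence logic is simplified to exact match, then closest enclosing wildcard.

```python
"""Added example (not from the article): a minimal evaluator for DNS Response
Policy Zone records, the mechanism described above. It loads RPZ-style CNAME
rules and returns the action a resolver would take for a queried name. The zone
is a constructed sample, not real threat intelligence; precedence is simplified."""

# Constructed RPZ fragment. The owner name is the QNAME trigger; the CNAME
# target encodes the action, following BIND's RPZ conventions.
RPZ_ZONE = """
appple.com            CNAME .               ; NXDOMAIN: look-alike of a real brand
*.appple.com          CNAME .               ; ...and every name under it
ebay-secure.example   CNAME *.              ; NODATA: name exists, no records
*.cdn.example         CNAME rpz-passthru.   ; allow-list: never rewrite these
login.cdn.example     CNAME warn.example.   ; redirect to a warning page instead
"""

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def load_rpz(text):
    """Parse QNAME-trigger CNAME records into a {trigger: action} table."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()            # strip zone-file comments
        if not line:
            continue
        owner, rtype, target = line.split()[:3]
        if rtype.upper() == "CNAME":
            rules[owner.lower()] = ACTIONS.get(target, "REDIRECT " + target.rstrip("."))
    return rules


def rpz_lookup(rules, qname):
    """Policy action for qname: an exact trigger wins, then the closest enclosing
    wildcard; with no match the resolver answers normally (PASSTHRU)."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):                  # try *.b.c before *.c
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return "PASSTHRU"


RULES = load_rpz(RPZ_ZONE)
```

Because the rules live in an ordinary DNS zone, an operator can refresh them with a zone transfer from a threat-intelligence feed without touching resolver software, which is what makes the approach scale.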

No be-all, end-all

Even the most optimistic experts understand that the problem will persist.

“You can’t patch negligence,” said Spiezle. “The precision and complexity” especially of spear-phishing, makes it difficult to defeat.

“The social engineering that’s possible with just access to open-source social media intelligence is pretty hard to stop” even without spoofing, said Kevin Lancaster, CEO of Winvale, a government contractor that provides ID protection services.

Malicious actors can find out when senior executives are off base through their social media check-ins or activity, he said. “Then you don’t need to spoof their [email] address … ‘Hey, Bill. I’m off base and can’t get to my Outlook, so I’m sending this from my personal account.’ … And they download it and that’s it.”

“There are many solutions,” concluded Reitinger, but “The best solution is not to rely on just any one of them.”



iPhone Users Targeted By Text Message Phishing Scam Stealing Apple ID Credentials


A recently discovered scam is allegedly targeting iPhone users in order to get their Apple ID passwords.

The scam lures in users using text messages from someone claiming to be part of the Apple Support team. This was first reported by Independent UK on Wednesday.

The scammer will inform the user that their Apple ID is scheduled to expire on the same day and that they should open the included link to avoid their account’s termination.

The link will redirect the user to a website that looks very legitimate and might not arouse any suspicion.

The website will ask the user to enter their Apple ID username and password.

If users do enter their Apple ID credentials, they will be informed that their account has been locked for supposed security reasons.

The scam doesn’t stop there. If users want to get their accounts unlocked, they are instructed to enter other personal information like their address, credit card details and even their passport information, according to NBC.

This type of scam is what people would call phishing, which is designed to trick users into willingly handing over their personal information.

Tech-savvy users wouldn’t be easily tricked by something like this, but of course there are still those unaware of this type of scam.

However, phishing usually happens in the form of emails rather than texts, so some people might have thought this one was legitimate.

As of now, the scam is only targeting users in the United Kingdom, with no reports yet that it has already reached the United States.

“As a general rule, never send credit card information, account passwords, or extensive personal information in an email unless you verify that the recipient is who they claim to be,” Apple says on its support page regarding phishing.

This general rule is also applicable on other services offered by the likes of Google, PayPal and eBay, as pointed out by Digital Trends.