In the last article, I warned you that we shouldn’t think that identity theft is always “high-tech”, because it can happen to anyone, even if they don’t have a computer, don’t make use of social media or don’t even own a cell-phone.

In this article I will concentrate on the “high-tech” methods of identity theft. The identity thief’s goal is always to obtain personal information about you, such as your ID Number, your bank or credit card account numbers, information contained in your credit report, or the existence and size of your savings and investment portfolios so they can use it for their own financial advantage.

The identity thief then contacts your financial institution pretending to be you, or someone with authorized access to your account. (You have given the thief the information needed to do this.) The thief may, for example, claim that they have forgotten their chequebook and need information about their account…

Credit/Debit Card Theft – Many people believe credit card fraud and identity theft are the same. In reality, they are different crimes. The main difference is that credit card fraud typically involves a single credit account, whereas if someone steals your identity, the potential damage to your credit history can be much greater, because they can open numerous lines of credit in your name. Credit card fraud typically occurs when someone steals your credit card information and uses it to make unauthorized purchases. This can be done by stealing your purse or wallet or, if the criminal works at a retail store or in a restaurant, by simply copying your credit card information during a transaction.

Pretexting – If you receive a phone call from someone claiming to be from a reputable research firm, asking you to participate in a survey with seemingly harmless questions like the name of your cellphone provider, your bank, and even your preferred shopping centre, this is probably a pretexting scam. Pretexting is the practice of obtaining your personal information, such as telephone records, bank or credit card numbers, or any other information, under false pretenses. A pretexter pretends to be someone else to obtain your personal information: they claim to be from a survey firm and ask you a few questions. Sometimes they will claim to be representatives of other types of organizations – not just survey firms – such as banks, SARS, insurance companies and ISPs.

Skimming – Identity thieves place small machines, or skimmers, in the card slots of ATMs in order to steal credit and debit card numbers and PIN codes from their unsuspecting victims. This has also been reported at some petrol stations where you can pay at the pump. It is not easy to look at a card reader and see that it has been altered in some way before you insert your debit or credit card, as some skimmers are so advanced that they are virtually undetectable. In some cases, a skimmer may remain in place for months at a time, unnoticed by employees of the “host” store, and it could take months before victims realize that an identity thief has stolen their card number and PIN. Most victims only find out after the thief starts making illegitimate purchases or withdrawals from their accounts, often to the tune of thousands of rands.

Man-in-the-middle attacks – Smartphones and tablets have become a major point of access to the internet. There are many WiFi networks that people can connect to from almost anywhere (like public libraries, airports, shopping malls and government or municipal facilities), but these open a massive “port of entry” for hackers. This has led to an increase in “Man-In-The-Middle” attacks. A Man-In-The-Middle attack, also known by the acronym MITM, happens when a communication between two parties is intercepted by an outside entity. The perpetrator either eavesdrops on the communication or impersonates one of the two parties, making it appear to be a regular exchange of data. A MITM attack targets users of enterprise email accounts, financial applications and e-commerce websites in order to steal account details, credentials, bank account or credit card numbers, and to monitor password changes.

Phishing – The Internet scam known as “phishing” (the “ph” substitution distinguishes the activity from real “fishing”, but the activity is intrinsically the same) is a spam e-mail message containing a link to what appears to be the website of a legitimate business, such as your bank, but is actually a fake website. The e-mail often states that you must update your account information through a bogus link to the phisher’s website, and the user unknowingly gives out personal information to the fake website.

Pharming – A relatively new Internet scam is “pharming”. Using a virus or malware, the victim’s Internet browser is hijacked without their knowledge. If the address of a legitimate website is typed into the address bar of the browser, the virus redirects the victim’s browser to a fake site. All identifying information, such as bank passwords and credit card numbers, is collected by the scammers, who steal the user’s identity.

Vishing – This is similar to “phishing”, which uses e-mail; however, “vishing” scams use new telephone technology to trick targets into divulging personal information such as credit card, bank account and social security numbers. Typically, “vishing” targets receive a phone call from what appears to be a legitimate business, such as their bank or credit card issuer, and are informed that their account has been compromised. The “visher” usually requests that the target enter their account or credit card number, or even their social security number, to “secure” their account, thereby compromising the victim’s identity.

SMiShing (SMS phishing) – This form of “phishing” specifically targets smartphones. As its name implies, smishing comes from “SMS phishing”: it uses the scammers’ old favourite, phishing, to send out messages that entice the intended victims to click a link that actually downloads malicious software or a virus onto the smartphone. A smishing attack goes after the smartphone via text message, and usually starts when a message is received from an unknown number that offers some sort of incentive. It might be telling you about a free offer, a coupon or something wrong with your account, or, even more likely, it might claim that “your friend” has sent you a “greeting card” or message. Unlike viruses of the “old days” that sought to lock up your computer or disable your files, smishing attacks remain hidden and continue to feed information back to the smisher. Information like contact lists, email address books and passwords is sent to the scammers.

Spear-phishing – Our last method is spear phishing. That term is used because the scammer is targeting you specifically instead of just sending out random “shot in the dark” emails that someone will hopefully fall for. Spear-phishing is very successful (especially within environments like the university) because scammers pay attention to your internet activity and send you requests that look like the real thing, claiming to be from entities within the environment that you actually deal with. Scammers can pull off spear phishing attempts based on the information that you share about yourself, as well as other bad habits like using the same password for multiple websites. As soon as you post updates to social media, especially about accounts, people you interact with, purchases you’ve made, and more, you’re handing over vital information that a scammer can use to target you.

How to protect yourself from Identity Theft:

  • Don’t give out your personal information on the phone, via email or snail mail unless you’ve initiated the contact, or unless you are sure it’s safe. And don’t feel guilty about saying No.
  • Never use your pet’s name (or children’s name) or a nickname as a password.
  • Ask your financial companies about their policies for preventing identity theft.
  • Be VERY careful about answering surveys — and certainly don’t give out any personal information to anyone who calls on the phone or asks via email. If you do answer survey questions, use common sense and don’t give out any information that could be sold or used by identity thieves. In other words “control” the information that you give out.
  • Tell your colleagues, family and friends about the dangers of identity theft. Awareness and sensitization empowers even the most “non-technical” person.

In the next article I will be providing a bit of information about social engineering.

Keep safe out there,

David Wiles

Identity Theft takes place whenever a criminal gets hold of a piece of your information, and then uses that information for their own personal gain.

While a lost or stolen wallet, purse or cellphone may simply mean the loss of your cash and credit cards, it may also be the beginning of an identity theft case. The return of the item does not guarantee that cards were not copied, or that your personal information was not used to commit identity theft.

In the previous article I pointed out 5 areas in your world where identity theft could take place that were actually rather low-tech.

  • Old-fashioned letters (including junk-mail)
  • The trash can
  • Flash disks
  • Your drivers license or ID Document
  • Household paperwork.

Don’t think that identity theft is always “high-tech”. It can happen to anyone, even if they don’t have a computer, don’t make use of social media or don’t own a cell-phone!

Dumpster diving – literally digging through your trash – remains a popular method for stealing large amounts of your personal information. South Africans receive over 1.2 million tons of junk mail every year, and much of this mail – such as pre-approved credit cards, credit card bills and bank statements – includes your personal information. Dumpster-diving identity thieves root through your trash because they know the documents you discard as garbage contain personal identity information that can be used in a variety of illegal ways, like employment-related fraud, loan fraud, bank fraud, benefits fraud and tax fraud.

Mail Theft – Mail theft is the number 1 white collar crime in the USA today. Mail theft is a crime and is defined as anyone taking any piece of mail, be it a letter or a package, for any purpose. This includes stealing from post office workers, from private mail boxes, from collection boxes and even from mail trucks. One of the main motivators in mail theft is to steal that person’s identity and gain access to their private information, including bank accounts and credit cards.

Social Engineering – Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to trick you into giving them your passwords or bank information. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is to try hacking their password. That is why phishing is so successful: often victims willingly give their personal information to the scammers, as they feel they can trust the person asking for the information.

Shoulder-surfing – Shoulder surfing occurs when someone watches over your shoulder to steal valuable information such as your password, ATM PIN, or credit card number, as you key it into a device such as an ATM or tablet. When the shoulder-surfer uses your information for his financial gain, the activity becomes identity theft.

Theft of personal items – When a personal item like a handbag, a wallet or purse, a cellphone or a laptop is stolen, all the information in that item can potentially be used for identity theft. The value of the stolen item is often not much, and replacement is more of an inconvenience to many of us; however, your personal information can never be recovered, and is intrinsically more valuable than the item that was stolen!

What can you do to minimize “low-tech” identity theft?

  • Never give out personal or financial information over the phone or in an email.
  • Password-protect your cellphone.
  • Shred credit card receipts, junk mail, and other such documents with sensitive personal or financial information.
  • Be aware of your surroundings at all times.
  • Tilt your cellphone screen away from the person next to you, and stop working in crowded airplanes, trains, airports, cafes, hotel lobbies and other public spaces.
  • Work with your back to a wall preventing others from getting behind you and looking over your shoulder.

Next time we will look at the modus operandi of high-tech identity thieves.

Keep safe out there,

David Wiles

In the last article I provided you with a few tips on how to create strong passwords, in order to make the hacker’s job of accessing your personal data harder; in other words, “How do scammers get your information?”.

But where do scammers get your information?

The graphic below depicts the world where most of us find ourselves, and where scammers might obtain important snippets of our personal data that, in many cases, is there for the taking:

Your personal information is in places beyond your control!

The cellphone has become an indispensable communications tool in the 21st century. According to the Pew Research Centre, South Africa is placed 24th on the world list, with smartphone usage at 37% of the total population. However, according to a recent global survey by McAfee and One Poll, 36% of those smartphone users have no form of password, PIN or fingerprint protection on their devices. This means that if their phone falls into the wrong hands, they risk opening up all sorts of personal information, such as bank details and online logins, to whoever finds or steals the smartphone.

How much of your personal information have you placed out there on the internet?

  • Over 30% of South African Internet users share at least 3 pieces of personal information posted on their social media profiles that can make stealing their identity easy.
  • 60% of South African Internet users have revealed they had no idea what their privacy settings are and who could see their personal information on those sites.

Old-style junk mail, invoices, receipts and ordinary letters can still provide scammers with a wealth of information. Dumpster-diving can reveal documents with your ID Number, old bank statements with your account details, old credit cards, unwanted junk mail, payslips and tax forms. Even old prescriptions and medical aid claims can provide scammers with a wealth of personal information.

The modern equivalent of a filing cabinet, a flash disk poses a huge risk to the security of your personal data. Flash disks are small and cheap and can often be forgotten plugged into computers, fall out of pockets and be stolen, providing scammers with all the data stored on that device.

Your bank, your employers and SARS all store and work with your personal information. You have placed a tremendous amount of trust in these organizations to keep your personal data safe. How many people at your bank, for instance, have access to your personal data, and who can they potentially give that data to?

Your driver’s license has a lot of information on it, including fingerprints, date of birth and ID number. The new style “smart” licenses will hold even more information, and if the license gets into the wrong hands it can be used for identity theft. For instance, in order to open a cellphone contract, you would need an ID document or driver’s license, bank account details and proof of address, almost all of which can be obtained by dumpster-diving or by someone rifling through your paperwork.

Finally your computer (at work or at home) or your laptop holds a huge amount of your personal information. If stolen, the hard-drives can easily be trawled for personal information. If there is no password or a weak password on the laptop it makes stealing this information so much easier!

…This is your world!

  • Since 2007, more money has been made from trafficking financial data acquired by identity theft than from drug trafficking.
  • 8.8 million South Africans were victims of identity theft in 2015.
  • 1 in 3 South Africans do not have a password on their cellphones or computer.
  • 70% of South Africans change their passwords after being compromised. (So 30% of South Africans don’t do anything even after they have been compromised.)
  • 1 in 3 South Africans admit sharing passwords with other people.

There are 4 areas where we all neglect the security of our personal information:

  1. Indifference – Lack of Feeling
  2. Ignorance – Lack of Knowledge
  3. Inability – Lack of Training or Education
  4. Inaction – Lack of Respect

During a recent information session I was asked to suggest to people what they could do to improve their personal data security and to prevent identity theft:

When someone comes and knocks on your front door, do you just open the door and let them in? No, you check who it is and then you decide if you want to open your door to them or not. The power of access is in your hands because you control the door!

The same principle applies to your personal data. Be careful and vigilant and be the gatekeeper of your personal data! Control what data is given out and who receives it. You have the control!

Next time we will look at the modus operandi of identity thieves.

Keep safe out there,

David Wiles

Earlier this week I pointed out that most people still underestimate the importance of having a secure password, and still make the mistake of using simple words and numbers as a password.

Keep in mind that your e-mail and social network accounts contain very personal information about you. You must have a strong password to keep your personal life personal, and not become a victim of identity theft. (In 2015, 1 out of every 6 South Africans were victims of identity theft)

  • Using e-mail or your profile on Facebook, Whatsapp or Google, hackers can, and do, extract a huge amount of personal data about your personal “online” life.
  • If you use the same password for multiple online accounts, you run the risk, if this password is hacked, of all your online accounts being compromised.
  • Using a personal name for an online account, the name of the city that you live in, the names of your children or your date of birth, give hackers vital clues for attempting to access your personal data.
  • For an average expert hacker, it is always easy to find passwords that are made up of words from the English vocabulary or other languages, using a basic technique called “brute force” or “dictionary” attacks.

What makes a password safe?

  1. A password that is at least 8 characters long.
  2. The password does not contain information that is easy to find online such as the date of birth, the telephone number, your spouse’s name, the name of a pet, or a child’s name.
  3. The password does not contain words found in the dictionary.
  4. The password contains special characters like @ # $ % ^ &, and numbers.
  5. The password uses a combination of uppercase and lowercase letters.

A trick that the experts use to create secure passwords:

Think of a phrase and use the first letters of the words in the phrase.

  • For example: “In South Africa a barbecue is called a Braai!”
  • Take the first letters of each word and the password that is created is: ISAabicaB!
  • This will be very difficult to guess, but easy to remember.
  • At this point you can decide to make your Google password ISAabicaB!-G, your Facebook password ISAabicaB!-F, your university account password ISAabicaB!-US, and so on.
  • There is already a capital letter and a special character (!), so you just need to add a number to finish off a good password like 9-ISAabicaB!-US (9 could be the month you created the password in – for example)

You will have already made your password a lot more difficult to hack, and it can be a lot of fun to create!
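Here are the five rules and the first-letters trick above in working code, an example added to this post and not something from the original article; the tiny word list and the sample personal details it checks against are constructed for the example.

```python
# Added example: the five "what makes a password safe?" rules and the
# first-letters-of-a-phrase trick from the post, as runnable checks.

# Constructed, deliberately tiny word list for the dictionary rule; a real
# check would use a full dictionary plus a breached-password list.
DICTIONARY_WORDS = {"password", "football", "iloveyou", "letmein",
                    "braai", "summer", "welcome", "qwerty"}
SPECIAL_CHARS = set("!@#$%^&*()-_+=?")


def check_password(password, personal_hints=()):
    """Return {rule_name: passed} for the post's five rules.

    personal_hints: facts that are easy to find online about the user
    (date of birth, phone number, spouse's, pet's or child's name)."""
    lower = password.lower()
    hints = {h.lower() for h in personal_hints if len(h) >= 3}
    return {
        # 1. at least 8 characters long
        "min_8_chars": len(password) >= 8,
        # 2. no personal information that is easy to find online
        "no_personal_info": not any(h in lower for h in hints),
        # 3. no dictionary words (substring match on words of 4+ letters)
        "no_dictionary_word": not any(w in lower for w in DICTIONARY_WORDS
                                      if len(w) >= 4),
        # 4. special characters AND numbers
        "has_special_and_digit": (any(c in SPECIAL_CHARS for c in password)
                                  and any(c.isdigit() for c in password)),
        # 5. a mix of upper and lower case letters
        "mixed_case": (any(c.isupper() for c in password)
                       and any(c.islower() for c in password)),
    }


def is_safe(password, personal_hints=()):
    """True only when all five rules pass."""
    return all(check_password(password, personal_hints).values())


def phrase_to_password(phrase, service_tag=None, number=None):
    """Build a password the way the post describes.

    Take the first letter of every word (keeping its case) and keep any
    trailing punctuation such as '!' as the special character:
        'In South Africa a barbecue is called a Braai!' -> 'ISAabicaB!'
    service_tag appends '-G' / '-F' / '-US'; number prefixes 'N-'."""
    parts = []
    for word in phrase.split():
        parts.append(word[0])
        if len(word) > 1 and word[-1] in SPECIAL_CHARS:
            parts.append(word[-1])
    password = "".join(parts)
    if service_tag:
        password = f"{password}-{service_tag}"
    if number is not None:
        password = f"{number}-{password}"
    return password


if __name__ == "__main__":
    phrase = "In South Africa a barbecue is called a Braai!"
    base = phrase_to_password(phrase)
    final = phrase_to_password(phrase, service_tag="US", number=9)
    # "Fluffy" and "2010" are constructed personal details for the demo.
    for pw in (base, final, "password", "Fluffy2010!"):
        failed = [r for r, ok in check_password(pw, ("Fluffy", "2010")).items()
                  if not ok]
        print(f"{pw!r}: {'safe' if not failed else 'fails ' + ', '.join(failed)}")
```

Note that the bare phrase password fails only rule 4, which is exactly why the post says a number still has to be added.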

Next time, I will show you where hackers get your personal information. Be prepared to be shocked!

Keep safe out there…

David Wiles

Oct 03

The past two years have been particularly devastating for data security world-wide, with a number of well-publicized hacks, data breaches and extortion attempts.

Every year SplashData publishes a list of the most common passwords. The list is created using data from more than five million passwords that were leaked by hackers in 2018, and with a quick glance at the list one thing is clear – we do not learn from our mistakes.

People continue to use easy-to-guess passwords to protect their information. For example, “123456” and “password” retain their top two spots on the list, for the fifth consecutive year, and variations of these two “worst passwords” make up six of the remaining passwords on the list.

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password – 123456.

Here is the list of the top 10 passwords of 2018:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou

Despite this risk, some people think that they are very clever with their passwords:

There is one that is used by a lot of personnel at the university:

1q2w3e4r5t

It looks very cryptic, but when you look at a computer keyboard it is easy to spot: it is simply the number row and the row below it, typed alternately from left to right.

It is a sobering fact that most people still underestimate the importance of having a secure password, and still make the mistake of using simple words and numbers as a password.

“Passwords are the only control you have to secure your data with most systems these days. If your password is easily guessed by someone, then the person essentially becomes you. Use the same password across services and devices, and they can take over your digital identity.” – Shaun Murphy, CEO of SNDR.

In our next post we look at how to create a strong password you can remember…

Keep safe out there…

David Wiles

Aug 21
Filed Under (Editorial, Tips) by David Wiles on 21-08-2018

The FBI have issued a warning about cyber-criminals using Facebook Messenger to trick people into opening malicious links that harvest their personal data, by circulating a message that urges people to open a link.

The message reads ‘Hey I saw this video. Isn’t this you?’ coupled with a URL. Other variations use phrases such as “someone is saying bad things about you” or “someone is spreading rumors about you”.

The most common version of the scam takes the user to a fraudulent website designed to resemble the Facebook login page.

The webpage is forged and controlled by a fraudster, who is able to steal any details entered by users who mistakenly believe they are logging into their Facebook account.

If people use the same email address and password combination on other websites, hackers can use the stolen details to login to those as well.

This can allow criminals access to online banking, or frequent flyer miles.

The best way to spot and avoid these scams is to avoid clicking on any links that you receive from friends or family until you have contacted the sender outside of the app to verify that they really sent the message.

The key to the scam is the seeming familiarity of the sender: a friend, family or relative.

Scammers use two rules of thumb to lure victims.

  • The first is to gain the confidence of their target through the credibility of a friend, authority figure, or organization that the victim is likely to trust.
  • The second rule of thumb scammers use is to create a sense of urgency or threats to get victims to act immediately without stopping to think!
Nov 20
Filed Under (Editorial, Tips) by David Wiles on 20-11-2017

All of us suffer from e-mail overload. Our inboxes fill daily with a clutter of “important” mails, so it is often hard to determine which emails are legitimate, and which are phishing emails that have been designed to steal your personal info or inject malware into your computer.

I am a member of the Identity Theft Resource Center and they often provide me with valuable information and resources to combat phishing scams.

In a recent report they provided some shocking statistics, about the success of phishing attacks worldwide:

  • For instance daily, worldwide, one in every 2000 emails is a phishing email, meaning around 135 million phishing attacks are attempted every day!
  • Many of the phishing attacks try to trick you into clicking a link that takes you to a fake webpage, to fool you into entering personal information – it’s estimated that an average of 1.4 million of these websites are created every month – that is over 46 000 phishing websites created daily, over 1900 every hour!
  • Last week the Identity Theft Resource Center reported a new fake Netflix email about a suspended account. With many South Africans now moving away from satellite and cable subscription movie channels like MNET and DSTV, and subscribing to NetFlix, this poses a risk.
  • There is a new fake Amazon email asking you to verify your account. Just think about this for a moment: it is very easy to purchase books, DVDs and thousands of other goods from Amazon, just at the click of a button (you can even get a parrot to do it!). If phishers can get access to your Amazon account, then they have access to your credit card details!
  • Of course, don’t forget the “classic” PayPal phishing email about unauthorized/suspicious account activity. I make use of PayPal and receive several of these fake phishing mails every month.

According to a Verizon cybersecurity report, an attacker sending out 10 phishing emails has a 90% chance that at least one person will fall for it! Considering the fact that there are a little under 2000 personnel working at Tygerberg Campus, daily there is a chance that at least 20 people will be caught by phishing scams!

Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks extend the fishing analogy as attackers are specifically targeting high-value victims and organizations, like the university. Instead of trying to get banking credentials for ordinary consumers, the attacker may find it more lucrative to target an enterprise like Stellenbosch University.

Spear phishing attacks can be extremely successful because the attackers spend a lot of time crafting information specific to the recipient, such as referencing a pay increase that the recipient may have just received, or sending a malicious attachment whose filename references a topic the recipient is interested in.

What can we do about it?

A good general rule: Don’t give out personal information based on an unsolicited email request.

Learning to recognize and avoid phishing emails and sharing that knowledge with your colleagues, is critical to combating identity theft and data loss.

Here are a few basic tips to recognize and avoid a phishing e-mail:

  • It contains a link. Scammers often pose as the IRS, financial institutions, credit card companies or even tax companies or software providers. They may claim they need you to update your account or ask you to change a password. The email offers a link to a spoofing site that may look similar to the legitimate official website. Do not click on the link. If in doubt, go directly to the legitimate website and access your account.
  • It contains an attachment. Another option for scammers is to include an attachment to the email. This attachment may be infected with malware that can download malicious software onto your computer without your knowledge. If it’s spyware, it can track your keystrokes to obtain information about your passwords, Social Security number, credit cards or other sensitive data. Do not open attachments from sources unknown to you.
  • It’s from a government agency. Scammers attempt to frighten people into opening email links by posing as government agencies. Thieves often try to imitate the IRS and other government agencies.
  • It’s a “suspicious” email from a friend. Scammers also hack email accounts and try to leverage the stolen email addresses. You may receive an email from a “friend” that just doesn’t seem right. It may be missing a subject for the subject line or contain odd requests or language. If it seems off, avoid it and do not click on any links.
  • It has a lookalike URL. The questionable email may try to trick you with the URL. For example, instead of www.irs.gov, it may be a false lookalike such as www.irs.gov.maliciousname.com. You can place your cursor over the text to view a pop-up of the real URL.
  • Use security features. Your browser and email provider generally will have anti-spam and phishing features. Make sure you use all of your security software features.

Opening a phishing email and clicking on the link or attachment is one of the most common ways thieves are able not just to steal your identity or personal information, but also to enter computer networks and create other mischief.
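The “lookalike URL” tip above, turned into a small check that can be run over the visible text of a link and the real address behind it (what hovering reveals). This is an added example, not part of the original post; the trusted-domain list and the sample links are constructed for it.

```python
# Added example: a defender-side check for the "lookalike URL" tip.  It
# compares the text a link shows with the real address behind it, which is
# what hovering over a link reveals in a mail client.
from urllib.parse import urlsplit

# Constructed allowlist for the example; an organisation would list its own
# domains and those of the banks/agencies it expects mail from.
TRUSTED_DOMAINS = {"irs.gov", "example-bank.co.za"}


def hostname_of(text):
    """Lowercase hostname of a URL, or None if the text is not URL-like.
    urlsplit() drops any 'user@' prefix, so a trick such as
    'https://www.irs.gov@evil.test/' correctly yields 'evil.test'."""
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "https://" + text          # bare 'www.irs.gov' style text
    host = urlsplit(text).hostname
    return host.rstrip(".") if host else None


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or a real subdomain of one.
    'www.irs.gov.maliciousname.com' fails: it ends in maliciousname.com,
    not in '.irs.gov'."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(display_text, href, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike', 'display-mismatch' or 'untrusted'."""
    real_host = hostname_of(href)
    if real_host is None:
        return "untrusted"
    if host_is_trusted(real_host, trusted):
        return "trusted"
    # A trusted name buried inside an untrusted host (or a punycode/IDN
    # label, which can be visually confusable) is the classic lookalike.
    if "xn--" in real_host or any(
            d in real_host or d.replace(".", "-") in real_host for d in trusted):
        return "lookalike"
    shown_host = hostname_of(display_text)
    if shown_host and shown_host != real_host and host_is_trusted(shown_host, trusted):
        return "display-mismatch"      # text names a trusted site, link goes elsewhere
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links, including the one quoted in the post.
    samples = [
        ("www.irs.gov", "https://www.irs.gov/refunds"),
        ("www.irs.gov", "http://www.irs.gov.maliciousname.com/login"),
        ("www.irs.gov", "https://www.irs.gov@evil.test/"),
        ("Click here", "https://unrelated.test/offer"),
    ]
    for shown, href in samples:
        print(f"{shown!r} -> {href!r}: {classify_link(shown, href)}")
```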
Aug 17
Filed Under (Editorial, Tips) by David Wiles on 17-08-2017

“Hi. Just writing to let you know my trip to Manila, Philippines with my family has been a mess…I need you to loan me some money. I’ll refund it to you as soon as I arrive home.”

or…

“How are you and your family doing? hope this email find you all in good health and spirit. I am currently in Burkina Faso on vacation but i will return back as soon as possible due to my poor health. I have tried calling you severally but didn’t get through, please can you call me on … as soon as you get this email? I have something urgent i need to talk to you about.”

That is the kind of fake e-mail thousands of university employees get every year. It appears to come from a friend or a colleague, but is actually from a scammer on the other side of the world.

All these scams have the same story: they were out of the country, they’ve been robbed and they need assistance now, or they are ill, or in some sort of trouble and need your help… This trick relies on good-natured people willing to help a friend.

The Stranded Traveler scam is a way to profit from hacking into someone’s webmail account – like Yahoo!Mail, Hotmail or GMail.

This usually happens when somebody has a simple, easily guessable password on their webmail account, or they have left their details on a phishing site.

Once the scammer has gained control of the “mule’s” email account, they log into the webmail account and:

  • Change the webmail password so the real user can’t login.
  • Grab a copy of all the contacts either from the contacts list or individual messages.
  • Filter out non-personal messages to target friends/acquaintances only.
  • Send the ‘stranded traveler’ message out to the contacts and hope for replies with money transfer details.
  • Meantime the real owner of the webmail account is probably unaware there’s a problem until they try to login to their email. Even then, they probably think they’ve forgotten the password rather than being hacked. It’s only when a friend contacts them directly that the scam is revealed – usually far too late.

How to protect yourself: There are various things you can do to prevent being a victim of this scam, either having your webmail hacked or receiving scam emails.

  • Don’t click on attachments in emails from strangers, or in emails that appear to come from someone you know but look suspicious.
  • Have a complex, hard-to-guess password. Dictionary words aren’t enough; use a mix of upper- and lower-case letters plus digits and other characters such as !@#$%^&*.
  • Don’t reveal the password to anyone, and be careful of email messages that pretend to come from the webmail provider. Phishing messages are the most common way that people give away their passwords.
  • If you get an urgent email from a friend, especially one asking for money, check with them using other means. Try to call them, or check with mutual acquaintances to see whether the story is true beyond what you’ve learnt from the email. Failing that, you could reply and ask for some information only the real sender would know (keep in mind that the scammer can read and search the hacked webmail account).
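The “check with them using other means” advice can be turned into a simple triage rule for a mail filter. The following is an added example, not code from this post: it scores a message on the story elements described above (away from home, in trouble, urgency, a request for money or off-channel contact) and flags it for out-of-band verification when they co-occur. The sample text is a constructed copy of the quoted scam mail with a placeholder phone number, and the patterns and weights are assumptions chosen for illustration.

```python
import re

# Constructed sample, modelled on the message quoted at the top of this post
# (placeholder phone number; not a real one).
SAMPLE_MESSAGE = (
    "How are you and your family doing? hope this email find you all in good "
    "health and spirit. I am currently in Burkina Faso on vacation but i will "
    "return back as soon as possible due to my poor health. I have tried calling "
    "you severally but didn't get through, please can you call me on +00 000 0000 "
    "as soon as you get this email? I have something urgent i need to talk to you about."
)

# One signal per element of the story: abroad, in trouble, urgent, money, off-channel contact.
# Patterns and weights are assumptions chosen for this example, not a published rule set.
SIGNALS = {
    "abroad":  (r"\b(currently in|stranded in|on vacation|out of the country|abroad)\b", 2),
    "trouble": (r"\b(robbed|stolen|poor health|ill|hospital|in trouble)\b", 2),
    "urgency": (r"\b(urgent|as soon as|immediately|right away)\b", 1),
    "money":   (r"\b(money|transfer|western union|moneygram|wire|loan)\b", 3),
    "contact": (r"\b(call me|get back to me|contact me|reply to)\b", 1),
}


def score_message(body: str) -> tuple[int, list[str]]:
    """Return the total weight and the names of the signals found, in SIGNALS order."""
    text = body.lower()
    total, hits = 0, []
    for name, (pattern, weight) in SIGNALS.items():
        if re.search(pattern, text):
            total += weight
            hits.append(name)
    return total, hits


def needs_out_of_band_check(body: str, threshold: int = 4) -> bool:
    """Flag a message for verification by phone or another channel.

    A single signal (an 'urgent' work mail) is normal; the scam is the combination
    of being away or in trouble with urgency and a request for contact or money.
    """
    total, hits = score_message(body)
    story = {"abroad", "trouble"} & set(hits)
    return total >= threshold and len(hits) >= 2 and bool(story)
```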

So how do scammers get your email password?

  • Phishing websites: Typically the victim receives a message that appears to have been sent by a known contact or organisation. When the victim clicks an attachment or link in the message, they are directed to a malicious website set up to trick them into divulging personal information, such as usernames and passwords.
  • Trojan programs: Clicking an attachment in an unknown email can trigger your computer to download a “Trojan” program that then allows cyber criminals to see every keystroke you make, including your email password.
  • Password breaker program: Often called a “brute force program”, this is software the bad guys use to try every combination of numbers and letters until they hit on your password.
  • Email addresses used as logins: Think about how many websites you have set up an account on using your email address as your user ID. If you then use the same password for that account that you use for your email, criminals have what they need: your email address and your password.

Aug 07: Filed Under (Editorial, Reviews & Opinions) by David Wiles on 07-08-2017

According to the South African Banking Risk Information Centre (SABRIC), South Africans lose in excess of R2.2bn to internet fraud and phishing attacks annually!

This gives South Africa the embarrassing status of having the third highest number of cybercrime victims worldwide!

South Africa has suffered more cybercrime attacks than any other country in Africa.

Antonio Forzieri, Cyber Security Practise Lead: EMEA at Symantec, is quoted as saying that “one in 214 emails sent in South Africa during 2014 was a spear-phishing attack.”

This morning’s attack on the University of Stellenbosch was a spear-phishing attack. (“spear-phishing” is not a new water sport!)

Phishing emails target a broad group of users in the hope of catching a few victims, but spear-phishing emails are far more focussed.

SPEAR-PHISHING is where the perpetrator targets a specific person or organisation, such as the university. It takes the form of emails addressed to you, ostensibly from within the organisation and using an internal e-mail account. It looks familiar and appears legitimate!

This morning’s attack came in the form of an e-mail disguised as being sent from a trusted source (a known university e-mail address). It tried to fool victims into voluntarily disclosing sensitive information such as usernames and passwords by encouraging them to open a link that took them to a site disguised to look like the university’s webmail login page.

Most spear-phishing emails include a “call to action” as part of their tactics: an effort to push the receiver into opening a link or attachment or else suffer some consequence: “We have detected your mail settings are out of date…Sign in and automatically update your mailbox…”

What was concerning about this morning’s attack was that the perpetrators had registered a South African domain name (which can only be done in South Africa) using a name very similar to Stellenbosch, and including the university’s network acronym, SUN, in the domain name! This was not a random attack. It was focussed and, judging by the number of e-mail addresses it was sent to, was specifically engineered to compromise the university network.
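A look-alike domain of this kind can be caught mechanically before a user ever sees the link. The following is an added example (not the university’s code or any tool it uses): it classifies each link host in a message as trusted, look-alike or other, where “look-alike” means the attacker-chosen part of the name reuses the brand tokens from this post (“stellenbosch”, “sun”). The trusted domain sun.ac.za is an assumption for this example, and the public-suffix handling is simplified to the common South African two-label suffixes.

```python
from urllib.parse import urlparse

# Assumption for this example: the university's real mail domain. Sub-domains are trusted too.
TRUSTED_DOMAINS = {"sun.ac.za"}
# Brand tokens the post says the attackers built into their look-alike domain.
BRAND_TOKENS = ("stellenbosch", "sun")
# Two-label South African suffixes, so "x.co.za" is treated as the registered name "x".
ZA_SUFFIXES = (".co.za", ".ac.za", ".org.za", ".gov.za", ".net.za")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL (scheme added if the link omitted it)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def registered_labels(host: str) -> list[str]:
    """Host labels below the public suffix (the part an attacker actually chose)."""
    labels = host.split(".")
    drop = 2 if host.endswith(ZA_SUFFIXES) else 1
    return labels[:-drop] if len(labels) > drop else labels


def classify_link(url: str) -> tuple[str, list[str]]:
    """Return ('trusted' | 'lookalike' | 'other' | 'invalid', reasons)."""
    host = host_of(url)
    if not host:
        return "invalid", []
    if is_trusted(host):
        return "trusted", []
    reasons = []
    chosen = registered_labels(host)   # also catches "sun.ac.za.evil.example" style hosts
    for token in BRAND_TOKENS:
        # substring match deliberately over-flags (e.g. 'sunrise'); this is a triage list
        if any(token in label for label in chosen):
            reasons.append(f"brand token '{token}' in attacker-chosen part of host")
    if host.endswith(".za"):
        reasons.append("registered under the South African ccTLD")
    verdict = "lookalike" if any(r.startswith("brand token") for r in reasons) else "other"
    return verdict, reasons


def suspicious_links(urls: list[str]) -> dict[str, list[str]]:
    """Map each look-alike URL in a message to the reasons it was flagged."""
    return {u: r for u in urls for v, r in [classify_link(u)] if v == "lookalike"}
```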

What can we do?

  • Prevention always begins with educating all employees about the new reality of spearphishing attacks. By now, everyone should know about the old-style phishing emails, full of typos and promises of unearned millions – they are no longer your main worry. New spear-phishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone that your colleagues trust.
  • Always ask for independent confirmation (such as a phone call or IM) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today.
  • Report anything suspicious. If you accidentally executed anything that you later became suspicious about, you should report it as well. It is important to remove the stigma and embarrassment of being fooled. Anyone, even security experts, can be tricked today, given the sophistication of the attacks.
  • Start to aggressively test employees with fake phishing attempts. These attempts should use phishing email templates that are more sophisticated and less like the phishing attempts of the past.
  • Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, you’ll have your employees questioning any unexpected emails asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education program.
  • Lastly, if a spearphishing attempt is successful in your institution, then use the actual phishing email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons into focus is welcome.

The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.

Aug 07: Filed Under (Editorial, Reviews & Opinions) by David Wiles on 07-08-2017

As if the recent ransomware scares and cleverly disguised phishing scams weren’t enough to keep you up at night, password breaches continue to make news.

Although “online safety” feels more and more like an oxymoron these days, there are still steps you can take to protect yourself when breaches like this occur. It all starts with getting rid of those overly used, poorly designed passwords you know are terrible but you use anyway.

The most secure password in the world is useless if a hacker steals it, but the real problem comes if it is the same password you use for every single log-in.

In other words, it’s essential that you employ a different password everywhere you conduct online affairs.

The well-known data breach repository “Have I Been Pwned” has recently released a database of over 306 million passwords contained in multiple data breaches.

Previously I used the “Have I Been Pwned” website, by entering my work email address to check if one of my accounts had been compromised by hackers in a data breach.

I was shocked to find out that two of my online accounts, one with Adobe and another with vBulletin, had been compromised by a data breach. My username, passwords and other personal information had been obtained and made publicly available by hacker groups.

Embarrassing!

Last week, the process for checking the safety of your passwords was given a helping hand by the creator of the Have I Been Pwned site:

A dedicated Passwords page has been added to the website, allowing users to check a password against a database of 306 million passwords.

The passwords contained in the list were compromised in various data breaches, making them accessible to hackers and other attackers.

While you may be tempted to enter your current passwords into the Have I Been Pwned website, you should never enter current active passwords into any third-party service.

The Passwords page allows you to compare potential new passwords against the database of compromised passwords to determine whether they are safe to use. I found it very useful, giving me the peace of mind that my current method of creating passwords was relatively safe, for now!
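The same check can be done without sending a password to anyone, which addresses the warning above about third-party services: the Have I Been Pwned list is also downloadable as SHA-1 hashes, one per line, so a candidate password can be hashed locally and looked up offline. The following is an added example, not the site’s own code: the two sample hash lines are the SHA-1 digests of the weak strings “password” and “123456” constructed for this example, and the minimum length in the complexity rule is an assumption (the character mix itself is the one recommended earlier on this page).

```python
import hashlib
import re

# Constructed stand-in for a few lines of the downloadable compromised-password list.
# The real download holds SHA-1 hashes, one per line (later releases append ':count');
# the two hashes below are SHA-1 of the well-known weak strings "password" and "123456".
SAMPLE_PWNED_LINES = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8",
    "7C4A8D09CA3762AF61E59520943DC26494F8941B",
    "",  # blank line, as a real file might contain at the end
]


def load_pwned_hashes(lines) -> set[str]:
    """Build a lookup set; accepts both 'HASH' and 'HASH:count' line formats."""
    hashes = set()
    for line in lines:
        line = line.strip()
        if line:
            hashes.add(line.split(":", 1)[0].upper())
    return hashes


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_pwned(password: str, pwned: set[str]) -> bool:
    """Offline check: the candidate is hashed and compared locally, never sent anywhere."""
    return sha1_hex(password) in pwned


def meets_complexity(password: str, min_length: int = 12) -> bool:
    """Upper, lower, digit and other characters, as recommended on this page; min_length is an assumption."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= min_length and all(re.search(c, password) for c in classes)


def vet_candidate(password: str, pwned: set[str]) -> str:
    """Verdict for a *new* candidate password, before it is ever used anywhere."""
    if is_pwned(password, pwned):
        return "reject: appears in a known breach"
    if not meets_complexity(password):
        return "reject: too simple"
    return "acceptable: not in the breach list and meets the character mix"
```

A password that is absent from the list is not thereby strong; the list only rules out candidates that are already known to attackers.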