Technology by Design

Technology news, reviews, and how to keep your technology running fast and smooth!


ALERT: Nepal Earthquake Scam

May 1, 2015 by The T By D Team

CyberCriminals will use anything and everything to try to lure people into becoming victims.

The devastating earthquake that took place in Nepal is no exception.
More than 5,000 people dead and counting.
 
And you can also count on CyberCriminals to exploit the human suffering.

 

CyberCriminals are using the Nepal disaster to lure people into clicking on links, both on Facebook and Twitter.  

They are also sending phishing emails trying to solicit “charitable giving” for the earthquake.

Some Examples:

1.  Facebook pages dedicated to Nepal earthquake victim relief.  

These pages actually contain links to scam websites.

[Image: Nepal Earthquake Facebook scam]

2.  Tweets going out with links they state are for “charitable websites soliciting donations”.

In reality, these links result in your computer being infected with malware.

3.  Phishing emails asking for donations to the Nepal Earthquake Fund.

[Image: phishing email example]

4.  Fake charity website donation pages to trick people into sending them money, thinking they are making charitable donations that will help the people of Nepal.  

One example of a fake donation page is:  www.savenepagl.org.  This is a copy of the website www.actionaid.org.uk, which is a legitimate charity organization currently accepting donations to help the people of Nepal.  (Note:  I have purposely not provided the link to the fake donation page.  I have provided the link for the legitimate charity organization)

[Image: SaveNepal scam]

 Previous disasters have been exploited like this, but CyberCriminals are pulling out all the stops on this one.  
Be very cautious of anything about the Nepal Earthquake in the following weeks.
Please warn your employees, coworkers, friends and family about these scams.

 

If you wish to make a donation for victims of the Nepal Earthquake:

1.  Go to the website of the charity of your choice and make a donation.  Type the address in your browser.  DO NOT CLICK on any links in emails, texts, or tweets you might get.

2.  You can also check out the Canadian Red Cross or American Red Cross.  They can tell you different ways you can donate to the Nepal Region Earthquake Fund.

    **Note:  the Government of Canada will match eligible donations made to the Nepal Region Earthquake Fund through the Canadian Red Cross.

 

You can’t stop CyberCriminals from targeting you.
But you can be prepared for their arrival, and have full shields up.

 

Got Cyber-Bugs?

Call 1-204-800-3166

For Cyber-Extermination!

Filed Under: ALERTS, Featured

3 Reasons Email Scams Still Work

April 27, 2015 by The T By D Team

With the help of movies and other media, our image of the email scam artist has evolved in the past 10 years.

We used to picture some greasy guy, still living in his mother’s basement, with a thirst for dirty money.  

Now, when we think of email scam artists, we think of young 20-something’s (still living in their parents’ basement), doing it just because they can.  

And this image is somewhat correct – for the common con artist.  If you’re lucky, this is the one that has you in their sights, and the product is of some dubious quality.

However, the actual picture of the perpetrators of the mass scams (think Cryptolocker) is quite different.

The CyberCriminals of today that let loose the mass email scams are organized, skilled, and informed.  They use family deaths, holidays, or any other ‘in’, where the potential victim may be more vulnerable.

 

Their goal?  

To separate you from your money, or your information (which eventually lands them money).

These CyberCriminals may be behind phishing emails, pretext calling, and emergency queries, all of which are designed to appear normal, and intend for you to take action on them.  The action is designed to appear ‘simple’ and ‘innocent’,  such as clicking a link, answering a question, or providing access to something.  

The technology that can stop them is just one part of the equation.  Your employees can unravel the most secure technology, with a simple answer, a click of the mouse, or other action.

 

3 Reasons Why Scam Emails and Other Social Engineering Remain a Threat to All Companies:

1.  We Are Helpful By Nature.

One of the most successful social engineering techniques is the “Request for Help”, whether it’s on the phone, in person, or by email.  The person engaging your employee may be posing as another employee, a customer, vendor, or member of the media.  They are asking for assistance.  They always throw in some urgency, for effect.  Whichever method they use to contact your employee, they never allude to, or throw any suspicion on, the harmful effect your employee’s assistance may have on the company.

For example, a person could pose as the Senior Vice President of the company, call the switchboard (or a random employee), and create a situation that elicits a feeling of urgency, a desire to help, and a desire to impress a senior:

“My laptop crashed, and I am operating off my tablet, which isn’t configured for the corporate VPN.  So, I can’t get to my corporate email, but I desperately need to reach out to my team.  Would you be so kind as to forward the employee directory to my personal email?  I need to contact them right now, my meeting with an important client is in an hour.”

What would your employee do?  Would they deflect?  Have you prepared them for the false escalation that would accompany a denial?  Such as demands for their name, their supervisor’s name and contact information to ensure punishment of the employee?

Have you prepared senior management for this situation?  What if this really does happen to them?  What is the protocol?  Do they know it?

 

What if a man shows up at the side door of one of your company buildings?  He’s wearing a jacket with the company logo and, to the casual observer, appears to be an employee heading into the office via the side entrance.  He’s wearing an ID tag that may, or may not be, real.  What he doesn’t have is the building’s PIN codes or an ID with a valid near-field communication capability to get through the card swipe.  He simply adjusts his pace, or loiters, so he may enter behind an employee with legitimate access.  Once inside, he wanders around and collects laptops, smart cards, hard drives, and papers.

How would your employees address someone following them through the door?  Would they hold the door closed, and demand that they swipe their badge or enter their PIN code?  Or would they be polite and hold the door open and go about their daily business?


2.  We Are Curious By Nature.

Curiosity is encouraged from the time we are in diapers.  We are encouraged to ask questions, try new experiences, read new things and stay current.  The social engineering professionals (and yes, they are professionals), attempting to set their technological hook into your company-issued devices and, by extension, the network, are crafting their emails and social networking posts to entice your employees to act, and click.  They use everything from natural disasters, epidemics, economic concerns, elections, tax time, famous deaths, family deaths, or any absurdity, all designed to pique your employees’ curiosity, so that they will take action, and click.

How would you implement a “No-Click Policy”?

3.  We Are Multi-Taskers By Nature.

In this always-connected, always-on world of virtual meetings and engagement, employees may be talking on the phone and scanning their inbox at the same time.  Social engineering pros are counting on your partial attention when they begin to conduct surveillance prior to mounting an attack.  Multiple innocuous queries can be made across the enterprise via pretext calls about bring-your-own-device policies, or accessing social networks via company networks.  In every instance, the information gleaned is the base upon which a scam package is created, which appears to be normal and within company policy to the recipient.

 

How Do You Combat Email Scams and Other Social Engineering?

 1.  If you are using a data loss prevention system, you already know that you have to invest both time and energy to implement a data classification regime, which assists in tuning out the noise or false positives.

2.  You must ensure adherence to the philosophy of least-privileged access (need-to-know).

3.  Include a robust security information and event management process to ensure knowledge of attempts to access information and successful out-of-pattern access to information.

These foundational elements need to be coupled with a comprehensive Security Awareness Program that is provided continuously.

 

You can’t stop CyberCriminals from targeting your company or employees.
But you can be prepared for their arrival, and have full shields up.

 


Filed Under: FAQ, Featured

ALERT: IRS Refund Ransomware Scam

April 26, 2015 by The T By D Team

Wait until the last minute to file for Income Tax?

Waiting with bated breath, knowing deep inside that you’ll have to pay dearly, but secretly hoping for a surprise refund?

CyberCriminals are aware of this, and are taking advantage of people while they’re vulnerable.
(That’s what CyberCriminals do best!)

Knowing that people are waiting for official word from their federal tax agency (IRS, Canadian Tax Services, etc.) on pending refunds, CyberCriminals are working overtime, hoping to receive their own ‘bonus’!

CyberCriminals have a massive email campaign, sending emails that claim to inform you of your tax refund.

[Image: IRS refund scam email]

It will look similar to the email in the image, tailored to your specific location, of course.

They ask you to click on a link to a Microsoft Word attachment to receive information.

However, instead of a tax refund, you’ll be opening an infected Word file.

The infected file holds a ransomware payload, and encrypts the files of the PC that opened the attachment.

 

The bonus?

It’ll also encrypt the files on all the connected network drives.

 
[Image: IRS ransom screen]

And your screen will look similar to the one in the image.

Once that happens, you’ll be forced to pay the reported $500 ransom by a deadline.

If you miss the 1st deadline, the ransom will go up.

 

Pass this post on to friends, family, and coworkers.
The more people that are educated about this type of attack, 
the less effective the attack will be!

 


Filed Under: ALERTS, Featured

What is PCI Compliance?

April 20, 2015 by The T By D Team

PCI compliance is a term that has been in the news a lot over the past couple years.

But what is it?

‘PCI Compliance’ or ‘PCI Security Compliance’ is Payment Card Industry Security Compliance.  It addresses any business that accepts credit card or debit card for payment, and is a standard that has emerged as the ‘bench test’ for whether or not your retail operations are a security risk for credit card information theft.

The rising incidence of stolen cardholder account data is a major concern for all businesses that accept payments by credit or debit card.  As a result of these thefts, merchants and financial institutions suffer fraud losses and unanticipated operational expenses, and consumers are inconvenienced significantly.  

 

What Does It Mean To Me?

If you collect or store credit card information, and if it is compromised, you may lose the ability to accept credit cards at your business, or you may face higher processing rates.  In the U.S., you may also be liable, not only for the credit card information compromised, but for non-compliance with new Security Awareness Training guidelines if your employees have had little or no security awareness training.  If you store credit or debit card information, no matter what country you are in, you are required to follow PA-DSS Compliant Applications (Payment Application – Data Security Standards).

To protect your business, your customers, and the integrity of the payment system, each of the card companies has in place a set of requirements governing the safekeeping of account information.  

  • Install and maintain firewall to protect cardholder data.
  • Do not use vendor-supplied default system passwords.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across network.
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security.

There are 4 different levels of PCI Compliance, depending on the number of eCommerce and regular transactions your business does annually.

To check if you are following the compliance standards, visit the PCI Security Standards Council – the organization that manages these standards.  This is an excellent website that also allows you to perform a self-assessment.  

So that covers the legalities of the electronic safekeeping of your information.

 

But...
Being PCI Compliant Does Not Ensure Safety

To rely solely on the PCI DSS checklists to secure cardholder data is similar to a pilot relying only on the pre-flight checklist before takeoff, then colliding with another plane during takeoff.

In reality, the goal of effective security controls is to prevent security breaches from occurring, and when they do, allow quick detection and recovery.

This requires not only following a checklist, but understanding the organization’s compliance and security objectives, understanding what the top risks to achieving those objectives are, having adequate situational awareness to identify where you need controls to mitigate those risks, and then implementing and monitoring the correct production controls.

 

The Human Factor

The U.S. Department of Health and Services has stated that bad or no security awareness training is a main cause of compliance failures.  This is true not only for health care, but all industries such as banking, finance, manufacturing, and technology.

Your employees are your company’s biggest asset.  They can also be your company’s weakest link.

Trend Micro reports that 91% of successful data breaches started with a spear-phishing attack.
Make sure your employees are up-to-date in their security awareness training.

 

Don’t Know What to Look For In Suspicious Emails:  http://tbyd.ca/email-red-flags/

For all the latest virus/malware alerts go to:  http://tbyd.ca/category/alerts/


Filed Under: FAQ, Featured

ALERT: How to Help Prevent Cyber-Infection

April 9, 2015 by The T By D Team

 Think you’re immune?
So did thousands of banks and other organizations!

 

Last week, IBM Security reported an active CyberHeist campaign using a variant of the Dyre Trojan that has successfully stolen more than $1 million each time, from targeted enterprise organizations.

Since it emerged in June 2014, Dyre has grown even more sophisticated and easy-to-use, spreading the malware through a mass mailing of victims’ contact lists, and targeting organizations instead of individuals, enabling CyberCriminals to go for the bigger payday.

The IBM Trusteer team reported in October 2014 an increase of the infection rate of the Dyre malware from 500 to a startling 3,500 in just 5 months.

The Dyre campaign targets organizations that frequently conduct wire transfers with large sums of money.

The campaign includes a successful spear-phishing campaign which results in an infection (via Upatre malware).  Once the infected PC tries to log into one of the hundreds of bank websites that the Dyre Trojan monitors, a new screen appears (instead of the corporate banking site).  The new page explains the website is experiencing issues, and requests the victim to call the number provided to get help logging in.  This all results in successfully duping their victims into providing their organizations’ banking credentials.  As soon as the victim hangs up the phone, the wire transfer is complete.

The targeted organizations sometimes also experience a Distributed Denial-of-Service (DDoS) attack.

 

 

Unfortunately for us, Social Engineering still works extremely well for CyberCriminals.

 
How to Help Prevent Cyber-Infection:
  1. Train Your Employees.  Your organization is only as strong as the weakest link.  And your employees have the most exposure, and are usually the most targeted, of your organization.  Train them on security best-practices and how to report suspicious activity.
  2. Have I.T. Conduct Periodic Mock-Phishing Exercises.  Have your I.T. department send employees mock-phishing emails, where employees receive emails or attachments that simulate malicious behaviour.  Metrics can be captured on how many potential incidents would have happened had the exercise been a real attack.  Use these findings as a way to discuss the growing security threats with employees.
  3. Offer Security Training.  Security Training is essential to help employees understand threats, and measures they can take to prevent infections and protect the organization.
  4. Provide Regular Reminders.  Send employees regular reminders about phishing and spam campaigns, and remind them not to open suspicious attachments or links from both work and personal emails.
  5. Train Employees in Charge of Corporate Banking.  Train them to never provide banking credentials to anyone.  The banks will never ask for this information.


Filed Under: ALERTS, Featured

Definition: Social Engineering

April 9, 2015 by The T By D Team

A method of intrusion CyberCriminals use that relies heavily on human interaction.  It often involves tricking people into breaking normal security procedures, and providing confidential information.

It often involves emails that look legitimate, and request the victim to click on a link or to enter confidential information.  The email usually asks the victim to ‘confirm’ their identity by entering confidential information (either by replying to the email, or by clicking on a provided link to an official-looking website), or to prevent negative consequences (avoid fees/penalties, jail time, legal charges, etc).

The emails usually target the end-user (any computer user in an organization), and rely on the lack of Social Engineering training for end-users.

It is the greatest threat that organizations encounter.

Filed Under: Definitions

Definition: Dyre Malware

April 9, 2015 by The T By D Team

Since its 1st appearance in June 2014, the Dyre Trojan has reportedly been used in a succession of phishing campaigns across the globe, including attacks against major brand names such as the Royal Bank of Scotland, Citigroup, JPMorgan Chase, and Bank of America.  The current target list now includes more than 100 banks, with new banks being targeted on a weekly basis.

Dyre Trojan has created industry-wide concern.

At the heart of the Trojan’s successful man-in-the-middle (MitM) attacks is a technique called “browser hooking”.

This technique allows the malware operators to route unsuspecting customers to fake banking websites, where their PC is infected with malware, and the user is tricked into surrendering their login credentials.  The stolen credentials are then used to conduct an account takeover (ATO) from a spoofed device, through a proxy, or directly from the infected PC, by use of remote access tools.

Attempts to stop Dyre attacks with traditional fraud controls (antivirus, authentication, statistical risk engines, and device IDs) have proven ineffective.

Filed Under: Definitions

April 2015 TechTips Newsletter

April 2, 2015 by The T By D Team

3-D Printer Prints 7-Year-Old New Hand!

 

APRIL 2015

TECHTIPS NEWSLETTER

 

 

Technology news, information and interesting stories.  Published monthly for Geeks and non-Geeks!

  • 3-D printer prints 7-year-old girl a new hand!
  • Toy Story 2.  The good guy lost…almost.
  • Turn dead animals into art…and sell it on the internet!
  • Selfie Stick is banned.  Selfie Shoes are in!
  • Get motivated by some of the most motivated people!
  • Strategies to keep hackers away!
  • Affordable, reliable computers!
  • Urgent computer security warning!

You don’t want to miss this issue!

Get your newsletter HERE!

Comments?  Let me know what you think at marketing@tbyd.ca


Keep Up-To-Date on the Latest Threats To Your Computer Network!

Regular weekly ALERTS on the latest security threats to your computer network

Check out the ALERTS here.

Do you have a question for our Resident Geek?  Email it to:  geek@tbyd.ca!



EXPIRATION NOTICE:

An urgent security warning for businesses running Windows XP, Office 2003, and Microsoft Windows Server 2003!

Windows XP and Office 2003 are no longer supported by the manufacturer.

Server 2003 will no longer be supported by the manufacturer after April 2015.

If your business or organization is currently running Windows XP, Office 2003, Microsoft Server 2003, or Exchange 2003 on any computers or servers in your office, you need to know about a dangerous security threat that must be addressed NOW!

PLEASE TAKE A MOMENT TO READ THIS IMPORTANT SECURITY ANNOUNCEMENT!

As your local Microsoft Partner, we are aggressively reaching out to all local businesses that use any of these programs to alert you to this serious security risk and inform you about what you need to do NOW to protect your company or organization!

WINDOWS XP AND OFFICE 2003 REPLACEMENTS MUST BE MADE NOW

WINDOWS SERVER 2003 AND EXCHANGE 2003 REPLACEMENTS MUST BE MADE BY JULY 14, 2015

Microsoft has officially announced that it retired all support for Windows XP and Office 2003 in April 2014, and for the Server 2003 operating system on July 14, 2015.

This means any business or organization still running any of these programs will be completely exposed to serious hacker attacks, aimed at taking control of your network, stealing data, crashing your system, and inflicting a host of other business-crippling problems you do NOT want to deal with.

This is such a serious threat that the U.S. Department of Homeland Security has issued an official warning to all companies still running these programs, because firewalls and antivirus software will NOT be sufficient to completely protect your business from malicious attacks or data-exfiltration.  Running some of these programs will also put many organizations out of compliance.

CALL 1-204-800-3166

for a FREE QUOTE

 

 

Filed Under: Featured, TechTips Newsletter

ALERT: Scam 911 Threat

April 2, 2015 by The T By D Team

Currently, residents of Ohio are being ‘beta tested‘ by CyberCriminals for an email scam.

Once they’re done with Ohio, you know it’s going to quickly spread throughout the U.S. and Canada, so here’s your heads-up.

Alert Your Friends, Family, Neighbors, and Colleagues About This Scam…

People are receiving phone calls and emails from a fake 911 emergency number.  The message states that you must call the Attorney General’s Office at the supplied phone number (which is fake) and pay a fine, or be arrested shortly.

*  DO NOT phone the ‘Attorney General’s Office’ number that they supply.
*  DO NOT click on any supplied links in the emails.
*  DO NOT comply with the demands for money through the phone or email messages, even if they appear legitimate.

 

911 does not send phone or email messages like this.

Now, scams that trick people into paying money aren’t new.  However, the ‘sophistication’ of this scam would be impressive, if it wasn’t so evil.

For the phone calls, ‘911’ actually appears in caller ID.  For the emails, ‘911 Emergency’ actually appears as the sending address.

Both are fake.
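For anyone who filters mail, the ‘911 Emergency’ sender trick described above can be checked from the message headers. The following is an added example, not part of the original alert: the protected names, the allowed domains and both sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy: authority names a scammer might put in the display
# name, mapped to the only domains allowed to use them (placeholder values).
PROTECTED_NAMES = {
    "911": {"emergency.example.gov"},
    "attorney general": {"ag.example.gov"},
}


def _domain(address):
    """Return the lower-cased domain of an e-mail address ('' if none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def sender_red_flags(raw_message):
    """List the reasons the sender fields of a raw message look spoofed."""
    msg = message_from_string(raw_message)
    # The From header carries a free-text display name and the real address;
    # mail clients often show only the display name.
    display, address = parseaddr(msg.get("From", ""))
    from_domain = _domain(address)
    flags = []

    shown = display.lower()
    for name, allowed in PROTECTED_NAMES.items():
        # The display name claims an authority, but the address behind it
        # is not on a domain that authority uses.
        if name in shown and from_domain not in allowed:
            flags.append("display-name:" + name)

    # Replies steered to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("reply-to-differs")
    return flags


# Constructed sample messages (not taken from a real campaign).
SPOOFED = (
    'From: "911 Emergency" <notice@mailer.example.net>\n'
    "Reply-To: fines@payments.example.org\n"
    "Subject: Final notice\n"
    "\n"
    "Call the Attorney General's Office and pay your fine.\n"
)
ORDINARY = (
    'From: "Shop Newsletter" <news@shop.example.com>\n'
    "Subject: April offers\n"
    "\n"
    "Hello.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("ordinary", ORDINARY)):
        print(label, sender_red_flags(raw))
```

A matching domain in the From header proves nothing by itself, since that header can be forged too; this check only catches the cheap display-name trick.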

The Office of the Attorney General in Ohio has received complaints since the beginning of March, regarding these scam phone calls/emails.

How To Protect Yourself From Phone Scams:

This information applies to emails as well.

  1. Be skeptical of the phone number that appears on caller ID.  It could be spoofed, or fake.
  2. When in doubt, hang up or don’t answer a call.
  3. Don’t respond to suspicious calls.  Even if the call prompts you to dial a certain number to avoid arrest, or asks you to press a button to “opt out” – Don’t do it.  This could cause you to receive even more phone calls, because it signals to the sender that yours is a legitimate phone number.
  4. Never provide money or personal information to someone who calls you unexpectedly and demands payment, even if it appears to be an emergency call or a call from the government.
  5. Don’t trust someone who says you have to pay off a debt or fine by using a prepaid card or wire transfer.  These are preferred methods of payment for Criminals, because once the money is sent, it is difficult to trace or recover.

 


Filed Under: ALERTS, Featured

Definition: Beta Test

April 2, 2015 by The T By D Team

1.  Software Development:

A beta test is the 2nd phase of software testing in which a sampling of the intended audience tries the product out.  This is to give the ‘product’ a “real-world” test, and partly to provide a preview of the next release.  In software, they usually use customers who volunteer to test the product.

2.  CyberScam:

A beta test is the ‘test’ phase of the scam, in which the scam is tried on a small sampling of the intended population (usually in 1 or 2 states of the U.S., since they are abundantly populated).  This is to test the effectiveness and response to the scam, and to highlight any changes to the scam that may need to be done prior to the real release of the scam on the entire intended population.

Filed Under: Definitions
