How Employees Help Bad Guys Steal Credentials

How exactly do CyberCriminals gain access to a company’s network?

A security researcher decided to see how hard it would be to create a targeted phishing attack on a total stranger.  He went to Facebook and found a guy he did not know personally, and found a wealth of information, including:

• He visited Tapley’s Pub in Whister, BC on Sept. 20
• He visited The Brewhouse in Whistler on Sept. 16
• The names of at least some of the people he was with on Sept. 13
• He visited the 192 Brewing Company on Sept. 12
• He visited the Chainline Brewing Company on Sept. 11
• He visited American Pacific Mortgage on Sept. 9
• He went to a Seattle Seahawks game on Sept. 3

And based on his Facebook profile, it was clear who he worked for, the city in which he lives, his wife’s name, and lots of other information.

If the security researcher was a bad guy trying to get access to this victim’s corporate login credentials, he could easily create an eamil with the subject line “Problem with you credit card charge at Tapley’s Pub” — a subject line that would make him open the email given his recent visit there.

Next, in the email, the bad guy could write a short, believable message about a problem in running his credit card and provide a link asking him to verify the charge.  That link could be to a site that would automatically download a keystroke logger to his computer, and…GAME OVER.

The bad guy can now capture every keystroke of the victim from then on, which would include login credentials and other confidential information.

The moral of this story:  

Do not share all kinds of personal information on social media.  

This is true from the mail room up to the board room.  Shared personal information can come back to you & bite hard!

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

How to be an Easy Hacker Target

One of the most publicized items of the U.S. election (other than Trump’s alleged sexually inappropriateness), is the hacking of Hillary Clinton’s private server.

I’m actually surprised that this hasn’t gotten more press than it has, given the highly sensitive data & emails that have been leaked.  But, that aside, how did this happen?  How was this allowed to happen?

John Podesta is the Chairman of the 2016 Hillary Clinton presidential campaign (he also previously served as Chief of Staff to President Bill Clinton, and Counselor to President Barack Obama).  Podesta fell for simple social engineering.  He fell for one of the most common phishes that we see – a Google credentials phish.  

In Podesta’s case, the bad guys used a bit.ly link – something else we see all the time.  And the landing page for the credentials phish, probably looked similar to the one below:

How To Make Yourself an Easy Phishing Target:

• Use a terrible password.  Use a common, easy-to-remember (ie. easy-to-guess) password.
• Re-use that same password for multiple sites and/or accounts.  
• Share your password with your coworkers, and/or assistants.
• Ask an assistant to email you your password when you forget it.
• Not turning on two-factor authentication
• Not changing passwords after one account was known to be compromised.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

Facebook vs AdBlock Plus           

This story pops up every week or so lately and I find it amusing.  

On the surface the fight looks like a David vs Goliath or a Robin Hood fighting for the goodness of the people.  Not so…

On one hand you have Facebook.  The billionaire giant (2 billion in PROFIT per quarter.  Yes billion) forcing ads upon their users to line the coffers with more dollar bills.

On the other you have AdBlock Plus, which is a free program.  They claim they are trying to block the ads and limit increasing the Facebook giant’s wallet via ad revenue, while freeing the Facebook user of those annoying ads they see while trying to watch their friend’s cat videos.

What I’ve been wondering was why.  Why was this free adblocker fighting Facebook? 

Publicity – sure, makes sense, now I know who they are.  Because they hate the ‘man’ and his ads?  Sure – makes sense, and I guess you have to have a hobby or something to do with your free time right?  Fame and Fortune?  On the surface it doesn’t look like it.  However, when dig deeper, you find out that AdBlocker Plus has launched its own ad exchange called the Acceptable Ads Platform, which essentially lets websites serve ‘privacy-safe’ ads that AdBlocker Plus won’t block from appearing on the 90 million or so users that have their software installed – for a 6% cut.

Ah, there it is!  Knew there was profit to be made somewhere.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

Budgeting for Technology Costs

Budgeting for technology costs is difficult.  We often run into clients that don’t budget for these costs at all.  They are then often caught with tough (and costly!) surprises when a workstation or server goes down.  

For smaller companies, this may work as the cost is lower (due to the lower volume), but for companies with a server and 5 or more workstations, a budget is a MUST.

Let’s say the average lifetime of a workstation and/or server is 3-5 years.  If a company has 10 workstations and 1 server, the total replacement cost would breakdown as follows:

(please realize I’m using these numbers for ease of example.  Actual costs may vary)

Workstation:  $1,000 + $200 cost of transferring to a new PC = $1,200 x 10 = $12,000

Server:  $5,000 + $1,000 cost of transferring to a new server = $6,000 x 1 = $6,000

Switches/Printers/Misc. Hardware = $2,000

So we have a total replacement cost for the company of $20,000

3-Year Replacement Plan

If you want to go with the 3-year replacement plan, you are looking at a total of $6,666.66/year.  You could spread out the costs by simply replacing workstations, and some networking equipment over the first 2 years.  You then replace the server in the 3rd year.  You then start the replacement plan (by replacing the workstations again) in year 4

5-Year Replacement Plan

By choosing the 5-year plan, you can plan on replacing the workstations and networking equipment spread over years 1-4.  In year 5, you then replace the server.  With this plan you can budget to spend approximately $3,500 in 4 of the years, and $6,000 in the 5th year.

By spacing out your technology purchases, you are potentially decreasing your downtime, and also working it into an affordable cost-space, making it easier on your company’s cash-flow.

Want help with your technology budget?  Call Technology by Design at 1-204-800-3166.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

network server room routers and cables

Why Replace An Old Server?

This is one question we get a LOT.  If an old server is doing the job, clients often wonder why they should bother replacing it.

The 3-Year Rule

Servers generally don’t last longer than 3 years.  This is due to many factors within the server.

Operating System (OS):  The older the OS, the less likely it is still going to be ‘protected’ (receive security updates from the manufacturer).  Still running Server 2003?  It’s already expired.  OSs expire or get old, and are more vulnerable to exploitation by CyberCriminals, and are more at risk for loss of data and/or information, identity theft, etc.

Hard Drive:  Hard drives will fail, on average, after 3 years.  Sometimes sooner, sometimes a little later, but it will happen.  AND, when it does, your company will shut down completely until the server is rebuilt and restored from a backup (that assuming you have a good backup…).

Power Supply and Fan:  Power supplies fail, fans fail (which could lead to motherboard failure).

Replacement Parts:  After 3 years, manufacturers are busy pushing the newer models, so parts become harder to find, and the likelihood of a major catastrophe increases immensely.

Performance

Once a server is running at 70% capacity or more (in plain language:  it’s basically 70% full when all operations are running), it slows down immensely.  And a funny thing about performance that we’ve noticed:  Unlike vehicles, and appliances, people tend to accept poor performance and slowness from their computer.  After a while, they don’t even realize that are doing it.  

How many of you start up your computer, or open a file, and start doing something else because it takes so long?  If you do, you’re not alone.  Many people do just this, and think nothing of it.  Consider the loss of productivity this is costing you & your company.  

Lots of potential for fails after 3 years.  What would a server failure cost your business, and how quickly could you recover?

We often notice people replace their vehicles far more often than their servers and other technical equipment.  A new truck runs upwards of $50,000++.  A new server:  a few thousand.  Is the new truck making you money?  Your server is your business’ lifeblood, and without it you may not be able to afford the payments on that shiny new truck.  

Make it a priority to replace your server.  Your business depends on it.  

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks

You’ve Been Scammed:  Now What?

It’s a dreaded “aha” moment…when you realize that you’ve been scammed.  

A flurry of emotions rush up, all at once:  embarrassment, rage, embarrassment again, fear, etc, etc.  Then the thought comes…

“Now what?”

What to do if You’ve Been Scammed:

1. If you used your credit card to pay, call the credit card company.  Tell them that you did not authorize the charges, and that you were scammed.  They will most likely reverse the charges, especially if you do this soon.
2. Cancel your credit card if you used it to pay.  If the Criminals were shady enough to scam you out of money the first time, there will be no moral dilemma for them to keep the credit card information and charge it up.
3. If you’re in Canada:  Report the fraud to the Canadian Anti-Fraud Centre.  Phone toll-free 1-888-495-8501 Monday to Friday 830am – 5pm (Eastern).  Or log into their online Canadian Fraud Reporting System (FRS).  However, to do this you will need a “GC Key” (User ID/Password) or “Sign-In Partners” (banking credentials).
4. If you’re in the United States: a) Email/Internet Scams:  Go to the FBI Internet Crime Complaint Center and file a report.  b)  Phone Scams:  Contact the Federal Trade Commision (FTC) or use the Online Complaint Assistant to report most types of frauds.  For more details on how to report scams and fraud go to:  https://www.usa.gov/stop-scams-frauds.
5. If you have been tricked into signing a contract or buying a product or service:  Contact your provincial/territorial/state consumer affairs office, and consider getting independent advice to examine your options – there may be a “cooling off” period, or you may be able to negotiate a refund.
6. If you think someone has gained access to your online account, telephone banking account, or credit card details:  Call your financial institution immediately so they can suspend your account and limit the amount of money you lose.  Credit card companies may also be able to perform a “charge back” (reverse the transaction) if they believe that your credit card was billed fraudulently.
7. If you sent a cheque, contact your financial institution immediately.  If the criminal hasn’t already cashed your cheque, you may be able to put a “Stop Payment” order on it.
8. If you sent money through a wire service (eg. Western Union, Money Gram), contact the wire service immediately.  If you are very quick, the may be able to stop the transfer.
9. If you were scammed using your computer, it is possible that a virus or other malicious software is still on your computer.  Run a full system check using reliable security software.  Or contact reliable computer professionals, such as Technology by Design 1-204-800-3166, to ensure your computer is clean of all malicious software.
10. If you do not have security software (such as virus scanners and/or firewall) installed on your computer, a computer professional, such as Technology by Design 1-204-800-3166, can help you choose the correct products for you.
11. CyberCriminals may now have access to your online passwords.  Change all of your passwords using a secure computer.

Common Scams:

1. Advance Fee Scams:  Scams that claim you’ve won a lottery, prize, or can invest in a “great” opportunity…IF you pay a small fee in advance.
2. Chain Letters:  These letters promise to help you get rich quickly if you participate and forward the letter/email on to you friends and family.
3. Charity Scams:  Criminals exploit current disasters, and take advantage of your willingness to help people in need and charitable causes.  They may collect your donation and keep it for themselves.  If you want to donate, please go directly to the charity’s webpage, or call the charity directly (from a phone number that you look up – Do NOT call any phone numbers you received in emails).
4. Coupon Scams:  Coupons can be a great way to save money.  But beware of illegitimate offers.  If it sounds too good to be true…it usually is!
5. Dating Scams:  Criminals often create fake profiles on dating sites and express interest in you, just so he/she can convince you to send them money.
6. Debt Relief Scams:  Criminals hope that you are as eager to get rid of your debt as they are to scam you out of your money.  Know the warning signs, so you won’t be their next victim.
7. Free Security Scans:  Don’t be tricked by messages on your computer (usually a pop-up) that claim your machine is already infected with a virus.  The legitimate-looking (but FAKE) security alerts exploit your fear of online viruses and security threats.
8. Government Grant Scams:  Despite ads that say you qualify for a government grant, these are often scams.  Be wary about responding to offers, emails, or claims that use government agency names.
9. Health Product Scams:  Be wary of trusting all claims.  Take time to get the facts about a product first.
10. International Financial Scams:  A variety of scams offer entries into foreign lotteries or international investment opportunities.
11. IRS-Related/Canada Revenue Agency Scams:  Be careful of trusting emails that are supposedly from the IRS or the CRA.  Criminals try to gain access to your financial information in order to steal your identity and assets.
12. Jury Duty Scams:  Be wary of phone calls from supposed “court officials” who threaten that a warrant has been issued for your arrest because you failed to show up for jury duty.
13. Phantom Debt Scams:  Beware of letters and calls, supposedly from “debt collectors” or “court officials”.  These criminals make threatening claims requiring you to pay money that you don’t owe.
14. Pyramid Schemes:  These investments offer big profits, but really aren’t based on revenue from selling products.  Instead, they depend on the recruitment of more investors.
15. FBI/CIA Scams:  Avoid falling victim to schemes involving unsolicited emails supposedly sent by the FBI and/or the CIA.  The emails appear to be sent from email addresses such as mail@fbi.gov, post@fbi.gov, admin@fbi.gov, and admin@cia.gov.
16. Service Member or Veteran Scams:  Criminals target bogus offers of government resources or financial services to trick active duty military personnel and veterans out of their hard-earned money.
17. Smishing, Vishing, and Phishing:  All 3 of these scams rely on you replying to an email, phone call, or text with personal information, such as your bank account or credit card information.
18. Subpoena Scams:  Criminals send bogus emails, supposedly from a court, stating that you have to come to court.  These emails are fake and may contain links that are harmful to your computer.
19. Text Message Scams:  Not only can text message spam be annoying and cost you money on your mobile phone, but the messages are also usually part of scams.

How To Protect Yourself:

1. Protect Your Identity:  Treat your personal details like money – don’t leave it lying around, and don’t give it out to just anyone.
2. Destroy personal information, don’t just throw it out.  Cut up or shred old bills, statements, or cards (credit cards or ATM cards – anything with a black or grey magnetic stripe on the back contains personal information).
3. Never send money or cheques to anyone that you don’t know and trust.  
4. Never send money or pay any fee to claim a prize or lottery winnings.
5. Never transfer or wire any refunds or overpayments to anyone you do not know.  
6. If you receive a phone call from someone you do not know, always ask for the name of the person you are speaking to and who they represent.  Then verify this information by calling the company yourself (by looking up the phone number yourself.  NEVER trust a phone number that someone else provides).
7. Never give our personal, credit card, online banking/account, usernames or password details over the phone or in a response to an email, unless you made the phone call or initiated contact, and the phone call and/or email came from a trusted source.
8. Do not respond to text messages or missed calls that come from numbers you do not recognize.  Be especially wary of phone numbers beginning with “1-900”.  These may be charged at higher rates than other numbers and can be extremely expensive.  
9. Never reply to a spam email (unsolicited email), even to unsubscribe.  Often, unsubscribing serves to “verify” your email address to scammers.  The best thing to do it to delete any suspicious emails without even opening them.
10. Turn off the “viewing pane” as just viewing the email may send a verification notice to the sender that yours is a valid email address.
11. Legitimate banks and financial institutions will never ask you for account updates or details in an email, or ask you to click on a link in an email to access your account.
12. Never call a telephone number, or trust any other contact details that you see in a spam email.
13. Install software that protects your computer from viruses and unwanted programs, and make sure it is kept current.  If you are unsure, seek the assistance of a computer professional, such as Technology by Design 1-204-800-3166.
14. If you want to access a website, use a bookmarked link to the website or type the address of the website into the browser yourself.  Never follow a link in an email.
15. Check website addresses carefully.  CyberCriminals often set up fake websites with addresses that are very similar to legitimate websites.
16. Beware of websites offering “free” downloads (music, adult content, games, movies, etc.).  Downloading these products may install harmful programs onto your computer without your knowledge.
17. Avoid clicking on pop-up ads – this could lead to harmful programs being installed on your computer.
18. Never enter your personal, credit card, or online banking  or account information on a website that you are not 100% certain is genuine.
19. Never send your personal, credit card, or online banking  or account information through an email.
20. Avoid using public computers (at libraries or Internet cafes, etc.) to do your Internet banking or online shopping.
21. When using public computers, clear the history and cache of the computer when you finish your session.
22. Be careful when using software on your computer that auto-completes online forms.  This can give CyberCriminals easy access to your personal and credit card details.
23. Choose passwords that would difficult for anyone else to guess.  For example, passwords that include letters and numbers.  Change your passwords regularly.
24. When buying anything online, print out copies of all transactions, and only pay via a secure site.  If using an Internet auction site, note the ID numbers involved and read all the security advice on the site first.

You can’t stop CyberCriminals from targeting your company or employees.

But you can be prepared for their arrival, and have full shields up.

Got CyberBugs?

Call 1-204-800-3166

For Cyber-Extermination!

#itthatworks