Cyber “Hoot” Wednesday: QR Code Scams

The latest way hackers are breaching your private information is by using malicious Quick Response codes, more commonly referred to as QR codes. QR codes were first created back in 1994 by the Japanese automotive industry to track inventory more effectively but have since been adopted by multiple industries to capture and share information with consumers. Today you will find them on billboards, web pages, magazines, and even clothing. While most of us are familiar with how to scan these codes with our smartphones to retrieve a vendor’s information or register a warranty, some folks aren’t aware of the cybersecurity and privacy risks relating to their use and abuse.

How Do Hackers Co-opt a QR Code?

One of the most prevalent and easiest ways hackers steal our information is through phishing attacks. You can dive deeply into this topic by reading our previous blog article on Avoiding Phishing Attacks. In summary, for this QR Code article, phishing attacks typically use an email or web page to lure you into giving out personal information. Hackers create web pages that look identical to a legitimate business web page but whose real purpose is to steal your login credentials and private information.

In one of these QR Code attacks, you receive an email from your bank outlining an amazing Credit Card deal which asks you to “scan the embedded QR Code” to apply. Once you scan the “bank’s” QR code, you’re taken to what appears to be your “bank’s” credit card application web page. But here you must be careful, as you might not be on your bank’s actual web page. The domain name behind the QR Code may be slightly off: bestbankofall.com was replaced with bestbank0fall.com [notice the zero (0) in place of an O (oh)].

As you complete the credit card application form, even if you don’t submit the form for processing, hackers have secretly captured your data and will use it to open credit cards in your name, steal your identity, or steal your bank login credentials if you provided them.  Beyond these data theft attacks, other QR Code attacks try to convince users to download viruses onto their mobile devices, tablets, and computers.

How Can I Protect Myself?

Here are some essential basic tips to avoid QR Code scams:

  • If you receive an email from a bank, business, or anyone that asks you to scan a QR code, review a document, or apply for a credit card, double-check that the domain name is exactly correct, watching for look-alike letters, missing letters, or combination letters (e.g., r+n = m, as in rn).
  • If you receive an email from a business or person you don’t recognize, simply do not scan the QR code, as it is likely a scam.
  • If you must check out a QR Code offer, manually type in the domain name and visit the business’s website directly to reach the QR code offer.
  • QR Codes are beginning to be used for payments.  At this time, there are enough alternatives for immediate payments that we would not recommend issuing payment through a QR code methodology.  Simply ask for alternatives.

Summary

QR codes are a convenient way for businesses, consumers, and marketers to exchange information. However, hackers are stealing our private data because people aren’t aware of the risks or how to validate sites properly. It is important to be on the lookout for these scams. Do not allow the convenience of a QR code to lull you into a false sense of security. Be vigilant and use your newfound knowledge to protect yourself.

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Editor, Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Three Tips for the Digital Age

CyberHoot received notice today that our Café Press account had been breached along with 23 million other accounts. Fortunately, no password data was reported stolen. However, phone numbers, home addresses, email addresses, and full names were breached. This comes on the heels of Capital One’s 100 Million breached financial records announced last week. The FBI claims there are ONLY two types of companies. First, there are companies that know they’ve been breached; second, there are companies that don’t know they’ve been breached. Every company, not just Capital One and Café Press, should assume it has been, or will be, breached. What are you to make of these breaches?

Breached personal data is part of the new normal in the digital age. It’s a fact that our personal data will be compromised; it will be available in online hacker forums for bad actors to try and take advantage of us with. Recognizing that fact, CyberHoot and all our employees have been preparing for this for many years. We practice the three tips below for the digital age; will you practice them?

CyberHoot believes there are two kinds of people. First, there are people who know their personal data has been breached and do something to minimize the impact. Second, there are those people that know their personal data has been breached but do nothing about it. You’re reading this article to learn how to minimize the impact of breached personal data, right? If so, then take the following three steps.

CyberHoot’s Top Three Tips in the Digital Age to Protect Yourself Personally and Professionally:

  1.  Freeze your Credit. If you haven’t frozen your Credit yet, well, what are you waiting for? Here’s the Freeze your Credit article from CyberHoot.
  2.  Learn a Password Manager: given all our data will be breached, you need to learn this skill. Here’s CyberHoot’s article on Password Managers.
  3.  Enroll in a Cybersecurity Awareness Program: do this for yourself personally and make sure your company does it for all its employees.

It’s too dangerous out there not to provide awareness training to your staff. You can be sure no-one else is. If you don’t, who will?

Come to CyberHoot.com for a free 30-day trial for Cybersecurity awareness training. Our training is quick, easy, and effective! All it takes is the will to act… we’ll handle everything else.

Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Capital One Breach Affects Over 100M

On July 29, Capital One announced it experienced a data breach affecting over 100 million customers. While that is an enormous number it represents only 1.4% of nearly 8 billion publicly disclosed account compromises. Considering there are 10 – 20x as many unreported breaches and compromised accounts, 100 Million Capital One breached accounts is only 1/10th of 1% of all breaches. Given this sorry state of Cybersecurity, how can we put this breach into perspective? More importantly, what should we be doing in light of this “financial data” breach at Capital One?

What Was Compromised?

Capital One released a statement saying, “no credit card account numbers or log in credentials were compromised and over 99 percent of Social Security Numbers were not compromised”. The data currently known publicly to be compromised are 140,000 customers’ Social Security Numbers (Social Insurance Numbers for Canadians) and 80,000 linked bank account numbers. That leaves 99.8% of the breached accounts as undisclosed by Capital One. It is still very early in the investigation, so expect these numbers to change and be adjusted. We just don’t know the extent of what was stolen or breached and how it will affect us. Yet, even without that information, we can make recommendations for what you should do to protect yourself and your loved ones.

What Can I Do?

Freeze your Credit at all Four (4) Credit Reporting Agencies

This LifeLock article walks you through how to freeze your credit at three major credit agencies. However, know that there are actually four credit agencies where you need to freeze your credit. Hackers know this and will attempt to retrieve your credit from the smaller credit agency known as Innovis. CyberHoot advises consumers to put a full Credit Freeze on their financial accounts using these links: TransUnion, Equifax, Experian, and Innovis. Some of the credit monitoring agencies offer additional notification services such as texting you whenever your credit is pinged. Enable text alerts if possible to keep track of anyone actively touching your credit data.

Besides the Credit Freezes, is there anything else I should do?

Yes. Following the Anthem and Equifax breaches a few years ago, hackers have been using our stolen personal data to submit fraudulent tax returns before legitimate taxpayers could do so. Consumers have lost time and money regaining access to their own tax accounts. Unfortunately, this could happen all over again with this Capital One breach because hackers likely have the data they need to submit fraudulent tax returns from this breach. The IRS has acknowledged this problem and will provide anyone who has had a false return filed in their name with a PIN that is required to submit their taxes. Unfortunately, unless your taxes have been hacked, you can’t get that PIN to protect yourself. Consequently, CyberHoot also suggests that you get your tax documents in order and submit your taxes as early as possible next January to pre-empt any hacker attempt to submit a false return in your name!

If you would like more tips on what you or your business can do to prevent something like this from happening to you, read our article on the Quest Diagnostics Breach.

Summary

Anytime static data that cannot be recreated is breached, there are long-term consequences, which is the case with the above-mentioned breaches (Anthem, Equifax, and now Capital One). Putting a credit freeze on your account will protect you from hackers taking credit terms out in your name, but doesn’t prevent them from submitting fraudulent tax returns. Freeze your Credit, submit your taxes early, and continue to educate yourself on Cybersecurity topics.

Author, Craig, Co-Founder – CyberHoot

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Cyber “Hoot” Wednesday: Fight Password Fatigue with a Password Manager

Remember the last time you had to recover access to an account by resetting your password. Maybe it was last month, week, or maybe it was today.  Now remember what you had to do: use uppercase, lowercase, and special characters. Don’t reuse your favorite root password, don’t use a real word because it is easily guessed. Make sure it’s at least 9 characters in length.  Are you experiencing password fatigue yet?

People have been experiencing password fatigue for years. When your employees give up on good password hygiene, they give up on best practices and fall back on common bad habits. This article outlines a free-for-personal-use tool that will improve your security and reduce your password stress. It might even free up enough time to set up two-factor authentication on your most critical online accounts! Let’s start by looking at why passwords matter so much and the problems we all face with them.

Billions of Breached Passwords exist online

HaveIBeenPwned.com reports more than 8 billion compromised email accounts (often including compromised passwords). In the past, Yahoo lost more than 500 million user accounts and passwords; Dropbox and LinkedIn lost millions more. What makes these millions of breaches so damaging is that so many people re-use their passwords. Alternatively, people re-use predictable password roots, appending a prefix or suffix to that root password. Both practices put you at risk. Hackers exploit the fact that most people re-use passwords or have predictable prefixes and suffixes on common root passwords!
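To make the root-password problem concrete, here is an added example (not CyberHoot's code or any password manager's) of a vault audit that treats a password and its prefixed or suffixed variants as the same secret. The vault contents, site names, and the `root_of`, `audit` and `change_first` helpers are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample vault: site -> password. None of these are real credentials.
VAULT = {
    "shop.example": "Summer2019!",
    "vpn.example": "Summer2019!",        # exact reuse of the shop password
    "mail.example": "summer2020",        # same root, different suffix
    "forum.example": "123summer",        # same root, prefix instead of suffix
    "bank.example": "x7#Qp!2vLz-Rk9",    # generated by a password manager
}


def root_of(password):
    """Strip the digits and symbols bolted onto either end, and ignore case."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def audit(vault, min_root=4):
    """Return the groups of accounts that share a password or a password root."""
    by_password, by_root = defaultdict(set), defaultdict(set)
    for site, password in vault.items():
        by_password[password].add(site)
        root = root_of(password)
        if len(root) >= min_root:            # ignore roots too short to be meaningful
            by_root[root].add(site)
    return {
        "exact_reuse": sorted(sorted(s) for s in by_password.values() if len(s) > 1),
        "shared_root": {r: sorted(s) for r, s in by_root.items() if len(s) > 1},
    }


def change_first(vault, breached_site, min_root=4):
    """After a breach notice for one site, list the other accounts to change first.

    Returns (accounts with the identical password, accounts with the same root).
    """
    leaked = vault[breached_site]
    root = root_of(leaked)
    same_password, same_root = [], []
    for site, password in sorted(vault.items()):
        if site == breached_site:
            continue
        if password == leaked:
            same_password.append(site)
        elif len(root) >= min_root and root_of(password) == root:
            same_root.append(site)
    return same_password, same_root


if __name__ == "__main__":
    print(audit(VAULT))
    print(change_first(VAULT, "shop.example"))
```

Only the randomly generated bank password stays out of every group, which is the outcome a password manager's generator is meant to produce for all accounts.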

Why are Passwords so Important?

Once a hacker sees your username and password in plain text, can they then log into your online email or Virtual Private Network (VPN) account? They can if you have a predictable or re-used password on either one. Once inside your email account, hackers have breached one of the most critical accounts you have.

Your online email account can be used to reset passwords at many other online accounts. It’s simply a password recovery request away from the hacker! Additionally, email accounts are a treasure trove of social engineering material to attack your friends and family! Finally, as reported in CyberHoot’s Domino Attack Article, hackers are now crafting exceptionally powerful phishing campaigns by targeting users they find inside your email account. Hackers send phishing attacks directly from your email account or from a look-alike domain name they create. If successful, they then break into your friends’, family’s, and business partners’ email!

Does this all sound hopeless to you? Fortunately, it truly is not hopeless if you learn to use a Password Manager. Let’s take a look at what a Password Manager is and does. CyberHoot views this skill as being as important as knowing how to type!

Learn a Password Manager to Ease Password Fatigue

Every cybersecurity professional will tell you to use strong unique passwords at every online account you own. Unfortunately, most people cannot remember more than 3 to 4 strong passwords. Creating more simply leads to password fatigue. There is a simple solution. This seemingly impossible task becomes easy when using one of the many free (for personal use) password managers.  Many password manager options exist but CyberHoot recommends one of the following as we’ve used and reviewed their features in detail: LastPass, 1Password, and Dashlane.

The Power of Synchronization

Password Managers automatically synchronize all your accounts between smartphones, laptops, and tablets. A web browser plugin monitors your login activity and prompts you to save your credentials whenever you authenticate into a new website. Your username and password for the Domain (or URL such as gmail.com) is stored in an encrypted password vault. Each tool mentioned includes a random Password Generator you can use to create new, strong, and unique passwords. Over time, you will begin replacing your re-used passwords with randomly generated ones. Doing so will make you more secure, effective, confident, and efficient.

Call to action: Download and start learning and using a free password manager today.  This skill is as important as learning to type is! Regardless of your technical skill, if you put in even minimal effort, within 3 to 4 months, you will become proficient, secure and much more productive.

Author, Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Avoiding Phishing Attacks

How Phishing Attacks Work

An easy way to see how phishing attacks work is to look at a case that has already happened: a phishing attack utilizing Google Docs hit numerous Gmail accounts about a year ago. The phishing email was sent from compromised Google accounts to other Google accounts for approximately three hours, after which Google intervened directly and stopped all such emails. The email contained an invitation to a Google Doc, and if clicked, the link took users to a fake App that asked for permission to access the user’s Gmail account. The phishing email was convincing enough to have fooled some Google users into giving permission.

What Damage may have Occurred?

The primary damage could be significant or benign depending on whether your Gmail account was logged into by the attackers. The main attack then automatically resent the same attack to all your Gmail contacts (secondary damage being social embarrassment from being phished). However, there was a small potential that the attackers may have logged into your compromised Gmail account to study your emails, reset other online account passwords, or change account recovery options on your Gmail account! There was no known malware in this attack that infected recipient computers.

What to do if you were (or think you may have been) compromised in this attack?

Google responded very quickly to reports of this phishing attack, stopping all related emails within 3 hours of the outset of the attack. If you think you may have been compromised, here are six steps to take as soon as possible (Google recommendations):

  1. Go to your Google account management page.
  2. If you see an app called Google Docs, click on it to opt to revoke permission for the app to access your account.
  3. Then change your password [to something unique], just to be safe.
  4. Enable two-factor authentication on your account as an extra precaution. Two-factor authentication is the option to text a code to a phone number on file for your account so only a person with both your password and your cellphone can access your account. If you are unfamiliar with this topic, check out our article on Two-Factor Authentication.

CyberHoot’s Additional Recommendations:

  1. Check your account recovery options to validate that hackers did not change them in order to re-access your account once you changed your password.
  2. Immediately change passwords at sites using the same username/password as used on your Gmail account.

CyberHoot knows that in the absence of a password manager, people reuse passwords throughout their online accounts! If your Gmail account was compromised by this attack, hackers might be trying to log into other accounts you have even after you removed the hackers’ access to your Gmail account. One of our favorite password managers – LastPass – once populated with your online accounts, will tell you which accounts reuse your Gmail credentials. Change those to unique passwords to eliminate this cybersecurity risk now and in the future. If you would like more information on this topic, check out our article on Passwords, Passphrases, and Password Managers.

Event Summary:

This was a simple but highly convincing phishing campaign
designed to steal Gmail account credentials.  Before clicking or opening
anything always be sure to answer these questions affirmatively:

1) Was I expecting this email?

2) Was this email…

  • Addressed to me directly by name?
  • From someone I know?
  • Is the sending email address 100% correct? (watch for slight variants like g00gle.com)

3) Are the grammar, spelling, and email construction correct?

4) Does my gut tell me there is absolutely nothing wrong with the email?

If you answer NO to any of those, pick up the phone and call the
sender to confirm they sent the message to you on purpose; otherwise, delete
the message.
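The "is the domain 100% correct?" check above, and the bestbank0fall.com and r+n = m cases from the QR code article, can be automated. The following is an added example, not code from CyberHoot: it compares the host in a link or decoded QR payload against a short list of domains you actually use. The trusted list, the extra substitutions beyond 0/o and rn/m, the verdict names, and the handling of internationalized names (which goes beyond the cases the articles name) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Domains the user really deals with. bestbankofall.com and google.com come from
# the articles' examples; mybank.example is constructed for the rn/m case.
TRUSTED = ("bestbankofall.com", "google.com", "mybank.example")

# "0 for o" and "rn for m" are named in the articles; the rest are assumptions.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(name):
    """Collapse look-alike sequences so visually similar names compare equal."""
    name = name.lower()
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance, used to catch one missing, extra or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, related trusted domain or None) for an emailed or scanned URL."""
    if not re.match(r"[a-zA-Z][a-zA-Z0-9+.-]*://", url):
        url = "https://" + url                  # QR payloads sometimes omit the scheme
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        host = ""
    if not host:
        return ("invalid", None)
    labels = host.split(".")
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    # Internationalized names can hide non-Latin look-alike letters: review by hand.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return ("idn-review", None)
    for good in TRUSTED:
        # The trusted name used as a subdomain of somebody else's domain.
        if host.startswith(good + ".") or "." + good + "." in host:
            return ("lookalike", good)
    base = ".".join(labels[-2:])    # rough registrable domain; no public-suffix list
    for good in TRUSTED:
        if skeleton(base) == skeleton(good) or edit_distance(base, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


# Constructed sample links, as they might appear in an email or behind a QR code.
SAMPLES = [
    "https://www.bestbankofall.com/cards",
    "https://bestbank0fall.com/apply",
    "http://g00gle.com/docs",
    "rnybank.example/login",
    "https://bestbankofal.com/apply",
    "https://bestbankofall.com.offers.example/apply",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify(link))
```

An "unknown" verdict only means the host resembles nothing on the list; the manual checks above still apply to it.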

Stay safe online!

Editor’s Note: There is an article we wrote, Domino Breaches: Get Ahead of this Breach ASAP to stop the Falling Dominos. This article on phishing details another variant of attack similar to the Domino attack article published just over a month ago. Similar attacks have been made against Microsoft’s O365 users. No one is truly safe online today without adopting the technical protections outlined in this article. Be safe online and remember, “Knowledge is Power!”.

Author, Craig, Co-Founder – CyberHoot

Editor, Ty Mezquita, Blogger/Social Media – CyberHoot

Microsoft Bug “BlueKeep” May Affect Millions

Overview:

On May 14, Microsoft issued a software update patch for its Remote Desktop Protocol (RDP). These patches fixed RDP vulnerabilities in older Windows operating systems including Windows Server 2008, Windows Server 2003, Windows 7, Windows XP, and Windows Vista. A few weeks ago, the National Security Agency (NSA) put some heat on system admins to patch, stating: “Microsoft Windows administrators and users [must] ensure they are using a patched and updated system in the face of growing threats”. The NSA revealed that there are around one million internet-facing machines still vulnerable to this threat, which is now being called “BlueKeep”. If the vulnerability were to be exploited, it would allow the hacker to launch a malware attack with the potential to spread through the network to all other vulnerable computers. Many security experts expect this vulnerability to be wormable and to be weaponized quickly, in a similar vein to what happened with WannaCry in 2017, which led to as much as 4 Billion dollars in losses.

Why is it Important?

It is very important to be aware of what systems in your business need to be updated or replaced. It is important to regularly run scans to determine where vulnerabilities are. However, the underlying issue here is that many businesses have old equipment that they believe works perfectly fine. The problem with these systems is that once they reach their End of Life (EOL) or End of Support (EOS), the vendor no longer puts out updates to support the product, resulting in critical unpatchable security vulnerabilities. In the case of the “BlueKeep” RDP vulnerability, Microsoft deemed it so bad that they took the extra step of releasing patches for EOL and EOS operating systems.

Importance of Patch Management

It is critical for your business to maintain a strong patch management program. But patching may not be enough. The businesses that CyberHoot.com consults with gain access to a Vulnerability Alert Management Process (aka: VAMP) that outlines response priorities to critical patches and vulnerabilities like BlueKeep. Over half of attackers take advantage of software vulnerabilities as a gateway to the information systems of companies. VAMP allows organizations to take a look at their vulnerabilities, weaknesses, and potential threats and mitigate them on a timetable that everyone has agreed to previously. It forces controls on timelines for plans and remediation, and on lines of responsibility, all codified prior to the pressure situation of a rampant worm or weaponized vulnerability like WannaCry attacking businesses all over the world.

Call to Action

CyberHoot helps businesses like yours build and enhance cybersecurity programs to include critical processes like VAMP and Patch Management, while also automating the governance and training of employees with robust cybersecurity policies and awareness programs.

As employers and resellers, we need to be perfect at protecting our critical accounts and critical data; hackers only have to succeed once for a costly cyber incident or breach. Improve your odds of success by visiting CyberHoot.com and signing up for a free 30-day trial to begin closing the Cybersecurity skills gap by training your employees. Our 5-min Cyber “Hoots” teach your staff about Passwords, Passphrases, Password Managers, Two-factor Authentication, WiFi Insecurities, and dozens of other important cybersecurity topics. Are you doing everything you can to reduce your risks?

Head over to our CyberHoot Website and sign up for a free 30 day trial.

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Editor, Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: Cybersecurity Training is a School Curriculum Necessity

Editor’s Note:

This is a reprint of an article I wrote for New Hampshire Business Review in June 2017 outlining the need to make cybersecurity education part of our school curriculum.

With so many Cities and Towns across the US paying hefty ransoms this year and more than 1900 breaches reported as of May 31st, 2019 for this year alone, preparing our students with some rudimentary Cybersecurity skillsets has never been more critical, and it provides the potential for a strategic advantage. Historians will look back at the 21st century as a transitional period where traditional Brick and Mortar businesses redefined themselves with eCommerce and online goods and services, or they went the way of the buggy. Will the US be known for the quality of employees it produced prepared for the 21st century challenges we all face, or will we be left behind as nothing more than a footnote to some other country that does better?

Finally, be sure to tune into the Enterprise Security Weekly podcast today when CyberHoot Co-Founder Craig Taylor is interviewed by Matt Alderman on the topic of Cybersecurity Awareness Training.

Students Must Learn How to Protect Themselves Online

Do you think about cybersecurity training in your son or daughter’s K-12 school? If not, you should be.

Take it from a cybersecurity veteran, we are not preparing our kids to spot and defend against online attacks, nor are we educating them on the best protective measures either.

Schools do a decent job teaching children about some cybersecurity topics including:

— The harm of cyber bullying

— Why you should never sext (send nude photos by text)

— Understanding important privacy issues on Facebook and other social media platforms

It is important to learn about these topics, but schools mostly fail to educate students on the fundamentals of 21st century online cybersecurity risks. Passwords, password management and password tools are rarely, if ever, discussed. Learning the fundamentals of a phishing or social engineering attack are woefully absent from our basic computer curriculum.

Why is it Important?

Why is it important to educate young students about these threats and to teach them necessary habits of online protection? Learning online protective habits early matters a great deal. From a cybersecurity perspective, the internet is the great equalizer for all nations, peoples and groups. It is cheaper and easier than ever before in the history of the world for an anonymous attacker to target anyone, any business, located anywhere in the world.

Whether you’re a cybersecurity expert like myself, a youngster playing online games, or a parent checking a bank account, the risks we all face come in many shapes and sizes. For all its conveniences and efficiencies, the internet has no borders or boundaries. For criminals it has become a revival of the Wild West – a frontier where policing and the law are usually one or two steps behind emboldened and very smart hackers.

A Pew Center study on cybersecurity in 2017 highlighted a troubling dichotomy among adults. The study found that while most Americans have directly experienced some form of data theft or fraud, many admit they “are failing to follow digital security best practices in their own personal lives, and a substantial majority expects that major cyberattacks will be a fact of life in the future.”

While teaching our children as early as possible is imperative, the good news is we’re not talking rocket science. The rules of cybersecurity are as easy to learn as it is to drive a car, and just as safe driving is tied to defensive driving, so too is the need to defensively operate our computers today.

Fortunately, schools and students are beginning to recognize this need. A series of investigative stories on the IT website FedScoop.com highlighted the challenges and opportunities of integrating cybersecurity literacy into school technology curriculum as early as possible. “Using technology is one of the three ‘Rs’ of the 21st century,” said Michael Kaiser, executive director of the National Cyber Security Alliance, referring to the traditional subjects of reading, writing and arithmetic. “If you don’t graduate from high school knowing how to use technology, it’s going to be a hindrance in the same way if you don’t know how to read.”

Making basic cybersecurity literacy a new ‘R’ in school curriculum will expose students to lessons that can last a lifetime and teach them critical steps to protect themselves. The time to create good cybersecurity habits is when children first begin operating a computer. Rather than trying to “unlearn” bad habits (as identified in the Pew study) we should build a strong foundation of cybersecurity literacy skills in our students as early as possible.

We can do a better job of preparing our students to enter the workforce with a strong set of cybersecurity literacy skills. We can begin with a focus on the topics mentioned earlier: passwords, their management and tools, as well as understanding social engineering and phishing attacks. Engaged and enlightened students with a modicum of cybersecurity literacy will make a huge difference in creating a workforce prepared to defend against the daily cyberattacks in our homes and businesses of today and tomorrow.

Craig, Co-Founder – CyberHoot

Editor’s Call to Action: two years on from my original article, the state of Cybersecurity in our Cities, Towns, and Business is no better; in fact it’s gotten much worse. If you’re a City, Town or Business Manager/Owner and you want a simple solution to attack this problem proactively, putting the odds in your favor instead of the hackers out there, sign up for free training for 30 days at CyberHoot.com. Or, contact sales@cyberhoot.com if you have questions or want a reseller to set up and run your training program for you. We have both options available.

I encourage anyone who will listen to deal with this problem head-on – train your employees and take control of your destiny by improving your employee odds of recognizing an attack and avoiding it.

For the Month of July 2019, anyone who signs up for free training will get 2 months free. We’re so confident you’ll love our solution we’re willing to give it away free for 60 days to convince you! Try it to be certain. You’ll be glad you did.

Cyber “Hoot” Wednesday: Two-Factor Authentication

We’re all familiar with using passwords and some are experienced with password managers, but they aren’t always the best way to secure your critical accounts. If you’re using a password manager you may be surprised that sometimes these unique, complex, randomly generated passwords are still not enough to secure your critical accounts. To protect your critical information and accounts you need something even stronger and more secure, something technologists and IT professionals call two-factor authentication, often abbreviated as 2FA.

What is Two-Factor Authentication?

Two-factor authentication is simply combining and using two of the following three identification factors:

Something you know – a password or passphrase on your account;

Something you have – your cell phone’s ability to provide a random 6-digit code or to receive a code from a text message;

Something you are – your physical characteristics such as a fingerprint, facial recognition, voice recognition, or even an iris scan.

If you use two of these three identification factors, you are using 2FA to authenticate yourself, and your critical accounts and data will be properly secured. This is the gold standard of authentication and protection.

Why is 2FA Important on Critical Accounts?

According to this Symantec Info-graphic “80% of data breaches could be eliminated by the use of two-factor authentication.” Hackers know most people have never been trained on creating strong passphrases, using password managers, or setting up two-factor authentication to protect their critical accounts and data. Consequently, hackers send millions of sophisticated Phishing Attacks trying to steal our usernames and passwords. Once someone clicks on one of these phishing campaigns and attempts to log in to a real-looking but fake website, the hacker has your credentials. If the hacker has hacked into one of your critical accounts such as your email, bank, or Virtual Private Networking (VPN), they can do some serious damage to you and your reputation or your company’s reputation.

Domino Attack Risk

As described in my Blog article on Domino Attacks, hackers target every single person you’ve corresponded with in that compromised email account with sophisticated phishing attacks. The dominoes begin to fall as hackers break into your contacts’ critical accounts person by person and company by company.

Account Reset Risk

If hackers breach your email account, this is also where all your other account reset emails go for approval. If your email account is compromised, besides the Domino Attack and the personal information hackers can sift through, this account breach can also allow hackers to reset your other account passwords to grant them access to more of your digital life. However, if you’re using two-factor authentication on your email account, you can prevent this victimization.

“If I don’t click phishing links, do I need two-factor authentication?”

Yes. Hackers now find your credentials in several ways besides successful phishing attacks. Hackers can acquire your credentials from underground forums that trade stolen credentials from breached websites. Other hackers use viruses like Trickbot or Emotet to steal credentials from infected machines you may be using. Using a second factor on your critical accounts is something hackers cannot get around, because to compromise your 2FA protected account, a hacker would need access to your cell phone and be able to unlock it to gain access to the randomly rotating unlock codes in your 2FA application.
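How the rotating codes in a 2FA application are typically derived, as an added example that is not part of the original article. It assumes the app uses the time-based one-time password scheme of RFC 6238 (the article does not name one), and the secret shown is the RFC's published test key, not a real account secret.

```python
import hashlib
import hmac
import struct

# Published RFC 6238 test key (assumption for the demo, not a real secret).
RFC_TEST_SECRET = b"12345678901234567890"

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Code for the time window containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int,
           drift_windows: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current window plus/minus clock drift."""
    ok = False
    for w in range(-drift_windows, drift_windows + 1):
        t = max(unix_time + w * step, 0)
        expected = totp(secret, t, len(submitted) or 6, step)
        # compare_digest avoids leaking how many digits matched via timing
        ok |= hmac.compare_digest(expected.encode(), submitted.encode("utf-8"))
    return ok

if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)
    print("accepted 30s later:", verify(RFC_TEST_SECRET, code, 59 + 30))
    print("accepted 120s later:", verify(RFC_TEST_SECRET, code, 59 + 120))
```

The code depends on both the shared secret stored in the app and the current time, so a password alone does not produce it and an old code stops verifying once its window has passed.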

“How hard is it to set up 2FA?”

Not hard at all. Setting up 2FA on all your critical accounts (you’re probably already doing this for your bank accounts) is easier than you may think. Most 2FA is already available, free to set up, and easily found within your online account’s “Password” or “Security” settings. Look for “Advanced Security”, “Advanced Settings” or search for “two-factor authentication” in the website’s help menus. Calling the website support line is another option to walk you through the set up quickly and easily. There’s even a website dedicated to listing websites that support 2FA or not.

Conclusion:

Don’t let hackers get the upper hand on your critical accounts. Protect yourself personally and professionally by setting up two-factor authentication today on all of your critical accounts. It’s the perfect example of “an ounce of prevention being worth a pound of cure”. You’ll be happy you did.

Call to Action:

As employers and resellers, we need to be perfect at protecting our critical accounts and critical data; hackers only have to succeed once for a costly cyber incident or breach. Improve your odds of success by visiting CyberHoot.com and signing up for a free 30-day trial to begin closing the Cybersecurity skills gap by training your employees. Our 5-min Cyber “Hoots” teach your staff about Passwords, Passphrases, Password Managers, Two-factor Authentication, WiFi Insecurities and dozens of other important cybersecurity topics. Are you doing everything you can to reduce your risks?

Craig, Co-Founder – CyberHoot

Quest Diagnostics Data Breach Affects 12 Million Customers

Overview

In May of 2019, medical testing company Quest Diagnostics had its second data breach in three years, in which 11.9 million customers’ personal information was compromised. The breach likely came through their third-party billing system, the American Medical Collection Agency (AMCA). The data compromise included customers’ medical and financial information, which includes social security numbers, credit card numbers, and bank information. The breach surfaced on May 19, when researchers found payment card details for 200,000 of Quest Diagnostics patients for sale on the dark web.

Then, on June 6th, LabCorp, a competitor of Quest Diagnostics, announced its own breach of nearly 7.7 million records and noted it was related to the same AMCA website that Quest reported.  That’s a total of 19.6 million financial and medical records suspected breached.

What may have happened…

The data breach likely came through the third-party vendor, the American Medical Collection Agency. The AMCA provides services to Optum360, a Quest billing contractor. Quest reported that they believe that the unauthorized activity took place on the “AMCA’s web payment page”, which may suggest that the intrusion came through skimming. Skimming on the Internet happens when someone maliciously injects malware onto a website’s payment pages. This has happened many times in the past by a group that goes by the name of Magecart. Magecart is a group of hackers who are known for having stealthy and creative ways to inject difficult-to-detect malware onto webpages. Magecart was behind many high-profile breaches in the past including British Airways and TicketMaster.

There are three ways skimming typically occurs on a website: Keylogging, sniffing form submissions, and form jacking. All three steal information in different ways, but they all produce the same result. They all convince your browser to send your critical data (Credit Card for example) entered into the payment web page back to hackers without your knowledge.

Mitigating Controls for Web Applications:

There are a few ways companies can prevent something like this from happening to them. First, they could implement data encryption; encrypted data is useless to hackers as this data is unreadable without the decryption key. Secondly, they could perform regular web application risk assessments to scan for vulnerabilities, identify risk sources, and remediate them in a timely fashion. Thirdly, they could add another layer of protection by running different parts of the website under separate accounts and/or in front of a Web Application Protection solution that might identify data exfiltration as was reported here. Finally, businesses can implement fraud indicators (also known as red flags to some) which perform regular scans to identify when and if there has been a data breach of some kind.

Tips for Businesses with Web-facing Applications:

Businesses have never been under more sophisticated and frequent attacks.  Cybersecurity spending on defenses is set to top 1 Trillion dollars in aggregate by the end of 2021.  Web applications are one of the weak links hackers are exploiting.  You must consider implementing some of the mitigating controls above to protect you and your clients from Internet attacks and to discover attacks as quickly as possible when hackers exploit some error in your web application.

Tips for Businesses who Grant Critical Data Access to 3rd Parties:

In this case, neither Quest nor LabCorp themselves were compromised. It doesn’t really matter though, does it? The damage to their brand has been done. Their names will forever come up in Google searches of major security breaches and stolen data. If you outsource your critical data processing to a 3rd party, you need to examine them for cybersecurity preparedness. Do not assume they know what they’re doing. Directly inspect them with a site visit or audit. Really review their auditor reports if they have them. At a minimum, send them a 3rd Party Cybersecurity Awareness Questionnaire which is available to clients of CyberHoot.com.

Tips for Individuals whose data was potentially Breached:

Individuals whose personal medical and financial data was breached, including social security numbers, should follow the same advice provided for the Experian and Anthem breaches. Freeze your Credit until you need to use it for your own purposes. I have frozen my credit at ALL FOUR credit agencies and twice lifted the freeze for myself – once to buy a car and once to change Credit Cards at my bank. Both times it was easy and painless… but I sleep better knowing I’ve made it as hard as possible for hackers to breach my personal credit with my compromised Social Security number, medical, and financial records. Freeze yours as well. Here’s how.

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Editor, Craig, Co-Founder – CyberHoot

Sextortion Email Scam: Don’t Allow Yourself To Be Victimized

Sextortion Scam

Hackers are using new tricks to get information or money by blackmailing people through emails. In this latest blackmail scheme, hackers use an individual’s old password, found on the dark web, to add credence to their claims that they have compromised your computer and recorded images of you surfing pornography; they then demand a bitcoin payment to prevent public release.

Unlike many other real-world sextortion cases you may have heard about including revenge porn and the misuse of sexting, this latest threat is 100% a hoax.

But How Could a Hacker have my Password?

As documented in my CyberHoot Wed. piece on Passwords, Passphrases, and Password Managers, the website ‘https://HaveIBeenPwned.com’ is a legitimate and useful website you can visit to see if any of your email accounts and passwords are part of more than 8 Billion records of publicly disclosed breaches at LinkedIn, Dropbox, Yahoo, and many others. The unfortunate truth is that this is just the tip of the iceberg when it comes to compromised credentials, with many more accounts and passwords available on the “Dark Web” in private forums where cyber-criminals sell these credentials for profit. This is where the sender of your Sextortion email likely secured that “really old password” you barely remembered having!

In this Sextortion scheme, hackers mine the dark web for credential pairs (email and password) and craft the message (shown below) to induce panic and convince you to pay a bitcoin ransom to prevent the release of photos to your social media accounts.

I do know, [redacted], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct?

Actually, I placed a malware on the adult videos (porno) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. After that, my software program obtained all your contacts from your Messenger, Facebook, as well as email.

What exactly did I do?

I made a double-screen video. First part displays the video you were viewing (you’ve got a nice taste haha) and second part shows the recording of your webcam.

What exactly should you do?

Well, I believe, [insert various dollar amounts], is a reasonable price tag for our little secret. You’ll make the payment via Bitcoin. (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: [redacted] (It is cAsE sensitive, so copy and paste it)

Important:

You have one day to make the payment. (I’ve a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the BitCoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive payment, I’ll erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.

I’ve received many inquiries about this scam and whether hackers could really pull off this “Sextortion Attack”. Checking whether the identified password was part of a breach by visiting the HaveIBeenPwned.com site should provide you the relief you’re seeking. If your password was part of a breach you can confidently ignore this extortion. If on the other hand your password was reported on that site, you should probably think about whether you could have clicked on a phishing email or other attack recently. Running a MalwareBytes scan on your computer and/or AV scan wouldn’t hurt. Knowing that you don’t surf pornography, don’t have a web camera, or cover your web camera with a cover should also provide you some automatic relief. Technically, everything the hacker claims to have done could be done. But the presence of a password is usually a dead giveaway that this hack is a HOAX. I have not known a single person to pay this scam… but given its prevalence someone must be paying!

Now that I know this is a hoax, what should I do?

A good response is to delete the message and never give it another thought. However, the best response would be to read my article on Passwords, Passphrases, and Password Managers (link above). Learn how to use a Password Manager and Passphrases, and then slowly begin to replace all your old passwords with strong, long, random passwords generated and managed by your Password Manager. You’ll be more confident, secure, and productive!

Follow our LinkedIn page for other updates: CyberHoot LinkedIn

Craig, Co-Founder – CyberHoot