Phishing and information leakage: How to avoid security threats on the Internet



What is Phishing





Some months ago, two IT experts from EPAM Systems published an article on DOU.ua, the popular Ukrainian web portal for IT professionals, about phishing, data leaks, and the measures to resist them. We decided to translate this article and post it on our blog because cybersecurity is always a top concern, especially now that many businesses have moved their staff to remote work.


We described how an infrastructure services provider can help organize your company's remote office and avoid business downtime in the article How to arrange a remote office quickly and safely.


The floor is given to the authors:


«Talking about information security, we should admit that IT experts often get around its rules in favor of [solutions] convenience. We know this for certain, because we have a lot of working experience in IT. This article aims to remind you of some slightly forgotten Internet security practices, and perhaps to help you discover something new in the cybersecurity universe. Besides, the article contains many examples of phishing emails and some real stories about companies that have lost their customers' data.


How often do you notice if there is HTTPS on the web page? Do you use multi-factor authentication? Do you often pay attention to the “From” field in the mailing list?


Nowadays, Security Awareness training courses have become a routine for IT professionals — most of us take them several times a year. So, many IT experts consider such events a waste of time because they cover things that «everyone knows.» But let us show you Security Awareness from the other side, less officially, not for show, but, as they say, for people.


Social engineering is one of the most ominous cyber threats to companies, as well as to ordinary users. Actually, social engineering is a manipulative technique that forces a person to perform actions that he should not perform. In this case, the target of the attacker is the person (not too attentive or educated). Forcing him or her to click on the necessary link or launch a harmful executable app is much easier than, for example, hacking the entire corporate information security system, including antiviruses, firewalls, and SIEM. Recent high-profile cyberattacks lead companies of any size to allocate a considerable part of their corporate budgets to cybersecurity. So, the task of getting to critical information inside a well-protected organization will require almost unrealistic efforts, costs, and time.


Some years ago, the crew of Jimmy Kimmel Live performed an experiment that brought to light potential victims of social engineering by asking passersby on Hollywood Boulevard to tell about their passwords.


The experiment results were shocking — a vast number of strangers eagerly met the interviewers and easily shared their passwords for social networks and mailboxes. This case proves that it is much easier to elicit a user's password than it seems. And people sometimes do not adhere to the seemingly obvious rules of information security and their privacy protection.


Phishing

Phishing is the most common example of social engineering in practice. A characteristic phishing email is shown below. Study it attentively, and you will easily find some indisputable signs that this email was not sent with noble intentions:



Phishing Example
A fake email that was not sent by Amazon!



Let's analyze the signs that strongly indicate that the letter is fake.


  1. A phished email domain. The first thing that catches your eye is a fake email domain: Amazon doesn't have the letter “a” in the beginning.

  2. Depersonalization. The name or nickname of the person to whom it is addressed is absent from this letter — most likely, the attacker doesn't know it.

  3. A suspicious link or file is attached. The most important thing is a phishing link: after clicking on it, the user is most likely to enter his credentials as if for authentication. In other cases of phishing, a letter can have an attachment – a document, or a table, or some file capable of executing malicious code.

The secret of phishing success is user carelessness and lack of attention. But besides, a phisher can widely manipulate various human emotions and needs. Here are several examples below.



Greediness or pursuit of gain. What about an unexpected win in the lottery?



Phishing Example
This email is definitely not from the CEO of Google Inc.



Oh, so you asked to double your bitcoin amount? Do you really believe that happens?



Phishing Example
It's too good to be true.



Anxiety. You should agree that nobody can keep calm after getting a message that suspicious activity has been noticed in their PayPal or online banking account. If you have received such a letter, it is better to go to the official website or mobile app.



Phishing Example
Don't panic — just check your account on the official website or app first!




Phished SMS
The arrow points to the fake link (which leads to a phishing webpage) in a message about a fake top-up of the bank account by a considerable amount.


Curiosity. It is another human weak point. Wouldn’t you be curious to look into a secret payroll mistakenly sent to you, or to see photos from the corporate party you could not attend?



Phishing Files
There are no files worth your attention. Do not open any of them!



Liking. Nowadays, you can run into IT company recruiters anywhere, even on Tinder. So is there anything stopping malicious persons from trying these platforms for phishing?



Phishing in Tinder
It is not a real girl, and there's no love at all!



Bonus track. It also happened:



Message from an attacker
This screenshot shows a fake message from the Security Service of Ukraine. The letter says that the user allegedly used the computer for illegal activities and that the computer is locked (in fact, it is not locked!). To unblock it, the user had to pay the "fine" offline, but this transaction was addressed to the account of the malicious persons.




Messages from attackers
Wow!



So, some conclusions are the following:


  1. Don’t click shit!
  2. Don’t open, don’t click, don’t run suspicious files, links, and apps.
  3. Any unexpectedly received files or links are suspicious.


Data leakage

Data leakage is another cyber threat that businesses face. Data leakage is an unauthorized transfer of data to a third party outside the company to which it belongs, or making this data publicly available illegally. On the Internet, you can easily follow how often sensitive information leaks occur. E.g., you can find several recent data leaks that happened during the day by the hashtags #leakage or #databreach on Twitter.


Let's recall the most high-profile data leakage cases of the last year.

Facebook. In April 2019, researchers from UpGuard discovered two data sets at once; one of them contained over 540 million entries: likes, comments, account names, Facebook IDs, etc. The other dataset contained photos, posts, and user passwords from an application that used Facebook. According to UpGuard experts, the passwords of a third-party app could well be identical to the passwords for Facebook accounts.


Overall, April of last year was difficult for Facebook. Besides the case above, Facebook admitted in the same month that for a long time it had stored user passwords for Instagram accounts without encryption. Well, we saw a telling example of “how user passwords should not be stored.”


First American Financial Corp. One of the largest US financial institutions, which positions itself as a third party in real estate transactions, left about 885 million records publicly available. Brian Krebs, an expert on information security, discovered this fact in May 2019. The oldest document in this collection was dated 2003, and the newest one was from 2019. Later, the corporation fixed the problem and deleted the dataset.



Personal data that was leaked to the Internet
All of the personal data is publicly available...



Capital One. A bank holding company specializing in credit cards, bank and deposit accounts said in July 2019 that hackers stole the personal data of about 100 million people in the United States and 6 million people in Canada. It means that if you opened an account with Capital One between 2005 and 2019, then your data most likely fell into the hands of cyber thieves. The lost data included social security numbers, bank account numbers, first and last names, home addresses, postal codes, dates of birth, and email addresses of the Bank's customers. Despite the vast amount of lost data, Capital One said that not a single credit account or password was compromised; thus, there were no victims of this data leakage. Later, the FBI arrested a 33-year-old Seattle resident, Paige A. Thompson, on suspicion of committing this attack on the Bank’s data. Her guilt was proved by identifying traces of Capital One data on her devices. The verdict of the court included five years in prison and a $250 thousand fine.


Adobe. In October 2019, Adobe suffered from a massive data leakage. The cyberattack resulted in the theft of the personal data of about 2.9 million users of Adobe services. Information stolen by hackers included Adobe user IDs, encrypted passwords, first and last names, and encrypted credit card numbers. Unfortunately, in this case, the FBI investigation did not identify the attackers. In its turn, Adobe has provided all users whose data has been compromised with a free year of subscription to all Adobe services.


All cases above allow making a clear conclusion: data leaks occur from time to time, and almost no one has protection from these incidents.


However, some simple tips will allow users to feel a little more secure and (possibly) reduce their paranoia on the Internet a little bit.



How to minimize cyber threats

First, you can check if your email was included in one of the known data leakages. To help with this, Troy Adam Hunt, the Australian security expert and Microsoft Regional Director, developed the service Have I Been Pwned? (HIBP). He created HIBP as a free resource so that any user can quickly check whether any accounts associated with their email are among those compromised or included in known data leaks.




Checking whether an email address appears in any leaked dataset
Check your email right away!



If your email is detected in hacked datasets, it makes sense to immediately change the password of the account. We also strongly recommend that you use two-factor authentication wherever it can be enabled. [e.g., in Gmail, Facebook, etc. — comment by SIM-Networks]


One more essential that everyone (or almost everyone) knows about, but probably not everyone uses, is the password manager. For reliable data protection, you should always use complicated, long, and, most importantly, different passwords for all resources. Sure, you physically cannot keep so many complex passwords in your head. Thus, a password manager is no longer optional software, but a vital utility. Today, the password manager market has many solutions with a variety of additional functionality.
Of the open-source solutions, KeePass is a utility that will store your passwords locally in an encrypted database.
Of the commercial solutions, you can choose 1Password — for $3 per month, you will get support for all popular platforms (apps for iOS and Android) and an unlimited number of passwords for storage. And the password manager from Dashlane offers a VPN as additional functionality besides secure password storage.


Summary

Instead of a conclusion, we give you some tips, which can increase the level of your information security and privacy protection on the Internet.

Tip 1: Do not click on links, do not open files or launch attachments in suspicious emails. Yes, unfortunately, identifying a real phishing email sometimes is not easy.


Tip 2: Read the guide on How to Avoid Becoming a Cyber Victim.


Tip 3: Use a proxy or VPN on unknown networks, if possible.


Tip 4: Check your email address from time to time using the haveibeenpwned.com service.


Tip 5: Use password managers. $3 per month is not too expensive when it comes to your privacy and security.


Tip 6: Use multi-factor authentication, at least on the most critical services that you use (email, Internet banking, etc.).


As you can see, these security tips are very simple and obvious. But this is only at first glance. We believe that you can make your stay on the Internet more private and secure by following our recommendations.»


Originally, this article with all pics was posted here.
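
The three signs the article lists for the fake Amazon email (a look-alike sender domain, an impersonal greeting, a suspicious link or attachment) can be checked mechanically. The following Python code is an added example, not part of the original article; the brand list, file extensions, function names and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions of this example: brands to protect and risky file extensions.
TRUSTED = {"amazon": "amazon.com", "paypal": "paypal.com"}
RISKY_EXT = (".exe", ".js", ".scr", ".docm", ".xlsm", ".iso")
GENERIC = re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|client|member)\b", re.I | re.M)

# Constructed sample message (not the email shown in the article).
SAMPLE = """From: Amazon Support <support@aamazon.example>
To: user@example.org
Subject: Your account is on hold
Content-Type: text/html

<p>Dear customer,</p>
<p>Please <a href="http://aamazon-verify.example/login">sign in</a> to confirm.</p>
"""

def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def check_email(raw):
    msg, findings, body = message_from_string(raw), [], ""
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    label = sender.split(".")[-2:][0]  # e.g. "aamazon" from "mail.aamazon.example"
    # Sign 1: sender claims or imitates a brand but is not on the brand's domain.
    for brand, domain in TRUSTED.items():
        close = SequenceMatcher(None, label, brand).ratio() >= 0.8
        if (brand in name.lower() or close) and not belongs_to(sender, domain):
            findings.append(f"lookalike-sender:{sender}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):  # sign 3: risky attachment
            findings.append(f"risky-attachment:{fname}")
        elif part.get_content_maintype() == "text" and not fname:
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    # Sign 2: impersonal greeting (HTML tags stripped first).
    if GENERIC.search(re.sub(r"<[^>]+>", "", body)):
        findings.append("generic-greeting")
    # Sign 3: link target outside every trusted domain.
    for url in re.findall(r'href="([^"]+)"', body, re.I):
        host = (urlparse(url).hostname or "").lower()
        if not any(belongs_to(host, d) for d in TRUSTED.values()):
            findings.append(f"untrusted-link:{host}")
    return findings
```

Calling `check_email(SAMPLE)` returns one finding per sign; an empty list means none of the three heuristics fired, not that the message is safe.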


The floor is given to SIM-Networks:


The recommendations and rules described above really work despite their apparent simplicity. Most importantly, these tips are universal: you can follow them while working in the office, from home, or remotely during the COVID-19 quarantine. Follow these tips to keep your personal and business accounts completely safe.


If you need to configure a VPN, organize a secure RDP connection, create a VDI environment, or move your offline office infrastructure to the protected cloud, please contact us right away, and SIM-Networks experts will help you.


