Email scam targets executives, NSA rates conferencing tools and get ready for COVID tracing apps
Welcome to Cyber Security Today. It’s Monday May 4th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Senior executives of companies around the world should always be careful clicking on email attachments, because their positions make them among the prime targets for hackers. Being cautious is even more important now with news that several cybercriminal groups have banded together and launched successful attacks around the world. A report released last week says at least 156 senior executives of financial, real estate and legal firms have been victimized by the attacks since the middle of last year. The report, by a threat intelligence company called Group-IB, says 81 of the victims were in the U.S. and 11 in Canada. The tactic starts with detailed research on the victims and their companies. The executive then gets an email that looks like it comes from a partner firm and carries an attachment, usually a PDF, though it may also be a Microsoft Office file. Clicking on the file sends the victim to a website that looks like a Microsoft Outlook login page. Victims who log in hand their username and password to the crooks, who can then log into the executive’s email and copy all messages. Next the attackers send phishing emails from the executive’s account to new victims, then delete the sent message from the executive’s outbox to avoid detection. With the captured emails the criminals can search for and resell sensitive business information. Threat researchers spotted this campaign and temporarily derailed it. However, the crooks were back in business in December.
How can this attack be defused? Well, anyone with the word ‘chief’ in their title, like chief executive or chief financial officer, or ‘vice-president’ should remember they are prime targets. The same goes for lawyers. That means they have to be extra careful, and slow, when reading email. They have to look carefully at who has sent the message. In at least one case here there was a tip-off: the sender and recipient were the same person, with the real recipient hidden in the blind copy (Bcc) field. And just because the sender’s name is “Joe Smith” doesn’t mean it’s from Joe: the display name is free text that anyone can set. Click on the arrow next to the name to see the full sender’s email address. Also, some messages had unusual formatting: instead of spaces between some words there were plus signs. Everyone, even if you’re not an executive, needs to turn on two-factor authentication for email logins; a stolen password alone is then not enough to get in. And last, remember it’s easy to create fake Microsoft login pages, so check the address in the browser bar before typing a password.
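Those tip-offs can also be checked mechanically before a message reaches an inbox or during incident triage. The following is an added Python example written for this page, not Group-IB’s tooling or anything from the podcast: it parses a raw message and reports the indicators described above. The three sample messages are constructed, and the domain victimco.example is an assumed stand-in for the defending organisation’s own mail domain.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

OUR_DOMAIN = "victimco.example"   # assumed: the defending organisation's own mail domain


def _addresses(msg, header: str) -> list:
    """Lower-cased addresses from every instance of a recipient header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def triage(raw: str) -> list:
    """Return the indicators found in one raw RFC 822 message, in a fixed order."""
    msg = message_from_string(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")

    # Tip-off 1: the message is addressed to its own sender. The real targets
    # sat in Bcc, which never appears in the copy a recipient receives.
    if sender and sender in visible:
        findings.append("sender-is-recipient")

    # Tip-off 2: nobody in our domain is a visible recipient, so our user can
    # only have got this via Bcc (or a mailing list); worth a second look.
    if not any(addr.endswith("@" + OUR_DOMAIN) for addr in visible):
        findings.append("recipient-not-visible")

    # Tip-off 3: the display name is free text. If it contains an address that
    # differs from the real one, the sender is counting on nobody clicking
    # through to the full address.
    claimed = parseaddr(display)[1].lower() if "@" in display else ""
    if claimed and claimed != sender:
        findings.append("display-name-address-mismatch")

    # Tip-off 4: runs of words joined by '+' where spaces belong, in the subject
    # or text body (a URL with '+' in its query string can trip this too).
    body = b"".join(part.get_payload(decode=True) or b""
                    for part in msg.walk() if part.get_content_type() == "text/plain")
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")
    if re.search(r"\b\w+(?:\+\w+){3,}\b", text):
        findings.append("plus-sign-spacing")
    return findings


# Constructed samples (not real messages). PHISH mirrors the pattern above:
# sent to itself, targets in Bcc, plus signs instead of spaces.
PHISH = """\
From: "Joe Smith" <joe.smith@partnerfirm-legal.example>
To: joe.smith@partnerfirm-legal.example
Subject: Please+review+the+signed+agreement
Content-Type: text/plain; charset=utf-8

Joe Smith has shared a document with you.
Open+the+attached+PDF+to+review+and+sign.
"""

# Display name carries an internal address; the real sender is elsewhere.
SPOOF = """\
From: "ceo@victimco.example" <alerts@mail-relay.example>
To: cfo@victimco.example
Subject: Document for review
Content-Type: text/plain; charset=utf-8

Please review the attached document today.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@partnerfirm.example>
To: cfo@victimco.example
Subject: Q2 engagement letter
Content-Type: text/plain; charset=utf-8

Hi, the engagement letter is attached for your review.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("spoof", SPOOF), ("legit", LEGIT)):
        print(label, triage(raw))
```

None of these checks is proof of phishing on its own; a legitimate newsletter also hides its recipients. Their value is in stacking: the PHISH sample trips three at once, which is a reasonable threshold for routing a message to a human reviewer rather than the executive.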
In Wednesday’s podcast I mentioned a blog from Mozilla that gives a quick security rating system for some videoconferencing platforms. That’s helpful for consumers. Businesses, and consumers with higher security needs, may want to consult recently released guidance from the U.S. National Security Agency on how to choose collaboration software and services. In addition to rating services, it offers questions to answer when choosing one: Does it use end-to-end encryption? Does it offer multi-factor authentication for logins? What is the provider’s privacy policy? There’s a link to the guide in the text version of this podcast.
There’s a lot of talk about using smartphones in some way to help public health authorities track people who have come into contact with those infected with the coronavirus. Google and Apple are jointly building the Bluetooth foundation that app developers can build on. Approaches differ, but generally people would agree to install an app on their phones and leave Bluetooth on. The phone emits a series of scrambled numbers that change regularly. As you move around, your phone records the numbers broadcast by other phones that stay close to you for a period of time, and keeps them for 14 days. If you feel ill and test positive for COVID-19, you agree to let your app notify the phones on that list so their owners can see their doctor for testing. In theory the notification is anonymous: people can’t trace the movements of anyone with the app, or of anyone who has tested positive. Developers in Canada and the U.S. are now working on potential apps, which would have to be approved by governments, so you’ll soon see a lot of news about proposals and nearly finished products. The idea is that such an app could help health authorities who do manual contact tracing. Some are skeptical, saying mass testing of people for the virus is a more precise way to identify those at risk. If you want to get an idea of the privacy pros and cons, a new blog by the Electronic Frontier Foundation has a good summary. There’s a link to the article here. You could also do a Google search for ‘COVID tracking app’ to find other news so you’ll be ready to participate in the public debate.
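To make the anonymity claim concrete, here is an added Python model of the rolling-identifier scheme described above. It is an illustration written for this page, not Apple’s or Google’s code: their Exposure Notification design uses a different key derivation and its own parameters, but the property demonstrated is the same. A diagnosed user uploads only daily keys, never a list of contacts, and matching against the identifiers a phone heard happens on that phone, so neither the server nor other users learn who met whom. The 10-minute rotation, the 14-day window and the Alice/Bob/Carol scenario are assumptions made for the example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

INTERVALS_PER_DAY = 144   # assumed: a fresh identifier every 10 minutes
RETENTION_DAYS = 14       # assumed: keys and heard identifiers are kept this long


def rolling_id(daily_key: bytes, day: date, interval: int) -> bytes:
    """Identifier broadcast over Bluetooth during one 10-minute interval.

    Simplified derivation for this example (HMAC-SHA256, truncated). Without
    the daily key, a day's 144 identifiers cannot be linked to each other or
    to the phone, which is what stops a bystander tracking someone's movements.
    """
    msg = b"RPI" + day.isoformat().encode() + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, owner: str):
        self.owner = owner
        self.daily_keys = {}   # date -> 16 random bytes generated on the phone
        self.observed = {}     # identifier heard -> date it was heard

    def key_for(self, day: date) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(16)
        return self.daily_keys[day]

    def broadcast(self, day: date, interval: int) -> bytes:
        return rolling_id(self.key_for(day), day, interval)

    def hear(self, identifier: bytes, day: date) -> None:
        """Record a nearby phone's identifier and drop anything past the window."""
        self.observed.setdefault(identifier, day)
        cutoff = day - timedelta(days=RETENTION_DAYS)
        self.observed = {i: d for i, d in self.observed.items() if d > cutoff}

    def diagnosis_keys(self, today: date) -> dict:
        """The only thing a diagnosed user uploads: recent daily keys, no contacts."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return {d: k for d, k in self.daily_keys.items() if d > cutoff}

    def exposure_days(self, published: dict) -> list:
        """Local matching: re-derive each published day's identifiers and look
        for them among what this phone heard. Nothing leaves the phone."""
        hits = set()
        for day, key in published.items():
            for interval in range(INTERVALS_PER_DAY):
                if rolling_id(key, day, interval) in self.observed:
                    hits.add(day)
                    break
        return sorted(d.isoformat() for d in hits)


def simulate() -> dict:
    """Constructed scenario: Alice and Bob sit near each other on two days;
    Carol met Alice only 20 days ago (outside the window) and met Bob once."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    first = date(2020, 4, 20)
    for offset in range(2):
        day = first + timedelta(days=offset)
        for interval in range(50, 53):          # about 30 minutes together
            bob.hear(alice.broadcast(day, interval), day)
            alice.hear(bob.broadcast(day, interval), day)
    stale = first - timedelta(days=20)
    carol.hear(alice.broadcast(stale, 7), stale)
    carol.hear(bob.broadcast(first, 3), first)  # this also purges the stale entry
    today = date(2020, 4, 28)
    published = alice.diagnosis_keys(today)     # Alice tests positive and uploads
    return {
        "keys_uploaded": len(published),
        "bob": bob.exposure_days(published),
        "carol": carol.exposure_days(published),
    }


if __name__ == "__main__":
    print(simulate())
```

Two things to notice when reading the result: the upload is two 16-byte keys, not a list of people, and Carol’s phone reports nothing even though it once heard Alice, because both the stale identifier and the stale key age out of the 14-day window. What this model does not capture, and what the real debate is about, is everything outside the cryptography: Bluetooth range is a poor proxy for infection risk, and the published keys let anyone who recorded identifiers work out which of their own encounters were with a diagnosed person.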
Finally, IT administrators have a lot of just-released security updates to install if their systems use products from these providers: SaltStack has released a fix for critical vulnerabilities in the Salt server management tool used in data centres. Oracle says a patch released for its WebLogic server on April 14th should be installed as soon as possible. Ninja Forms, which makes a plugin that creates forms for firms that use WordPress, issued a patch for a serious security flaw that could allow an attacker to take over a web site. And there are more WordPress plugins to patch, from the learning management platforms LearnPress, LearnDash and LifterLMS.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.