Category Archives: Social Engineering

Working from home: VPN contracts COVID-19

With the rise of the COVID-19 pandemic, workers all over the globe have been forced to work from home unless they are deemed essential to the welfare or survival of society. To do the jobs they were hired to do, these employees must remotely access their company's network and its resources, which requires an enterprise VPN server. The need for, and reliance on, the service that VPNs provide has therefore vastly increased, to the point that they are now ‘paramount to a company’s backbone’ (ZDNET).

According to both ZDNET and TechRadar, the cyber security agencies of both the UK and the US have found that cybercriminals are now seeking to exploit enterprise VPNs and the other remote tools that employees use to reach their employer's network. It is therefore paramount to secure such communications, to reduce the risk of granting privileged access to an unprivileged attacker.

There are various methods of protecting oneself and one's enterprise from a variety of attacks (most of which have not been discovered yet), a few of which are mentioned below:

  • Log files: Now is the time to delve deeper into the log files of incoming and outgoing communications through the VPN server and the other remote working tools that the company offers. The full application and network logs, often disregarded in favour of an oversimplified summary produced by some third-party application, contain the details that can expose a loose end or an open hole that must be plugged to ensure data integrity and quality.
  • Strongest authentication and encryption method: This period of time does not cater to the weak willed, so amp up the security front in terms of the network's authentication method (possibly RADIUS-capable) and its encryption method (possibly AES-256). These methods are more likely to protect the system than any convoluted network tunnelling that could be implemented, simply because even if an attacker does manage to get hold of the encrypted traffic, their ability to decrypt it without knowing the various keys used by an EAP-enabled RADIUS server is severely diminished.
  • Be selective: Not all employees need direct access to the company network, and not all employees who do need direct access require all of it. It is worth limiting which employees have access to the network and its resources through the VPN service, and to what.

Whilst everything in the outside world may seem to be coming to a halt, the use of, and need for, VPN connections to various networks is blowing ahead at full speed. Clearly it is vital to the online safety of both the enterprise and its employees to have secure communication tools between their devices and the company’s network. Some other tools and tips to continue the securing process may be found in the reference links below:

References:

ZDNET: https://www.zdnet.com/article/covid-19-with-everyone-working-from-home-vpn-security-has-now-become-paramount/

TechRadar: https://www.techradar.com/news/your-vpn-could-be-putting-working-from-home-at-risk

ComputerWorld: https://www.computerworld.com/article/2547058/10-tips-to-secure-client-vpns.html

Written By: Jarryd Brits

DOJ Sues U.S. Telecom Providers in Connection with Robocall Scams

The Department of Justice is suing two telecom providers, TollFreeDeals and SIP Retail, for transmitting fraudulent VoIP calls. The providers are known as “gateway carriers”, which give foreign callers access to the U.S. phone system. The owners are Nick and Natasha Palumbo, who worked out of their home in Scottsdale, Arizona.

The main customers of TollFreeDeals are Indian call centers, which have sent out hundreds of millions of robocalls. The callers impersonate personnel from the Social Security Administration (SSA), the Internal Revenue Service (IRS), United States Citizenship and Immigration Services (USCIS), loan approval companies, and tech support from companies like Microsoft and Amazon. The robocall scripts usually inform the recipient that they owe a large fine or that there is a problem with one of their accounts. If a potential victim called the provided number back, they were bombarded with threats and demands for a payment to “fix” whatever problem the robocall described. These calls have led to millions of dollars of losses for victims.

Between the months of May and June 2019, over 720 million calls were transmitted through TollFreeDeals. Of those, more than 425 million calls lasted less than one second, which suggests they were fraudulent. TollFreeDeals ignored hundreds of warnings from USTelecom and AT&T, and continued to transmit these calls.

This lawsuit is a big step in the right direction in reducing the number of spam calls sent to U.S. citizens, assuming the outcome of the case proves the defendants guilty of wire fraud. Increased awareness of vishing, together with efforts to block fraudulent calls before they reach citizens, will also reduce the impact of these scams.

Written by Julie McGlensey

Sources:
https://arstechnica.com/tech-policy/2020/01/doj-sues-us-telecom-providers-for-connecting-indian-robocall-scammers/
https://www.justice.gov/opa/press-release/file/1240026/download

New Method of Delivering Spam: Google Calendar

According to the Russian cyber security company Kaspersky, online criminals have adapted their spam delivery techniques to use Google Calendar and other Google services. The criminals are taking advantage of Google Calendar's default behaviour of automatically adding calendar invitations and notifications found in emails.

The attacks are carried out by spamming many email addresses with unsolicited calendar invitations that actually link to a malicious phishing site. Currently, the malicious sites have simply asked users to input their credit card or other personal information. However, a more intricate and advanced attack could deliver malware without requiring the victim to click on anything more than the invitation in their calendar.

“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” said Maria Vergelis, security researcher at Kaspersky in a press release of this new scam.

Most individuals would not think twice about trusting an event on their personal calendar, since for the most part they are the only ones adding information to it. The good news, however, is that the automatic adding of events from email invitations can be turned off in the Google Calendar settings.

In addition to the calendar scam, Google Photos has also fallen victim to the spam that plagues the internet. In this scam, victims receive a photo of a check that they can supposedly collect by emailing the address supplied in the message, and a much larger sum is promised if the victim pays “a commission”. The scammers collect the money the victim pays and never deliver the promised check.

While Google is working on better detecting and eliminating spam from its products and services, spammers will still find ways to slip it through. This is why the people being targeted need to be made aware of these attacks, so that they can avoid falling victim to them.

Written By: Spencer Roth

Sources:

https://usa.kaspersky.com/about/press-releases/2019_cybercriminals-use-smartphone-calendars-to-distribute-scam-offers

https://www.infosecurity-magazine.com/news/criminals-try-to-schedule-spam-in-1/

Spam Email by Season

Everyone has seen and been pestered by spam email. Generally, these emails are easy to dismiss because they are offers that are too good to be true or their content does not pertain to us. However, attackers have started to realize that at a few specific times each year, people share a few common concerns. During the Christmas season, the concern is which gifts to buy and how to afford them. During tax season, everyone has some concern about handling their taxes properly and protecting their identity. Scammers are perfecting their attacks to take advantage of this.

Spam Methods

In 2019, the number of Black Friday scams exploded. Acknowledging the chaos and spending of Black Friday sales, attackers began to craft their own spam sales ads. Unlike the rest of the year, this spam is expected and even requested by consumers: Best Buy, Walmart, Target, and just about any large retailer you can think of email Black Friday sales ads. This makes it easy for spam email to hide among the influx of messages and get more clicks than at any other time of year. But just like other spam, the sender addresses and links in these emails can easily be spoofed, redirecting users to malicious sites designed to harvest credentials and payment information.

IRS scams are especially dangerous, and individuals need to be on the lookout for them. A successful scam can mean that the scammer has your Social Security Number and can open lines of credit in your name, or even file a false tax return in your name and direct a large refund to themselves. Instead of relying on the holiday season, these scams rely on fear of the IRS. Scam emails purporting to come from the IRS typically try to scare the reader, telling them that their Social Security Number is about to be deactivated unless it is confirmed. Scammers also like to tell recipients that they owe taxes and must submit payment immediately via gift cards or they will be arrested.

Spam Safety

For email, the rule is: do not click links in an email that you did not expect. This includes all Black Friday sales ads. Instead, manually navigate to the retailer's website. In the case of sales ads, most retailers post them directly on their website as well. This way, you know that the retailer in fact published the sales ad, and the links are ones they published for their own website.

While often much scarier than other scams, IRS scams are equally easy to avoid. The IRS has posted several guides on its website on avoiding scams. As far as spam goes, the IRS will not email or call as its first means of contact; before any direct contact, you will receive written notice in the mail. If you have received a suspect email, you can always contact the IRS directly through its contact page.

Written by: Andrew Olin

Sources and Further Reading

Tax Scams/Consumer Alerts

Black Friday Cyberattacks Just Soared 275%: Here’s What You Do Now

How to Avoid Black Friday Scams Online

Tasty Spam: Black Friday, Cyber Monday Phishing Scams

Overview and Thoughts on a New PayPal Scam

PayPal has been, and will continue to be, home to plenty of scams over the years. The latest is a good case study of a common SMS scam.

The scam begins with an SMS instructing the victim to click a link, supposedly because of a payment issue such as unauthorized transactions or some sort of account restriction. The link points to a cleverly chosen subdomain containing “paypal.com”, making the full link something like “paypal.com.phishing.com”. Though more obvious in a desktop browser, the link is long enough to appear cut off as “paypal.com” on a standard phone screen, which makes it well suited to this kind of phishing campaign. The site of course has its own TLS certificate, further reassuring victims with a comforting green padlock.
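The defensive check that catches this trick is to compare the brand name against the host's registrable domain rather than against the URL as a string. The following is an added example, not code from the original post: `BRANDS` and the stub `PUBLIC_SUFFIXES` set are constructed for illustration (a real deployment would load the organisation's brand list and the Public Suffix List), and it also handles the hyphenated variant of the same trick, which the post does not discuss.

```python
from urllib.parse import urlsplit

# Constructed brand list for the example; a real deployment loads its own.
BRANDS = {"paypal.com"}

# Stub public-suffix list (assumption: a real check uses the full Public
# Suffix List, e.g. via the publicsuffix2 package, not this handful).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host):
    """Return the registrable domain (eTLD+1) of a host name.

    'paypal.com.phishing.com' -> 'phishing.com'; 'a.example.co.uk' -> 'example.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def brand_impersonation(url):
    """Return the brand a URL's host impersonates, or None if it is genuine/unrelated.

    Only the host name is inspected: a brand string in the path or query is
    irrelevant, and a genuine subdomain of the brand (www.paypal.com) is fine.
    The host is flagged when a brand label appears in it but the registrable
    domain belongs to someone else, e.g. paypal.com.phishing.com or
    paypal-com-secure.example.co.uk (hyphens treated as label separators).
    """
    if "://" not in url:            # bare 'paypal.com.phishing.com/login' as seen in an SMS
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return None
    if registrable_domain(host) in BRANDS:
        return None                 # the brand itself or one of its real subdomains
    labels = host.replace("-", ".").split(".")
    for brand in BRANDS:
        if brand.split(".")[0] in labels:
            return brand
    return None


if __name__ == "__main__":
    for u in ("paypal.com.phishing.com/login", "https://www.paypal.com/signin",
              "http://paypal-com-secure.example.co.uk/", "https://example.com/paypal.com"):
        print(f"{u:45} -> {brand_impersonation(u)}")
```

The same check can be run over URLs extracted from SMS gateway or mail logs to flag messages worth a closer look before a user ever taps them.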

After this point the user is asked for progressively more personal details, including account credentials and their mother’s maiden name. The process is split over several pages, with artificial load times, presumably to increase the odds of the user going through with all of the questions. Hopefully by this point the user knows that they do not have to enter their credit card information just to see their PayPal account.

If they don’t know better, they never even get to their account: once the process has finished, the page redirects to the real paypal.com without logging them in. At this point the victim is presumably meant to assume some sort of technical issue and log into the real page.

As an added measure, the phishing site remembers the IP address of the victim, and if they open the link more than once, they are redirected to the real page immediately instead. Like the legitimate TLS certificate and the subdomain, this is one more technique to make the page appear legitimate. Even though many people will know better than to give all of the information asked for, plenty of people are still going to be tricked into at least giving their credentials if they do not take the time to read the full URL.

Phishing scams are common and will continue to be, but a reasonable prediction is that scams like these will increasingly occur over SMS, or at least be directed towards mobile devices. As users adopt MFA and other mobile-friendly usage and security practices, phones become a prime target because of the inherently fewer features and security suites that run on them. Smaller screens make subdomain fronting much easier, the padlock icon is larger and still trusted by many as the “secure” icon, and most online banking and social media users use their favorite services on mobile. As many users move from SMS to their favorite messaging apps, SMS becomes used more as an official channel for services than for friends, especially given the increased use of 2FA over SMS. This shift, along with the fact that checking for security is even less convenient on a mobile device, is enough to keep these kinds of scams going well into the future.

Citations

https://nakedsecurity.sophos.com/2020/02/05/paypal-sms-scams-dont-fall-for-them/

https://blog.knowbe4.com/another-sms-scam

https://static.makeuseof.com/wp-content/uploads/2018/08/paypal-phone-mobile-app-670×335.jpg