Avoiding Cyber Security Threats: 2019

With so much having changed, most people would say that computer security must be very technical and complex. However, the most important things are actually simple enough to deal with.

In this post we will examine and explain strategies to reduce the chance of becoming a target – or at least limit the damage that a successful attack might cause.

One of the greatest enablers of cyber attacks is human behaviour. Even the latest, strongest security will not protect you if you “open the door” and let the criminal in. It is important to know what cyber threats are, how to spot a potential attack, and how you can protect yourself.

Basic Rule: Be vigilant and cautious – always! Stop and think before you click on links in emails, before you call unknown phone numbers, before installing new programs, and before you enter passwords.

Email Security

A large number of attacks originate from links in what appear to be legitimate email messages. One precaution is to always check an unknown link in an email with a trusted online URL reputation checker. Three reputable sources for link/URL checking are Norton SafeWeb, Google Transparency Report and URLVoid. Such tools analyse a link for security issues and alert you if it will direct you to a compromised website, malware, ransomware, or other possible risks.

To check any links for known Phishing Attacks, use the tool available at PhishTank and enter the link to see if it is listed as a known phishing attack. PhishTank is a free community site where anyone can submit, verify, track and share information about phishing data and attacks.

Note that such tools will not catch 100% of risky link destinations. However, they will flag most known risks, because the three reputation tools mentioned are constantly updated with new threat information, both from research and as reported by other Internet users.

The danger of Email Links: Phishing

Phishing is the term used to describe emails you receive with a link to a fake website (the bait that lures you there). Once you click the link, you are tricked into giving out sensitive personal information. As an example, a baited link might take you to a fake site that looks like PayPal or your bank, and you might then sign in with your username and password. The fake website has now captured your login information. A well thought out fake website may even redirect you to the real site after you have signed in to the fake one. You may be none the wiser if the fake website is made to look “genuine”.

For an updated list of known phishing alerts, please check out FraudWatch International’s page.

In the case of a suspect email with a link, hover the mouse over the link and the actual (real) address will be shown, either next to the link or in the mail client’s status bar (see the real examples below). You can also copy and paste the link address into one of the link checker tools above, open in a browser. This lets you see whether the link has any unusual spelling, as well as getting back a reputation report.

Fake lure to obtain St.George personal details

The actual email above is asking me to log on to my St.George Online Banking account. I have highlighted (in red) three areas that indicate this email is fake (spam). Note the URL at the bottom: https://business-sharp.com/St.George/login.htm
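The two manual checks described above (read the real address behind a link, then look for a brand name sitting in the path or a subdomain rather than in the real domain) can be automated. The following is an added example written for this post, not code from the original article or from any of the tools it names: the sample email body is constructed to resemble the St.George lure, and the BRAND_DOMAINS mapping is an assumption that a user would fill in from the bank’s own site.

```python
"""Flag deceptive links in an HTML email body.

Added example; not code from the original post. It automates the checks the
post describes by hand: read the real href behind each link, compare it with
the text shown to the reader, and look for a brand name that appears in the
path or a subdomain rather than in the registered domain. The sample email
body and the BRAND_DOMAINS mapping are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping: brand keyword -> domains the brand actually uses.
# (Assumption for the example; confirm real domains from the bank's own site.)
BRAND_DOMAINS = {
    "stgeorge": {"stgeorge.com.au"},
    "paypal": {"paypal.com"},
}

# Constructed sample body modelled on the St.George lure shown in the post.
SAMPLE_EMAIL = """
<html><body>
<p>Your St.George account has been limited. Please
<a href="https://business-sharp.com/St.George/login.htm">log on to St.George Online Banking</a>
to restore access.</p>
<p>Questions? Visit <a href="https://www.stgeorge.com.au/">St.George</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL or bare domain ('' if none), lower-cased."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registered_domain(host):
    """Crude registered domain: last two labels, or three for 'com.au'-style suffixes."""
    labels = host.split(".")
    if (len(labels) >= 3 and labels[-2] in {"com", "net", "org", "gov", "edu"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(href, shown_text):
    """Return the reasons a link looks deceptive (an empty list means none found)."""
    reasons = []
    real_host = host_of(href)
    # Only treat the visible text as an address when it is written like one.
    shown = shown_text.lower()
    shown_host = host_of(shown) if shown.startswith(("http://", "https://", "www.")) else ""
    if shown_host and registered_domain(shown_host) != registered_domain(real_host):
        reasons.append(f"displayed as {shown_host} but actually goes to {real_host}")
    # Brand names written as 'St.George' or 'PayPal' are matched with dots and case removed.
    haystack = (href + " " + shown_text).lower().replace(".", "")
    for brand, good_domains in BRAND_DOMAINS.items():
        if brand in haystack and registered_domain(real_host) not in good_domains:
            reasons.append(f"mentions {brand} but {real_host} is not a known {brand} domain")
    return reasons


def scan_email(html_body):
    """Map each flagged href in the email body to its list of reasons."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample body, the business-sharp.com link is flagged because it mentions St.George while its registered domain is not one the bank uses, and the genuine stgeorge.com.au link passes. The registered-domain helper is deliberately crude (it knows only the common second-level suffixes); a production filter would use a public suffix list.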

Now, as an exercise, let us check that last “dodgy looking” URL on each of the three online URL reputation tools mentioned above:

1) Using Norton SafeWeb Report

Norton URL Report for the link

The only helpful spam clue Norton gave was that the web site is located in Romania (a known risky region).

2) Using Google Transparency Report

Google Transparency Report for the link

Clearly, Google knows the link (domain) has a bad reputation. Note the “Try to trick visitors into sharing personal info or downloading software” report line.

3) Using URLVoid Report

URLVoid report for the link

Two detected warnings. Let us expand the second one (Fortinet) and learn more.

FortiNet (FortiGuard) report from URLVoid warning

So after reading the three reports on the suspect link, you can be relieved and confident that you have avoided an email bait trap! Practise the discipline of always checking links, and read on below about how emails can be made to look genuine and yet hide a destructive payload.

Once you have seen these real-life examples, which were actually sent to me, you can train yourself to recognize the fake actors and save a lot of pain and money.

Extortion Phishing: Ransom Demands

Extortion phishing ransom demand emails are on the rise. There are several variations of this “ransom demand” email scam, each attempting to blackmail its target.

The common thread of these attacks is a threat to expose the victim using sensitive, often deeply personal and embarrassing “video footage”. The emails threaten to expose the victim unless a ransom payment is made in bitcoin.

Ransom Demand Threat Email

To further frighten the poor victim (you), the ransom demand often refers to an old email account password obtained on the dark web. The cyber-criminal informs the victim that their account and passwords have been hacked and shows that password in the email content.

The account passwords usually come from a compromised service whose data the original hackers have displayed or sold on the dark web. In most real-life cases the displayed password was up to ten years old.

How? Many of the world’s big online services, from LinkedIn to Adobe, have at some time been compromised (security breaches) and had passwords “leaked” onto the internet. You can buy these lists on the darker parts of the internet.

In 2017, Yahoo admitted that it had data breaches that compromised 3 billion accounts. Other major breaches involved Marriott International (500 million customers), LinkedIn (164 million), Adobe (153 million), eBay (145 million), Sony’s PlayStation Network (77 million), Uber (57 million) and Ashley Madison (31 million).

Sources of leaked (old) passwords

In most cases the credentials are very outdated (years old); however, anyone still using one of those old passwords could be fooled. Such recipients should change the password immediately if it is still in use. Do consider using multi-factor authentication for sensitive accounts!

Someone is attempting to blackmail me! Help?

You need to realize that these scams and tactics are all fake: the cyber-criminals do not have any of the stated incriminating or personal information to use against you. They are using your fear and paranoia to extract a ransom from you.

This should act as a reminder to be careful about how you use data that is being stored or shared online that could be used against you.

Important Rule #1: Change your password at least once per year (not too often)! Use strong passwords, store them in a password manager, and turn on multi-factor authentication everywhere you can.

The key times when you should change a password:

  • After an internet-based service discloses a security incident (breach).
  • You see evidence of unauthorized access to your account.
  • There is evidence of malware or some other compromise of your device.
  • In the past you shared access to an account with someone else and they no longer use or need the login.
  • You logged in to one of your accounts on a shared or public computer (such as at the library or a hotel with WiFi).
  • It has been a year or more since you last changed the password, and especially if you do not use multi-factor authentication.

In the above cases, changing your password is a smart precautionary step. A new password will ensure that someone cannot abuse your account – even if they have the old password.

Be aware of any Security Breaches

If you do business with a supplier or have an account on any website that has been impacted by a security breach, find out what information the hackers accessed and change your password immediately.

The danger of Email Attachments: Embedded Nasties

Like phishing email attacks, emails can carry embedded attachments with a hostile payload. Attachments are included in an email body as a link, and normally when you click the link the attachment will open and ask you how you would like to view or execute the contents.

Always be suspicious if you receive an email with an attachment you are not expecting. The next step is to check the content and source of the email. Does the sender’s email address match the sender’s name? Is the sender someone you recognize and trust?

Note that NO file extension is automatically safe (by default), whether received by email or offered for download via a web link. Some email clients, and Windows itself, hide known file extensions, so what is allegedly an image file may have a hidden “.exe” extension, which makes it an executable file.

With risky attachments in an email, the default Windows 10 Defender security protection will normally prevent you from opening a hostile attachment. Even with this protection it is still good practice to study an attachment carefully before acting on it.
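The hidden-extension problem described above is easy to see in code. The following is an added example written for this post, not code from the original article or from Windows Defender: it shows what a name such as “holiday_photo.jpg.exe” looks like when known extensions are hidden, and flags attachment names whose real extension is executable. The extension sets are commonly cited lists (an assumption, not exhaustive) and the sample names are constructed.

```python
"""Flag risky email attachment names.

Added example; not code from the original post. It applies the post's point
that no file extension is safe by default and that a hidden extension can
disguise an executable as an image or document. The extension sets are
commonly cited lists, not exhaustive, and the sample names are constructed.
"""
import os

# Extensions Windows runs directly when the file is opened (not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".msi", ".jar", ".lnk", ".ps1",
}
# Extensions most readers regard as harmless content.
CONTENT_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx",
    ".xls", ".xlsx", ".ppt", ".pptx", ".zip",
}


def displayed_name(name):
    """The name as a file browser that hides known extensions would show it."""
    base, ext = os.path.splitext(name)
    known = EXECUTABLE_EXTENSIONS | CONTENT_EXTENSIONS
    return base if ext.lower() in known else name


def attachment_risks(name):
    """Return the reasons an attachment name looks risky (empty list if none)."""
    reasons = []
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension {ext} is executable")
        # A second, content-looking extension in front of the real one is the
        # classic disguise: with extensions hidden the reader sees only the base.
        inner = os.path.splitext(base)[1].lower()
        if inner in CONTENT_EXTENSIONS:
            reasons.append(f"double extension: with extensions hidden it shows as {base}")
    return reasons


# Constructed sample attachment names.
SAMPLE_NAMES = ["holiday_photo.jpg", "holiday_photo.jpg.exe", "statement.pdf.scr"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r} shown as {displayed_name(name)!r}: {attachment_risks(name) or 'no flags'}")
```

Note that this check works only on the name; a harmless-looking extension on a file that is really something else is caught by content inspection (which Defender performs), not by this kind of test.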

Two basic rules about dangers with email attachments

Rule #1

The email may appear to be from a harmless source with a very general title, but the attachment may contain offensive or upsetting material.

Rule #2

The email attachment may be a harmful virus, malware or a malicious ransom threat trap, and by opening the attachment it will become active on the computer.

Email with suspect embedded attachment

Email with an attachment that is a link to an unknown site

Keep all your devices updated

A lot of new malicious software takes advantage of known bugs to attack your computers and the other devices you connect with. Operating system and device vendors release patches and updates from time to time. Part of the reason for Microsoft’s somewhat strict update policy in Windows 10 is keeping your system secure.

For example, Windows 10 Home is permanently set to download all updates automatically, including cumulative updates, security patches, and drivers. That may seem excessive, but I can see the merit of better security for most Windows 10 “Home” users. Business editions of Windows 10 allow “administrators” to exercise some control over when updates are installed (deferred).

Installing updates immediately after they are released offers the best protection and fail-safe; deferring updates makes it possible to minimize unscheduled downtime associated with those updates.

Choosing when to install updates involves a trade-off

Managing Updates

The most important security setting for any Windows 10 computer is ensuring that updates are being installed on a regular, predictable schedule. This is true of all modern computing devices, of course, but the “Windows as a service” model that Microsoft introduced with Windows 10 does change the way we manage updates.

With patches and updates installed, your software, computers and other devices are at least free from known bugs and, as a result, avoid the cyber-attacks that exploit them. Known security issues or weaknesses are often exploited by malware or hackers.

Social Media

Keep your personal and private information locked down with strong passwords and, if possible, consider using two-factor authentication. Social engineering cyber-criminals can piece together your personal information from just a few data points, so the less personal identity information you share publicly, the better.

Cyber-crime in Australia

The principal threat to Australia from cyber-crime is from overseas. Cyber-criminals who are impacting victims in Australia generally work together even though they may live in different countries or even different continents.

The principal place in Australia to report a possible cyber-crime is SCAMwatch; the site also reports currently known scams. You will be able to report the matter and receive information on it, along with any options that may be available. Note: SCAMwatch does not provide legal advice.

The Australian Government ACSC website provides additional resources on how to protect yourself online and also allows you to report a cyber-crime scam event.