Tech Next Door Technology Solutions

Category Archives for Security Alerts

Meng Wanzhou, The Spanish Prison and the Human Firewall

The con went like this: There is a man, a very wealthy man, who is trapped in a Spanish prison under a false identity. I can't tell you his name as it would put him in great peril. I am his dear friend and he has entrusted me to retrieve some funds that would secure his escape. Unfortunately, getting to those funds and then getting them to Spain will incur some expense… a very small amount, I assure you, compared to the vast treasure that awaits. This man has promised one third of the treasure for the person who can help!

So goes one variation of the Spanish Prisoner confidence trick, popular in the late 19th century. The people have changed, the technology certainly has changed, but that old con, and ones like it, are still paying off in spades for fraudsters.

The stories have changed too. Remember the Nigerian Prince scam from around the turn of this century… the poster child of email fraud for the 2000s. And just this week many thousands received this imperative plea from Huawei’s CFO, Meng Wanzhou, who was arrested in Vancouver last week:

"Hello, I am MENG Wanzou. Currently, I have been detained by Canadian customs. I have limited use of my phone. Right now CIA is trying to get me into the hands of the US government. I bribed the guard of my room, and urgently need US$2000 to get out of here. Once I am out, I will reward you 200,000 shares of Huawei. I will be good on my word. if you are single, we can also discuss the important thing in life. The guard’s name is David, the account number is 52836153836252, swift 55789034. I will be good on my word."

Wow – a promise of riches and ‘marrying up’! We can only wonder who would fall for this type of scam these days. Fact is, the reason we still see these is because they still work. And while it is possible that you might see one of these ‘classics’ show up in your Inbox, the reality is that the Spanish Prisoner scam is all growed up now, and there is a good chance you won’t be able to identify the ones being delivered today.

The term phishing was coined 20 years ago to describe these attempts to defraud via electronic means. Phishing is a progressive game… the cyber criminals are always improving. From phishing we advanced to spear phishing, which is a semi-targeted attack. A good example of spear phishing is the UPS ‘There is a problem with your shipment’ email. The 999 out of a thousand people who did not ship anything with UPS this week simply delete the email without a second thought. But if you happen to be the 1 in a thousand who did ship something with UPS… well, you might just double-click that attachment without even considering it. It’s been around for at least a decade and still going strong.

Recently the term phishing got another promotion… to laser phishing. Using AI, bots can collect information about you and generate a surprisingly authentic email direct to YOU and only YOU. Often these emails come in the form of CEO Fraud, also called Business Email Compromise (BEC). When the attackers know so much about you, it adds a level of authenticity to the email that can really throw you off. After all, they know your name, your boss’s name, your emails, your title and responsibilities… perhaps your travel plans. I know of one local attack this year where the victim did not fully check the legitimacy of an email because the writer knew the travel plans of the boss. ‘Who else would know that?’ they thought. It was a mistake that cost the company over 100,000 US dollars.

How do they know this information? It’s child’s play. Social media is a huge vat of public information. Consider too the many hacks that have happened in recent years… Adobe, LinkedIn, Yahoo are a few of the big ones. Just last month Marriott gave up info on 500 million users. While the perps who orchestrate these attacks are elite hackers, all that information is then sold on the Dark Web to lower echelon hackers to do as they please.

Your privacy has gone public and practically anyone can buy the shares.

We need to assume criminals have your information and not be surprised when they use it to exploit you and your business.

The ‘Human Firewall’ has become the most important component of your business cyber security plan. If you are not taking staff training about cybercrime seriously, it’s time you did. Here are a few tips for your business to protect you against phishing scams.

  1. Have regular security training. When I do training, I ask who knows what ‘phishing’ is. I would expect today that every hand goes up… but it rarely does. Ask your IT provider or call Tech Next Door about regular training on cyber-security.
  2. Have a business class firewall with advanced malware protection. Attacks can often be stopped before even getting to your device.
  3. Have firm but straightforward policies on communication, especially regarding moving money. For smaller companies it can be as easy as ‘A sum greater than x dollars must be verbally authenticated by management/CEO’. For larger companies, analyze your policies and look for loopholes that can be exploited.
  4. Enforce complex passwords. A large number of attacks happen when cloud services with simple passwords are guessed (or when everyone in the company uses the same password).
  5. Have multiple data backups and make sure at least one of them is offsite.

Be resolved to not be a statistic in 2019 and make sure your business is protected with robust business class hardware, firm policies and committed staff training.

Joel LaRusic is Founder of Tech Next Door, an IT solutions and support firm dedicated to security-forward results. Small business is often low-hanging fruit for cyber-criminals. Joel and his team all share the same mantra – We’re sick and tired of people getting ripped off and now we are dedicated to protecting the vulnerable! 





Sextortion Scam with a Disturbing Twist

Online “sextortion” scams are nothing new. They claim to have information, pictures and/or video of you in a compromising situation and ask for a little hush money to keep it between ‘friends’. Lately though, there is a new twist that has many people doing a jaw drop and becoming very concerned. What causes this nervous reaction? The email contains a real password of the victim.

But how! Read on…

Here is how a common variety of the email reads:

I do know, [password removed], is your password. You do not know me and you’re most likely thinking why you are getting this e-mail, right?

In fact, I installed a malware on the adult video clips (porno) site and you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your web browser began operating as a RDP (Remote control Desktop) having a keylogger which provided me with access to your display and also web cam. Right after that, my software collected all of your contacts from your Messenger, FB, as well as email.

What exactly did I do?

I made a double-screen video. First part shows the video you were viewing (you’ve got a fine taste ; )), and second part displays the recording of your web camera.

What should you do?

Well, in my opinion, $1900 is a reasonable price for our little secret. You will make the payment through Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).

Note: You have one day to make the payment. (I have a unique pixel within this email, and right now I know that you have read through this email). If I do not receive the BitCoins, I will certainly send your video to all of your contacts including members of your family, coworkers, and many others. Nonetheless, if I do get paid, I will destroy the video immediately. If you want to have evidence, reply with “Yes!” and I will send out your video to your 8 friends. This is the non-negotiable offer, and so please do not waste my personal time and yours by responding to this email.

The password that was redacted in this email was an actual password that is used or was used by the victim. Obviously, this adds a level of authenticity that greatly increases the chance of a ‘sale’ for the cyber-criminal. The victim thinks ‘if they know my password the rest of the email must be true too’. And… if our sorry target was actually visiting adult sites on his computer, well, the deal is practically in the bag.

The good news is that, despite assurances that they know a lot about you, the reality is that all they know is that password. The rest is fiction.

How did they do it?

The big question… where did they get the password? How did they know? The most likely scenario is that the emails and passwords were harvested from well-known repositories on the Dark Web. Think about it… all these hacks you hear about on the news from companies who do business online; there have been some widely publicized hacks:

  • LinkedIn – 159 million emails stolen
  • Adobe – 152 million emails stolen
  • Myspace – 359 million emails stolen
  • Dropbox – 68 million emails stolen

These are just a few of the big ones, but the list goes on and on. The total number of emails and/or passwords stolen by hackers runs into the billions.

Infographic shows over 12 billion emails hacked and 687,000 in just the past week.

Often these emails become salable merchandise, purchased by minion hackers to use several tricks to extort money from unsuspecting people. One such trick is the sextortion described above. Another trick is to use the email and password to try to log into other online services. After all, most people use 3 or 4 passwords for up to dozens of online services!

Have your email and password been hacked?

One astute Microsoft employee, Troy Hunt, took it upon himself to compile a database of all the hacked passwords. Check it out and see if your email is in there.

https://haveibeenpwned.com/

Just type in one of your emails and click ‘pwned?’

If it shows up as hacked, make sure any passwords that go along with that email are fresh.

The same website has a list of all the hacked passwords.

https://haveibeenpwned.com/Passwords

Type in a password here to see if it is in the list (It’s OK to type in your password here, it is not saved). If it comes back saying that password is on the list then you should never use that password again on anything. So, if you are thinking about choosing a new password, why not check here first… if it is in the database, don’t use it!
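The password check described above can also be done without the password ever leaving your computer, because the service's range API accepts only the first five characters of the password's SHA-1 hash and returns every matching hash suffix with its breach count. The sketch below is an added example, not code from the original article or from the site; the function names are hypothetical and the sample response lines are constructed for illustration.

```python
import hashlib
import urllib.request

# Public range endpoint of the Pwned Passwords service.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed decoy lines in the response format "SUFFIX:COUNT" (not real data).
CONSTRUCTED_DECOYS = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:12\r\n"
)


def split_hash(password):
    """SHA-1 the password; return (5-char prefix, 35-char suffix), uppercase hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body, suffix):
    """Return the breach count for our suffix, or 0 if it is not listed."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def fetch_range(prefix):
    """Network call: only the 5-character hash prefix is sent."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Look up a password; the suffix comparison happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix), suffix)


def offline_demo():
    """Run the check against a constructed response and record what was 'sent'."""
    sent = []
    _, suffix = split_hash("password")
    body = CONSTRUCTED_DECOYS + suffix + ":42\r\n"  # 42 is a made-up count

    def fake_fetch(prefix):
        sent.append(prefix)
        return body

    listed = pwned_count("password", fake_fetch)
    unlisted = pwned_count("x9!Tq-unlisted", fake_fetch)
    return listed, unlisted, sent


if __name__ == "__main__":
    print(offline_demo())
```

Calling `pwned_count("your candidate password")` with the default `fetch` performs the real lookup; any result above zero means the password appears in the breach list and should not be used.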

Lessons

Is it important to use unique passwords?

A resounding YES. It is a challenge to keep track of them all, so our recommendation is to use a password manager like Roboform (https://www.roboform.com). Then you need to remember only 1 master password and all the others are saved in the program, which is accessible via your computer, your phone/tablet or any Internet-connected computer.

Keep your passwords fresh. New hacks happen all the time and that password that you have been using for a couple of years may have been hacked by now. Switch it up!

Tech Next Door – We’re sick and tired of people getting ripped off and now we are dedicated to protecting the vulnerable.

 

If you think browsing in ‘Private Mode’ is really private… think again!

All of the major browsers have a feature that provides greater privacy.

  • Internet Explorer and Edge browser call it 'InPrivate Browsing'
  • Chrome calls it 'Incognito'
  • Firefox calls it 'Private Browsing'
  • Safari calls it a 'Private Window'

Millions use these features for greater privacy; however, a recent report by DuckDuckGo found that very, very few understand the technology, and most were shocked when they found out how little protection it affords.

Privacy features, such as those described above, do enable web browsing that clears browsing history and file cache after use... but only on your computer. Websites, search engines, internet service providers, and governments can still easily track you across the web. Since most people are really not that concerned about what is on their own computer (unless you are using a public computer), these incognito modes are really doing nothing for your privacy... except maybe giving you a false sense of security.

Note these key findings of the DuckDuckGo report:

76% of the 5710 people surveyed were unable to accurately identify the benefits of Private Browsing. In fact about:

  • 40% thought that it prevented websites from tracking them on the Internet.
  • 40% thought that it prevented ads from tracking them
  • 35% thought that it prevented search engines from knowing about their searches

Clearly there is a huge gap in what is provided with 'Private Browsing' and what people think is provided!

This gap is further identified by this statistic from the survey:

65% of the respondents reported feeling “Surprised”, “Misled,” “Confused,” or “Vulnerable” upon learning about the limitations of Private Browsing.

Tech Next Door is here to protect the vulnerable. We are not opposed to Private Browsing but think people need to understand its limitations. If you use Private Browsing on your computer and were surprised to learn that the amount of privacy provided is actually very poor, then here are a couple of tips.

  • Use a search engine like DuckDuckGo.com that does not track anything. There is also a DuckDuckGo extension for Chrome and Firefox to provide more robust privacy features.
  • Firefox has taken steps to improve its privacy features to include protection against tracking from ads and other websites.
  • There are other browsers that offer far better privacy than the big 4 mentioned in this article. In a coming article we will consider a few of them.

Reboot Your Router!

Last week it was announced by Talos Intelligence, a leading cyber security intelligence organization, that a sophisticated new type of malware was infecting certain WiFi routers. It is called 'VPNFilter' and it can collect information, block network traffic and exploit devices on your network. Apparently it also has a 'self-destruct' command that renders your router useless. The report suggests up to 500,000 routers are affected. Here is what you need to know.

To cut to the chase, reboot your router. This malware resides in the router's memory, so rebooting clears that memory. The FBI have shut down the web domain responsible for controlling the virus, so you will not be reinfected after the clean boot of the router. True, only certain routers are infected, but since the fix is so easy we would suggest just rebooting.

How easy is rebooting your router? The hardest part for some might be identifying the router. For most home users it will be the box provided by your Internet Service Provider. Simply unplug it, wait about 10 seconds, and re-plug it in. That's it!

For businesses, you too may have a modem/router from your ISP or you may have a third-party router. Check with your IT provider if you are not sure.

To protect against this and future attacks on routers, we strongly recommend making sure your computer operating system, applications and network devices such as routers are all on the latest firmware version available. If you need help, just call Tech Next Door.