Tag Archives: phishing

06.22.17
by

Scam E-Mails: How To Tell

 

Recently PCMDX received a call from a business who’s bank account had been compromised.  Someone, using legitimate information, was able to gain access to the account and make transfers from the account to another account, and also made wire transfers to a third party.

The business had been told by the bank that their network had been hacked and that they should seek some help in securing their network, which is why they contacted PCMDX.  We focus providing network support for small businesses that have less than 15 computers, and one of our specialties is cybersecurity and compliance.

Although how the actors (the term used for the “bad guys” since they are “acting” as a legitimate party) were able to get the necessary information is still under investigation, it’s likely that it was given to them by one of the company officers via e-mail.

 

We recently received a scam e-mail and we’d like to share it with you so that you can learn how to determine if it’s a legitimate e-mail or not.  Please note:  If you’re not sure if the e-mail is legitimate, call the sender and ask them if they sent it, even if it passes all of the tests.  It’s better to be safe and verify authenticity than take a chance.

Here’s a screenshot of the e-mail we received, along with some notes (Click on the image for a full size view).  We blurred out information that is not relevant.

 

Let’s begin at the top.  The subject line “Please Read! (Final Warning) | 06/05/2017” sounds pretty threatening and will get your attention right away.  But it doesn’t indicate who it’s from or what it’s about.

If you look at Blue Arrow 1, you’ll see that it’s from “ACME account team”, followed by the e-mail address of “admin@MAIL.HAMILTONTN.GOV”.  (We’re going to use ACME as the alias for the name of the company).  So here you have two major clues that this is a scam.  First, the words ACME account team.  Any legitimate company will list themselves as ACME Account Team, with all words capitalized.  This is a major clue that this e-mail did not originate in the US (most scam e-mails are from overseas, where grammar is poor).

Our next clue is the e-mail address.  Although “admin” is legitimate, MAIL.HAMILTONTN.GOV is not.  That’s an e-mail server for the city of Hamilton, Tennessee.  It has a .gov domain ending, which can only be assigned to government entities, such as cities, counties, states and the federal government.  Why would ACME have this domain?  If it were a legitimate e-mail from ACME, it would end with something like ACME.com or ACME.net, not a .gov domain.

The body of the e-mail is actually very good, at least when it comes to scam e-mails.  It’s convincing, it has information in it that the typical person would consider to be legitimate.  However, as we get to the bottom, some red flags appear.

When you hover over a link (and the Blue Arrow 2 is pointing to two links, “Visit Help and Support” and “Login to My Account”), the bottom part of your browser, known as the status bar, will display the link that it’s pointing to, which we’re using the red arrow to point to.  In other words, when you click on the link, it’s taking you to the web site that is showing in the status bar.

This particular link is pointing to baltoo.com/ACME/index.php .   This should immediately sound an alarm with the person reading the e-mail.  The company that is sending this is ACME, but the domain it’s pointing to (the first part of the web address is always the domain) is baltoo.com .  Anything after the domain name is irrelevant, since that’s just the directory and folder inside the server it’s pointing to, and you can name that anything you want.  When you hover over the link, it should point to the company you’re trying to go to.  So it should read acme.com/Acme/index.php.

Once you click on the link, one of two things will happen.  Either you will be shown a very convincing site that is asking for your user name and password, or you will end up on poisoned site that will infect your computer with malware, such as a virus, a Trojan, or ransomware.  If it’s the former, you’ll enter the user name and password, and within minutes the actors will have gained access to your site (as they wanted to in this case), or perhaps gained information such as name, address, social security number, date of birth, etc. (under the guise of “verifying your identity”).

Recent studies have shown that firewalls, anti-virus programs, and other security software and hardware, although still crucial in preventing attacks, need to be supplemented by training of staff so they know what they should look for.  (That page also has a quiz you can take to see how much you know about phishing attacks – we scored 10/10.  How’s your score?).

Our companion site, Don’t Become Another Target lists dozens of examples of how companies, some billion dollar plus companies, were compromised not by technology, but by social engineering.  In other words, a con job either via e-mail or via phone.  Adequate training would have prevented many of the attacks.

If you’re a small business that doesn’t have an IT department, but would like IT level support, contact PCMDX today.  We’ll take care of your computer network and cybersecurity needs so you can take care of your business.  And don’t wait until you’ve been compromised.  The cleanup is much costlier than the prevention.

07.15.15
by

Can you be a target for a phishing scam? Take the quiz and find out.

What’s the easiest way to get into a locked building?  Use the key.  What’s the easiest way to get the key?  Get it from the person who has it.

Your network is a building, metaphorically speaking.  Each device (computer, printer, network attached storage, etc.) is a room in the building and each device is protected by a user name and password, or at least should be. The user name and password are the credentials of the device, and are the “keys” to the room.  Usually, in order to make our life simple, once we insert our key (user name/password) into the building (network), we’re granted access to the rooms (devices) our gatekeeper/keymaster (network administrator) has decided we can go into.

Because we’ve become more security conscious over the past few years (we don’t use the password “password” or “123456” anymore…do we?!), the bad guys (hackers) have become more sophisticated.  They use various methods to get the keys.  Some use social engineering.  Others use brute force attacks.  And still others prey on the lack of computer knowledge of network users.

The last group uses “phishing” expeditions in order to get the keys.  This is a play on words on “fishing expedition”.  On a fishing expedition, we go out and see how many fish we can catch.  We target our area, throw out the line, which has bait on it, and see what happens.

A phishing expedition is no different.  The bad guys send out hundreds of thousands of e-mails that have malicious content, and see how many take the bait.  Once the targets take the bait, it’s pretty much over with.  Some of the malicious payload may be a virus or Trojan that captures your “keys”.  Others may be ransomware that encrypt your hard drive and demand money in order for you to get access to your files again.  Regardless of the payload, it’s all bad, which is why we call it “malware”, “mal” being the Latin word for “bad”.

Phishing expeditions are not limited to just gaining access to work networks.  They can also be used to gain access to bank accounts, credit card accounts, or any other password protected site.

So how do you protect yourself or your company?  At PCMDX we take a multi-level approach.  Securing the perimeter is very important.  We use a firewall to do so.  This prevents the bad guys from simply walking into your network through an unlocked door.

We also protect all of your devices by using anti-malware software, applying patches and updates on a regular basis, and making sure there’s no vulnerabilities on the network, such as devices that have out-of-date firmware, or computers with out-of-date operating systems, such as Windows XP or Windows Server 2013

We also believe in training and education.  The more your users know about how to protect themselves, the easier our job is, and the more secure your network becomes.

Keeping your network secure is not a one-time thing.  It requires regular maintenance, and regular training.  Every time the good guys find a way to block the bad guys from gaining access to the network, the bad guys come up with new ways to break in.

Here is a test that you can take yourself or give to your staff to find out how much you and they know about phishing expeditions.  If you score below a 100%, give us a call so that we can begin to secure your business or network.

Phishing Quiz

PCMDX is based in Hoover, Alabama and serves businesses that have 15 computers or less in Alabama, Mississippi, Western Tennessee and the Florida Panhandle.  If you’re a merchant that takes credit cards, you’re required to be PCI Compliant and PCMDX can take care of all of your PCI Compliance needs.  If you’re a medical practice, you need to be HIPAA compliant, and our engineers are HIPAA specialists.

Call us today for your free consultation at 205-201-0389 or via e-mail at pcmdxal@gmail.com .