phishing

Article 07.21.2022 Dean Dorton

Let’s start with the basics: What is ‘callback phishing’?

Callback phishing is a specific type of cyber security email threat. In this type of phishing attack the cyber criminal impersonates a business and claims that a transaction has been made using the recipient’s information (credit card, bank account numbers, address, etc.). The attacker then tries to entice the recipient to ‘confirm’ the fake transaction by calling a fictional customer support line or by submitting confidential information to validate the transaction. These attacks aim to collect specific, sensitive information from the recipient, such as credit card numbers and bank account information.

Dean Dorton’s Cyber Security Team has observed callback phishing attacks that impersonate PayPal, McAfee, CrowdStrike, etc., but there are countless companies that could be impersonated in this type of attack and attacks of this nature are on the rise.

Below are two examples of callback phishing attacks:

PayPal Callback Phishing Example:

https://deandorton.com/wp-content/uploads/2022/07/Callback-phishing-image-1.png

CrowdStrike Callback Phishing Example:

https://deandorton.com/wp-content/uploads/2022/07/callback-phishing-example-2.png

Callback phishing emails are unique in the way they often bypass email filters. Since they do not include malicious links or attachments with malware, email filters typically won’t catch them, so it’s important to be able to spot the general warning signs on your own.

Dean Dorton’s Cyber Security Team has a few tips to help you spot this kind of cyber attack:

  1. Review the sender. Ensure that the email is actually from the company it purports to be from. Even email addresses can be spoofed, so this is not foolproof, but it is a great first step in the investigation process. For example, the PayPal email shown above was sent from a personal Gmail address.
  2. Ask yourself, what does this email want me to do? If the language in the email is trying to convince you to do something (especially if it insinuates urgency), that is a red flag! In the examples above, the cyber criminal is trying to convince you to ‘call back’, but in other cases they may try to convince you to click a fraudulent link. Be diligent before clicking any links within emails, and do not call phone numbers that you can’t identify.
  3. If you are skeptical, ask for help. If, after the initial investigation, you are still not sure, contact your IT team to do some further digging. Remember, causing a false alarm is much better than setting off a real one!

Dean Dorton’s Technology team is here to help. If you have questions about ‘callback phishing’ attacks, or want to discuss how we can help protect your business with cyber security services, contact us today.


Cyber Security Services

Jordan Johnson
Cyber Security Consultant
jjohnson@ddaftech.com • 859.425.7659


Article 06.3.2022 Dean Dorton

Phishing attacks have been occurring for years. You know the story: a threat actor attempts to trick an unsuspecting user into clicking a link or malicious attachment that installs malware, or directs them to a malicious domain that attempts to harvest email credentials or further penetrate their device. The tactic is still common because, unfortunately, it still works. But as more organizations rely on stronger email filtering solutions and better end-user awareness training programs, they are less susceptible to some of these basic attacks. Enter the evolution of more sophisticated and clever tactics.

“But this domain is safe!”

Threat actors are utilizing clever strategies to attempt to bypass even the best email filters. One such strategy is using common, legitimate domains to host a link to their malicious site or attachment. These domains could be Google Drive, ShareFile, OneDrive, Box, Dropbox, Adobe InDesign, etc. On the surface, these services are legitimate and offer users ways to quickly share files with one another. This is why most reputation-based scanning used within email filters will often not categorize the initial link as malicious: on its own, it is not. The following screenshots provide an excellent example of this in action.

Initial Email Example:

https://deandorton.com/wp-content/uploads/2022/05/1.png

In this example, a threat actor gained unauthorized access to the account of a sender the recipient trusted. They then sent this email, which included a link to open a document. Because it came from a trusted sender, the recipient opened the file; they had no reason to assume that the link was malicious. The link then led to the following:

Ind.adobe.com site hosting the malicious file:

https://deandorton.com/wp-content/uploads/2022/05/2.png

In our example, once the user proceeded to this point, they realized something was off and reported the email to the IT team; however, if they had proceeded on to the next step, they would have received the following:

Malicious Site:

https://deandorton.com/wp-content/uploads/2022/05/3.png

There it is! The true purpose of the email was to harvest email credentials. An unsuspecting user could have been successfully phished here, and it was all because the initial link was hosted by a legitimate service. This is not the only variety of these types of emails and certainly will not be the last, so that leaves us with more questions.

So what can we do?

There are a few different strategies that can help protect against phishing attacks:

  1. Never assume that an email is safe just because it came from a trusted sender that you communicate with regularly. Threat actors are engaging in reply-chain attacks, where they gain unauthorized access to an account and then start replying to emails posing as the hacked user. When in doubt, contact the sender out-of-band (a phone call, preferably) to verify the email.
  2. Make end-user awareness training a priority. An end user is any organization’s first line of defense! A well-trained staff can bring attacks to a halt. Ensure that your users are provided with regular security training and that they are informed of the latest threats. Ensure that they are trained to review the address bar of any site that asks them for email credentials. If it’s not a Microsoft (or whatever email system you may be using) domain, that is a red flag. It is also helpful to periodically test the effectiveness of the training by sending out phishing simulations.
  3. Utilize multi-factor authentication (MFA). In any particular scenario, even if a threat actor was able to harvest email credentials, they would not be able to perform any actions on objectives if multi-factor authentication was enabled for the account. It is a cybersecurity best practice to ensure that MFA is enabled on all externally facing systems, with email being one of the highest priorities.
  4. Block uncategorized websites in your web filtering solution and/or firewall. Threat actors spin up thousands of domains per day, and these are often categorized as “uncategorized,” meaning filtering solutions are not sure whether they are malicious or not. Blocking these outright could help stop attacks in which the malicious site is uncategorized.

If any of the tips above have given you pause and you would like to know where your security posture stands, please contact Dean Dorton’s team of cybersecurity professionals for assistance.

Jordan Johnson
Cyber Security Consultant
jjohnson@ddaftech.com • 859.425.7659


Article 10.7.2019 Dean Dorton

For small businesses, the result of a cyber incident can be disastrous. While larger organizations and enterprises may be able to absorb the monetary costs and reputational damage caused by a cyber incident, most smaller businesses cannot.

“The National Cyber Security Alliance has recently released statistics that show 20% of small businesses experience such an attack every year, and that 60% of these businesses were forced to close within six months of being hacked.”[1]

Cybersecurity risks are constantly evolving as organizations adopt new technology (such as cloud services) and cyber criminals adopt new tactics, techniques, and procedures (TTPs). The construction industry doesn’t have the same regulatory and compliance requirements pertaining to cybersecurity that other industries—such as the financial and healthcare sectors—have, yet they face the same threats. For this reason, it is imperative for the construction industry to focus on cybersecurity risks to avoid becoming the next victim of cybercrime.

How a Cybersecurity Attack Can Impact Construction Companies

Today, construction companies transmit and store the kinds of sensitive data that cyber criminals target most. Employee and project information, contracts, financial data, and planning tools are all at risk — yet the industry remains behind the curve in bolstering cyber security measures compared to other industries. 

What’s more, the move to an increasingly remote workforce with more devices in play has exposed gaps in networks that cyber criminals are all too happy to exploit. And as the industry continues to embrace the Internet of Things (IoT) and leverage artificial intelligence technologies, their potential attack surface also continues to expand.

Cyber criminals most often seek financial gain from an attack via ransomware. But there are additional, deeper impacts of a cyber attack as well:

  • Downtime: Deadlines aren’t made to be broken. An interruption in business due to a technology disruption can cost a company days or even weeks it can’t afford in reduced or even lost productivity.
  • Breach of project IP: Loss of privileged contracts, proprietary designs, schematics, and confidential blueprints can lead not only to huge financial losses but also to irreparable damage to reputation.
  • Loss of bid information: Forfeiting leverage in the upfront process can result in losing competitive advantage, as well as the job itself.
  • Equipment damage: It’s a concern for equipment off and on site. Servers, devices, and key computing hardware are costly to repair or replace. And compromised on-site equipment can lead to significant physical damage to nearby structures and the equipment itself.
  • Workforce injuries: Protecting the most valuable asset is paramount. A security breach or system failure that allows autonomous equipment to be compromised puts the safety of workers — and civilians — at significant risk.

There are many ways that cybercriminals (also known as threat actors) can compromise confidential information in an organization. Below, we’ll address three of the most common vectors for a successful cyber attack.

Common Cybersecurity Threats for Construction Companies:

Spear Phishing

One of the most common techniques, “spear phishing is an email targeted at a specific individual or department within an organization that appears to be from a trusted source. It’s actually cybercriminals attempting to steal confidential information. A whopping 91% of cyberattacks and the resulting data breach begin with a spear phishing email, according to research from security software firm Trend Micro. This conclusively shows that users really are the weak link in IT security.”[2]

Often, threat actors will employ the use of malicious file attachments when conducting these types of attacks. “There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spear phishing email usually tries to give a plausible reason to open the file, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.”[3]

Password Spraying

This technique “uses one password (e.g. Password01), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.”[4] For instance, from September 2018 through February 2019, Proofpoint conducted a six-month study that analyzed over 100,000 unauthorized logins across millions of monitored cloud user accounts.

“The company found that 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, while 25 percent were successfully breached in this manner. Proofpoint noted that the number of IMAP-based password-spraying attacks jumped up following the December 2018 publishing of the Collection #1 data dump that exposed nearly 773 million unique emails and 21 million unique passwords.”[5]
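The pattern described above (one password tried against many accounts, so that no single account crosses a lockout threshold) is exactly what a detection rule should key on: per source, many distinct accounts failing with only a handful of failures each. The following Python is an added example written for this page; it is not code from Dean Dorton, MITRE, or Proofpoint. The log line format, the log lines themselves, and the thresholds (10 accounts in 30 minutes, at most 3 failures per account) are constructed assumptions to be tuned per environment.

```python
"""Detect password-spraying patterns in authentication logs (added example).

Classic brute force hammers one account with many passwords; spraying touches
MANY accounts with one or two passwords. So the signal is a single source that
produces failures for many distinct users while each user sees only a few.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical key=value format, not any real product's).
# 203.0.113.7 sprays twelve accounts once each, then succeeds against one.
# 198.51.100.9 is a normal user mistyping a password twice.
# 192.0.2.44 is classic brute force on one account (lockout policy handles it).
SAMPLE_LOG = """\
2019-09-12T03:14:05Z result=fail user=alice src=203.0.113.7 proto=IMAP
2019-09-12T03:14:09Z result=fail user=bob src=203.0.113.7 proto=IMAP
2019-09-12T03:14:13Z result=fail user=carol src=203.0.113.7 proto=IMAP
2019-09-12T03:14:17Z result=fail user=dave src=203.0.113.7 proto=IMAP
2019-09-12T03:14:21Z result=fail user=erin src=203.0.113.7 proto=IMAP
2019-09-12T03:14:25Z result=fail user=frank src=203.0.113.7 proto=IMAP
2019-09-12T03:14:29Z result=fail user=grace src=203.0.113.7 proto=IMAP
2019-09-12T03:14:33Z result=fail user=heidi src=203.0.113.7 proto=IMAP
2019-09-12T03:14:37Z result=fail user=ivan src=203.0.113.7 proto=IMAP
2019-09-12T03:14:41Z result=fail user=judy src=203.0.113.7 proto=IMAP
2019-09-12T03:14:45Z result=fail user=karl src=203.0.113.7 proto=IMAP
2019-09-12T03:14:49Z result=fail user=lima src=203.0.113.7 proto=IMAP
2019-09-12T03:14:53Z result=success user=mallory src=203.0.113.7 proto=IMAP
2019-09-12T08:02:10Z result=fail user=carol src=198.51.100.9 proto=OWA
2019-09-12T08:02:30Z result=fail user=carol src=198.51.100.9 proto=OWA
2019-09-12T08:02:55Z result=success user=carol src=198.51.100.9 proto=OWA
2019-09-12T11:40:00Z result=fail user=dave src=192.0.2.44 proto=IMAP
2019-09-12T11:40:02Z result=fail user=dave src=192.0.2.44 proto=IMAP
2019-09-12T11:40:04Z result=fail user=dave src=192.0.2.44 proto=IMAP
2019-09-12T11:40:06Z result=fail user=dave src=192.0.2.44 proto=IMAP
2019-09-12T11:40:08Z result=fail user=dave src=192.0.2.44 proto=IMAP
2019-09-12T11:40:10Z result=fail user=dave src=192.0.2.44 proto=IMAP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Turn the raw log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_spraying(events, window=timedelta(minutes=30),
                    min_accounts=10, max_per_account=3):
    """Return {src: finding} for sources whose failures in any `window` hit
    at least `min_accounts` distinct users with no user failing more than
    `max_per_account` times. `succeeded` lists users that logged in from the
    same source inside that window: the accounts to reset first."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # sliding window per source
            fails = defaultdict(int)
            successes = set()
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                if ev["result"] == "fail":
                    fails[ev["user"]] += 1
                elif ev["result"] == "success":
                    successes.add(ev["user"])
            if fails and len(fails) >= min_accounts \
                    and max(fails.values()) <= max_per_account:
                findings[src] = {
                    "window_start": first["ts"],
                    "accounts": len(fails),
                    "max_failures_per_account": max(fails.values()),
                    "succeeded": sorted(successes),
                }
                break                              # one finding per source
    return findings


if __name__ == "__main__":
    for src, f in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['accounts']} accounts, max {f['max_failures_per_account']} "
              f"failure(s) each, successes: {f['succeeded']}")
```

Because the threshold is per source rather than per account, the rule stays quiet for the single-account brute force and the fumbled legitimate login, and it reports the one account the sprayer actually got into. In practice the source key should also cover the IMAP/legacy-protocol dimension the article mentions, since disabling those protocols removes the path this traffic takes.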

Exploiting Vulnerabilities in Unpatched Software

“Earlier this year, the National Security Agency urged organizations to ensure that they are using patched and updated systems in the face of growing threats. The vulnerability is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable.”[6]

How Construction Companies Can Mitigate Cybersecurity Risks

Dean Dorton recommends that organizations consider the following to identify their risks and enhance their cybersecurity preparedness:

  • Identify where your valuable information is stored (on your internal network and the cloud)
  • Develop policies, procedures, and standards pertaining to cybersecurity
  • Adopt a cybersecurity control framework
  • Develop a cybersecurity incident response plan
  • Secure your backups; also, test your backups to ensure they work correctly upon use
  • Disable legacy authentication protocols (such as IMAP)
  • Enforce two-factor authentication (2FA), also referred to as multi-factor authentication (MFA)
  • Update and patch your computers. Vulnerable operating systems and third-party applications are often targeted by threat actors. You should ensure that your operating systems and third-party applications are updated with the latest updates.
  • Train your organization. “Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails.”[7]
  • Perform regular cybersecurity assessments and penetration tests against the network—no less than once a year. Ideally, run these as often as is possible and practical. Dean Dorton can perform these tests for you.

Dean Dorton’s Information Security Office (ISO) provides a team of experienced information security professionals who can augment your organization’s information security team or take the lead in designing, implementing, and maintaining a strong information security program on your behalf.

[1] https://www.csoonline.com/article/3437777/how-a-small-business-should-respond-to-a-hack.html
[2] https://www.knowbe4.com/spear-phishing/
[3] https://attack.mitre.org/techniques/T1193/
[4] https://attack.mitre.org/techniques/T1110/
[5] https://www.scmagazine.com/home/security-news/password-spraying-attacks-abuse-imap-to-break-into-targets-cloud-accounts/
[6] https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/
[7] https://www.us-cert.gov/ncas/tips/ST19-001


Article 09.1.2017 Dean Dorton

The Internal Revenue Service warned people to avoid a new phishing scheme that impersonates the IRS and the FBI as part of a ransomware scam to take computer data hostage.

The IRS said: “The scam email uses the emblems of both the IRS and the Federal Bureau of Investigation. It tries to entice users to select a ‘here’ link to download a fake FBI questionnaire. Instead, the link downloads a certain type of malware called ransomware that prevents users from accessing data stored on their device unless they pay money to the scammers.”

“This is a new twist on an old scheme. People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”

John Koskinen, IRS Commissioner


Article 07.10.2017 Dean Dorton

There never seems to be an end to the stream of new cyber threats being thrown at us and our user base. Most people are starting to be more aware of phishing scams, but are your users up to speed on “smishing”? Smishing is a term used in reference to cyber scams delivered through SMS (text) messaging to smartphones. Please share the following with your corporate users:

Bad guys are increasingly targeting you through your smartphone. They send texts that trick you into doing something against your own best interests. At the moment, there is a mystery shopping scam going on, starting out with a text invitation asking you to send an email for more info, which then gets you roped into the scam.

Always, when you get a text, remember to “Think Before You Tap”, because more and more, texts are being used for identity theft, bank account takeovers, and to pressure you into giving out personal or company confidential information.

User awareness is one of the most important parts of a company’s cybersecurity defense plan. Contact your Dean Dorton team to learn more about our tools and services to enhance your user awareness strategy and cybersecurity defense tools.


Article 01.25.2017 Dean Dorton

It’s no secret that scammers are continuously looking for new ways to reinvent common scams, especially when it comes to phishing emails. Phishing emails are meant to look real, but trick you into clicking a link, providing personal information, or downloading viruses or malware.

Recently the Better Business Bureau learned of a new version of this scam which is circulating quickly. While anyone may receive this email, scammers are specifically targeting small businesses.

According to the Better Business Bureau, here is how the scam works:

You receive an email with the subject line “QuickBooks Support: Change Request.” The message is “confirming” that you changed your business name with Intuit, QuickBooks’ manufacturer. However, you never made such a request. It must be a mistake, but fortunately the email contains a link to cancel.

Pause before you click! Scammers know that you didn’t make this request, and the link to cancel is simply bait. It downloads malware to your device, which scammers use to capture passwords or hunt for sensitive information on your machine. This can open you up to identity theft.

How to Spot a Phishing Scam:

Always be wary of unexpected emails that contain links or attachments. Here are some other ways to spot phishing messages:

  • Check the reply email address. One easy way to spot an email scam is to look at the reply email. The address should be on a company domain, such as jsmith@company.com.
  • Check the destination of links. Hover over links to see where they lead. Be sure the link points to the correct domain (www.companyname.com) not a variation, such as companyname.othersite.com or almostcompanyname.com. Scammers can get creative, so look closely.
  • Consider how the organization normally contacts you. If an organization normally reaches you by mail, be suspicious if you suddenly start receiving emails or text messages without ever opting in to the new communications.
  • Be cautious of generic emails. Scammers try to cast a wide net by including little or no specific information in their fake emails. Be especially wary of messages you have not subscribed to or companies you have never done business with in the past.
  • Don’t believe what you see. Just because an email looks real, doesn’t mean it is. Scammers can fake anything from a company logo to the “Sent” email address.

Source: Better Business Bureau
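Two of the tips above are mechanical enough to automate: checking that the sender’s real address matches the brand it claims (the callback-phishing article’s example of a ‘PayPal’ notice sent from a personal Gmail address), and checking that a link’s destination is the company’s own domain rather than `companyname.othersite.com` or `almostcompanyname.com`. The following Python is an added example written for this page, not code from Dean Dorton or the Better Business Bureau. The brand, domain, sample headers and URLs are constructed; `registrable_domain` is a deliberate simplification (last two labels) and a production tool would use the Public Suffix List instead.

```python
"""Sender and link-destination checks for suspect emails (added example)."""
from email.utils import parseaddr
from urllib.parse import urlparse


def registrable_domain(host):
    """'www.paypal.com' -> 'paypal.com'. Simplification: assumes a two-label
    registrable domain; real code should consult the Public Suffix List so
    that names like 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header, brand, brand_domain):
    """Flag a From: header whose display name or mailbox invokes the brand
    while the actual address lives on some other domain."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if registrable_domain(addr_domain) != brand_domain:
        if brand.lower() in name.lower() or brand.lower() in addr.lower():
            findings.append(
                f"display name or mailbox claims {brand} "
                f"but address domain is {addr_domain or '(none)'}")
        else:
            findings.append(f"address domain {addr_domain or '(none)'} is not {brand_domain}")
    return findings


def check_link(url, brand_domain):
    """Classify where a link really points relative to the expected domain."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "no host in URL"
    reg = registrable_domain(host)
    if reg == brand_domain:
        return "ok"
    brand_label = brand_domain.split(".")[0]
    if brand_label in host.split("."):
        # brand name used as a label of a different site (companyname.othersite.com)
        return f"brand name used as a subdomain of another site: {host}"
    reg_label = reg.split(".")[0]
    if brand_label in reg_label or edit_distance(reg_label, brand_label) <= 2:
        # almostcompanyname.com, or a one-character swap such as paypa1.com
        return f"look-alike domain: {reg}"
    return f"unrelated domain: {reg}"


def triage(from_header, urls, brand, brand_domain):
    """Collect every finding for one message into a single report."""
    return {
        "sender": check_sender(from_header, brand, brand_domain),
        "links": {u: check_link(u, brand_domain) for u in urls},
    }


if __name__ == "__main__":
    # Constructed sample message: a 'PayPal' notice sent from a free-mail address.
    report = triage(
        "PayPal Billing <paypal.billing.team99@gmail.com>",
        ["https://www.paypal.com/myaccount",
         "https://paypal.com.account-verify.example/login",
         "https://www.almostpaypal.com/confirm"],
        "PayPal", "paypal.com")
    for finding in report["sender"]:
        print("sender:", finding)
    for url, verdict in report["links"].items():
        print(f"{verdict:55s} {url}")
```

The sender check only reports a mismatch; a spoofed `From:` on the brand’s own domain passes it, which is why the article calls the sender review a first step rather than proof. The link check deliberately treats `paypal.com.account-verify.example` as hostile even though it starts with the expected name, because only the registrable domain (the last two labels here) decides who controls the site.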

When in doubt, if you have a questionable email, it is best to call the source of that email (person or company) to verify that they sent you something you need to open.

If you have concerns regarding your accounting systems or cybersecurity, please contact your Dean Dorton advisor.

