Microsoft cautions against SMS 2FA

Microsoft have announced they will direct users away from SMS 2FA (‘text-based’ two-factor authentication) for security reasons.

Instead, the company will promote multi-factor authentication methods they consider to be more secure – including biometrics and secure authentication apps such as Microsoft Authenticator – for logging into Microsoft services such as Microsoft 365 and Azure.

SMS-based two-factor authentication, where the user typically receives a passcode text message to their smartphone that acts as a secondary confirmation of who they are, has been a staple of online banking and many other secure online services needing two-factor authentication (2FA) for over a decade.

However many now believes even SMS can be intercepted, and would rather sign users onto authenticator apps or issue secure keys with encoded passcode generation.

Official Microsoft statistics state that users who enable Multi-Factor Authentication (MFA) on their accounts to verify identity block 99.9% of all automated account breaches. Using SMS-based two-factor authentication should not ‘stop’ doing so (despite the flaws of SMS, any 2FA is better than none) but users should consider swapping to other methods.

We’ve talked before about the often-predicted ‘death of passwords’ – and possible scenarios for their phasing out, but in recent years a number of big tech firms, including Apple, Google and Microsoft have all suggested their long-term plans that seek to replace passwords with biometric or other forms of login.

However this modification to Microsoft’s advice will see more of a driving force behind MFA as specifically biometric, authenticator app or secure-key based, rather than relying on mobile networks for one-time passcodes.

 

For cybersecurity expertise and support, please contact out IT team today.


Phishing emails – how to teach others to avoid being hooked

Phishing emails that attempt to steal sensitive information or defraud funds are a growing threat to small businesses – and the root cause of roughly 90% of business cyber attacks.

Educating your staff to be wary of clicking on a suspicious email is arguably one of the simplest and most effective cyber-security practices for small businesses. But how should you approach this?

 

Nobody is Immune

There’s no telling when or where a phishing email will arrive at your business, and any single compromised computer might be a cyber-criminals ‘way-in’ to the company – so a good place to start is the idea that it is everyone’s responsibility to watch out for suspicious emails.

Phishing email traffic is estimated to have increased by around 65% last year, and approximately 30% of those phishing emails get opened by IT users.

You’re the CEO of a global multi-national conglomerate? Then you’re MORE, not less likely to be targeted. Such ’Spear Phishing’ attacks are often highly specific to key individuals, aiming squarely at users with privileged information, responsibility over finances or higher levels of access.

Email awareness applies to anyone and everyone with access to email, so training efforts to make your company secure need to apply up and down the hierarchy.

 

Use Examples

Getting hands-on with real examples of phishing emails is the single best way to immunise your team against being caught out. Cybersecurity companies increasingly recognise the ‘human’ factor as the most critical ’threat vector’ – put simply, there’s (ultimately) no substitute for human intuition about what might be suspicious.

Show your team key warning signs to look out for – suspicious email addresses in the email header, bad grammar, or links to dodgy URLs that display when you hover your mouse pointer over them.Fortunately ‘Fake bank’ or ’Nigerian Oil Minister’ type scams have become quite notorious over the last decade, so even the least tech-savvy user will soon catch on to the idea that if an email seems odd, it’s worth checking before clicking or typing-in any sensitive details.

Lineal have published examples of some particularly dangerous phishing emails we’ve encountered, here.

 

Defeatism is Expensive

Studies suggest many IT users increasingly feel that cyber-security breaches are inevitable, and that there’s ‘nothing they can do.’ This security ‘fatigue’ is partly the fault of cybersecurity providers, who have bombarded companies with this idea.

Avoid this mindset. Yes, 76% of companies reported being the victim of a phishing attack in 2017, but 24% did not. Those exemplary organisations will (at least partly) be making their own luck with good working practices, cybersecurity training for users, and strong IT security.

Defeatism also ignores that not all cybersecurity breaches are created equal – a breach could result in a negligible cost to recover a single PC, or cripple a major organisation worldwide, as NotPetya ransomware did to Maersk Shipping in 2017. Under GDPR, the scale of the fines issued by the Information Commissioner’s Office are directly related to the severity of the breach.

The lesson is clear: limiting your organisation’s exposure to attack also limits the potential ‘scale’ of the damage. Never surrender!

 

Do Your Part

It’s helpful to be able to show you’re also investing in your users’ safety at work – that you’re leading by example. Fortunately, there are many ways to reinforce end-user security when using email:

Cloud-based email hosting services (such as Microsoft Office 365) include multiple layers of spam filter as standard, which prevents the end-user ever coming into contact with a considerable volume of suspicious communication, and usually represents greater security than would be typical for your own on-site Exchange Server.

More secure antivirus providers (such as ESET) maintain their own lists of suspicious websites likely to be imitations used for phishing important credentials (such as bank details) and blocking these when encountered.

Email filtering services, such as the excellent Barracuda, are an inexpensive security bolt-on to work email that can dramatically cut down on each person’s day-to-day exposure to dodgy emails. Barracuda Phishline is also available as an automated training service – building a program of dummy phishing emails that can be used to raise awareness among your staff. Clever!

 

 


Fake DVLA Emails: Tracing a Trojan Scam

Continuing our recent series on email phishing trickery including fake invoices and Apple ID theft, this week we discovered a new scam involving a fake communication claiming to be from the Driver & Vehicle Licensing Agency (DVLA).

You haven’t sent them your vehicle details: but never fear, enter them below and avoid a hefty ‘1000 GBP’ fine. Never mind that your garage should have organised a V5 document for you, just click the link and type in your details. This couldn’t be a scam? Right?

We set Lineal’s security trainee Lewis on the fake DVLA emails case – who found that the email links to a private (non Gov.uk) web-page with a extensive bit of PHP code running in the background. A classic Trojan, this webpage invited you to download your casefile – and likely something dangerous along with it.

trojan

Despite poor grammar, the format matched a GOV.UK page quite closely and the ‘official’ nature of the styling might easily have tricked unsuspecting motorists.

Avoiding the page itself, Lewis completed an HTTPS lookup on the domain hosting the fake web page – but found two servers running the same scam. The email itself appeared to be routed via the USA, in an effort to mask the attacker(s) identity.

Tracing both IPs seperately led back to the same address in Germany, registered under two different names which could either be part of an organisation (or more likely) both assumed identities stolen from others fallen victim to the scam.

German privacy law prevents Google StreetView from being completed across most of the country, so an aerial view of an unknown industrial building on the outskirts of Lippstadt was a close as we could get to sourcing the suspicious email itself.

Clearly a sophisticated operation, fake DVLA emails like this highlight the growing technical ability of online scammers and the need for solid IT security precautions.

 

For IT Security advice and support, contact Lineal today: 01271 375999


Can this Facebook Filter Stop Fake News?

Facebook have announced the testing of a new news filter in France, designed to stop fake news or deeply misleading stories from being shared online via social media.

The announcement comes only two months from the first round of voting in the French Presidential Election.

Under the new filter, dubious news stories flagged by Facebook users will be double checked against eight leading French media outlets, including Le Monde, Agency France-Presse and Liberation. Should any two of the eight provide evidence of ‘fake news,’ the story will be flagged as ‘disputed’ in Facebook’s News feed.

Users will receive a warning before sharing ‘disputed’ stories and will be blocked from using paid advertising to promote ‘disputed’ stories.

In addition, Le Monde and Liberation are believed to have begun compiling their own databases of unreliable fake news websites – which may eventually be used in a similar way to more advanced antivirus companies’ watchlists already used to isolate suspicious phishing websites.

The move comes just months after social media giants Facebook and Twitter faced widespread criticism for the proliferation of fake news websites using false stories or invented facts to promote political agenda during the 2016 US Presidential Elections.

For IT Security support or assistance, contact Lineal today: 01271 375999


Phishing Emails that know your home address spread

 

Hundreds of people have received new types of phishing emails which knows the individual’s home address.

Clicking the link in the dangerous email, which as a appears very authentic request to pay an overdue invoice, installs devastating cryptolocker ‘ransomware’ on the user’s computer.

The virus then begins encrypting files, demanding a ransom be paid to unlock the user’s data.

According to the BBC the unconnected company cited in the email, cotton fabric manufacturer British Millerain Co Ltd, have received more than 150 phone calls from individuals concerned that they owe money.

Phishing emails and websites, which typically mimic official bank or company communications to trick vulnerable users into making payments to criminals, are becoming increasingly sophisticated.

The use of an individual’s personal address, and higher quality written English, suggests the original creator of the email has gone to greater lengths to make the email look convincing and to avoid detection.

It is also likely that the matching address originates from stolen, legitimate customer data, accounting for users’ recognition of the way they write their own home contact details.

New threats are constantly developing, and Lineal recommend installing an antivirus software with a strong record of catching emerging online threats – such as ESET.

 

Always follow some simple rules:

  • Never click a link or open an attachment from any suspicious email whose origins you do not recognise.
  • Banks and similar will NEVER request your private passwords, pin numbers or other confidential information. Do not disclose these to anyone.
  • If hit by cryptolocker style ransomware, every second counts – seek professional technical support immediately.
  • Always keep a regular, separate backup of your files.

 

Photo Credit: BBC News