Common scams include pretending to represent Government, law enforcement or medical authorities to obtain information or financial payment, blackmailing users with threat of infection, donation requests for fake organisations, and malware distribution – including one new ransomware even dubbed ‘Coronavirus.’
In a joint statement published in April, the UK National Cyber Security Centre (NCSC) and US CISA (Dept. of Homeland Security) note the sudden rise in Covid-19 scams, and even highlight instances of SMS text-messaging phishing attempts mimicking UK Government text alerts.
In the example cited, a fake compensation payment is offered to entice the user to hand over details via an imitation UK Government website.
There has also been a growth in online hackers and trolls targeting Zoom and other video conferencing platforms. Users unfamiliar with this kind of software in particular may prove an easy target for cyber criminals.
Phishing scams are part of a larger trend of online Covid-19 themed fraud. In March, the NCSC removed around 500 fake online shops claiming to be selling fraudulent virus-related items over the internet.
Google currently estimate that Gmail filtering is blocking over 100 million phishing emails each day, and that almost 20% of online email scams now refer to Coronavirus (around 18 million) – likely to be the largest phishing ‘theme’ in history.
For cybersecurity expertise and assistance, please contact Lineal today.
***Latest Update to the Hall of Shame – 8th February 2019***
At Lineal our IT team review a lot of dodgy emails. The criminal scam known as phishing (sending fraudulent emails to trick end users into divulging sensitive information or downloading dangerous files) is a widespread threat, and we’re constantly on the lookout for dangerous new scams appearing on the internet.
It’s estimated that around 90% of organisational security threats are caused by a mistaken click in an email, making it by far the most common way businesses are breached by ransomware, viruses or individuals with malicious intent.
However, some human intuition and alertness is always required. With this in mind, we take a look at some examples of the most devious phishing scams we’ve ever seen:
The ‘Delivery Note’
Phishing emails are from fake ‘banks’ or enterprising Nigerian oil ministers, right? Wrong. This fairly innocuous email is the digital form of one of those ‘sorry we missed you’ cards you might receive through the letterbox for undelivered packages.
If you didn’t notice the suspicious sending address, accurate branding could lead you to believe this was really from a major logistics company, and divulge various personal details before realising there isn’t really a package to collect.
The Card-Payment Conundrum
Oh dear! My recurring card-payment for my TV license has expired – time to key my new card details into a dodgy website.
The growth of recurring payment systems for everyday things (like TV licensing) has meant users are familiar with being prompted to update card details, but stay alert: just because the request is mundane doesn’t mean it’s innocent. This is a nasty phishing email which scammed viewers out of thousands of pounds – even hitting national headlines.
The ‘File Share’
A proliferation of easy file-sharing platforms mean that we’re all more familiar with receiving large files via sharing links.
Curiosity about what this file is, and why your contact is emailing it to you (via a pretend ‘Dropbox’ email) might cause you actually to hand over your email address details. This trick is very simple, and persuasive – only the vaguely mail-merged ‘Hi info’ should suggest this is not really something you want in your inbox.
The (Convincing) ‘Fake Bank’
Forget semi-literate Russian hackers and the like: the quality of this fake Natwest email is in a different class. Spelling mistakes, clumsy phrasing or dodgy branding can often give away an email scam, but criminals are becoming increasingly sophisticated at imitation. Anyone who falls for this email would be handing over their online banking login details.
Imitation is the sincerest form of flattery, and for the unwary email user, likely to be the most expensive.
The Government Request
Uh Oh. An official demand from Companies House. Better respond quickly. Bad luck – you’ve been scammed.
Don’t let the impeccable branding or the dull subject matter catch you out: look at the email address and the link. .ink is not a normal public-sector domain, so that should ring alarm bells.
The Domain Scam
Much like the delivery note scam above, this clever phishing scam we recently witnessed is based on the user not realising there’s anything sensitive about their domain details.
Hovering your mouse over the buttons reveals URLs that are not from this organisation and should not be trusted.
The ‘Email Recovery’
This crafty scam invites you to ‘Recover (email) Messages’ that your email service held back due to a sync error – which should be your first clue that this is suspicious. Genuine email filtering tools (such as the excellent Barracuda) are very transparent about exactly what has been quarantined, or (as with Microsoft Office 365) expect an admin user to review the email separately.
Suffice to say you should NOT click ‘Recover Messages’.
The Fake Order
A sales enquiry from a University for a high value item – how promising! Except no, ‘Daniel’ isn’t a Procurement Manager, and if dispatched on credit terms, you’ll never see this item again. Worst of all, when you invoice the real University of Nottingham, they’ll think you’re an email scammer trying their luck. How ironic.
As before, the email address should give this away: real universities use valid .ac.uk (academic) domains, not free gmail accounts with a ‘.ac’ dumped somewhere in the address by a criminal.
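The checks described in the Government Request, Domain Scam and Fake Order entries above (compare the sending domain with the one the organisation really uses, spot a ‘.ac’ or ‘.gov’ dumped into a free-mail address, and look at where each link actually points) can be scripted. This is an added example written for this page, not Lineal’s tooling; the addresses, links and the ‘example-registrar.co.uk’ organisation are constructed, and the dotted-lookalike check generalises beyond the entries above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def under(host, suffix):
    """True only if host is the suffix itself or a real subdomain of it ('notgov.uk' fails)."""
    return host == suffix or host.endswith("." + suffix)

def check_sender(addr, expected_suffix):
    """Compare the sending address with the domain the claimed organisation really uses."""
    m = re.fullmatch(r"([^@\s]+)@([^@\s]+)", addr.strip().lower())
    if not m:
        return ["malformed address"]
    local, dom = m.groups()
    findings = []
    if not under(dom, expected_suffix):
        findings.append(f"domain '{dom}' is not under '{expected_suffix}'")
    # A '.ac' or '.gov' dropped into the local part of a free-mail account is a tell.
    if dom in FREE_MAIL and re.search(r"\.(ac|gov)(\.|$)", local):
        findings.append("institutional token inside a free-mail address")
    return findings

def looks_like(domain, brand):
    """Dotted lookalike: 'appl.e.com' reads as 'apple.com' once the dots are removed."""
    return domain != brand and domain.replace(".", "") == brand.replace(".", "")

class LinkCollector(HTMLParser):
    """Collects every href, i.e. what hovering over a button would reveal."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(dict(attrs).get("href") or "")

def check_links(html, expected_suffix):
    """Return link hosts that do not belong to the claimed organisation."""
    p = LinkCollector()
    p.feed(html)
    hosts = [urlparse(h).hostname or "" for h in p.links]
    return [h for h in hosts if not under(h, expected_suffix)]

# Constructed sample modelled on the 'Domain Scam' entry; both URLs are hypothetical.
SAMPLE_HTML = (
    "<p>Your domain is about to expire.</p>"
    '<a href="https://www.example-registrar.co.uk/renew">Renew</a> '
    '<a href="http://renew-domain-now.example.net/login">Update details</a>'
)

if __name__ == "__main__":
    print(check_sender("companieshouse@notice.gov.ink", "gov.uk"))
    print(check_sender("daniel.procurement.ac@gmail.com", "ac.uk"))
    print(looks_like("appl.e.com", "apple.com"))
    print(check_links(SAMPLE_HTML, "example-registrar.co.uk"))
```

Run over a saved email body, the link check reproduces the ‘hover over the button’ test without anyone having to click.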
For IT Security expertise and support – contact Lineal today.
Continuing our recent series on email phishing trickery including fake invoices and Apple ID theft, this week we discovered a new scam involving a fake communication claiming to be from the Driver & Vehicle Licensing Agency (DVLA).
You haven’t sent them your vehicle details: but never fear, enter them below and avoid a hefty ‘1000 GBP’ fine. Never mind that your garage should have organised a V5 document for you, just click the link and type in your details. This couldn’t be a scam? Right?
We set Lineal’s security trainee Lewis on the case of the fake DVLA emails, and he found that the email links to a private (non-Gov.uk) web page with an extensive bit of PHP code running in the background. A classic Trojan: this web page invited you to download your casefile, and likely something dangerous along with it.
Despite poor grammar, the format matched a GOV.UK page quite closely and the ‘official’ nature of the styling might easily have tricked unsuspecting motorists.
Avoiding the page itself, Lewis completed an HTTPS lookup on the domain hosting the fake web page, and found two servers running the same scam. The email itself appeared to be routed via the USA, in an effort to mask the attacker(s)’ identity.
Tracing both IPs separately led back to the same address in Germany, registered under two different names, which could either be part of an organisation or (more likely) both be assumed identities stolen from others who had fallen victim to the scam.
German privacy law prevents Google StreetView from being completed across most of the country, so an aerial view of an unknown industrial building on the outskirts of Lippstadt was as close as we could get to sourcing the suspicious email itself.
Clearly a sophisticated operation, fake DVLA emails like this highlight the growing technical ability of online scammers and the need for solid IT security precautions.
For IT Security advice and support, contact Lineal today: 01271 375999
Last week our security trainee from Petroc, Lewis, received a fairly typical ‘Phishing’ email – designed to look like an official request for information in order to trick recipients into handing over personal details. Keyboard at the ready, he decided to go on an investigation – hunting down email scammers.
‘Your Apple ID has been suspended’ read the headline, but never fear, you can reset your account by typing in your private details via ‘Appl.e.com’. It may sound like an obvious scam, but the written quality of the email was high, and Verizon estimates that more than 25% of Phishing emails are not only opened, but clicked on by unsuspecting victims.
The email link itself looked suspicious, so Lewis stripped the exact page link back to its original domain as our first clue. A quick HTTP lookup found the IP address of a Linux-based server with several open ports.
The scammers themselves were careful – expanding the email header shows an encrypted code in place of an email reference.
Online tools like GeoTool suggested the server sending the email had been French (although mapping this is an imprecise science – it suggested the Parisian machine was sat at the bottom of the river Seine). Nevertheless this gave us a country of origin and also a more accurate address.
Here we hit a problem: the address listed related to a French cloud hosting provider’s company office building in Roubaix, near the city of Lille on the border between France and Belgium. The company itself appears entirely legitimate, so it’s likely a server there has been hijacked or otherwise used inappropriately by a customer of the provider.
A reverse DNS lookup via an online US Security tool suggested the hosted domain name’s registered contact person was based in an apartment building in district 56121, Thessaloniki, Greece, and even listed a gmail address and phone number for the named contact (redacted.)
Had we wanted to, there was an opportunity here for mischief, but we decided to end our search, with sufficiently detailed information to report to the customer services of the French hosting provider whose server had been misused to distribute the email.
Although it’s likely the original source had been found, it’s possible the Greek client registering the domain name was themselves a victim of the Phishing email or a similar scam.
As a case study, Lewis’ virtual chase across Europe hunting down email scammers highlights how every business is at risk from a globalised world of threats – anyone can be struck by a dangerous email from anywhere, and even the most local businesses need to take precautions.
Data breaches can lead to a massive loss of trust among customers, so how do you ensure your IT remains secure?
Despite what many online sign-up forms would suggest, the ‘strongest’ password is not necessarily long and complicated. Whilst complexity makes a password harder to guess or crack with a ‘brute force’ testing of combinations, most security breaches occur from stolen passwords, either physically or by malware attacks.
Very complex passwords do not help in this respect: users still need other IT security, such as antivirus software; typing errors are more common (particularly on handheld devices); and employees may find complex passwords harder to remember – undermining data security by writing down their login details. The ubiquitous sticky note attached to the monitor is still a trusted solution to working with complex password policies in some organisations!
Routine password changes are a sensible precaution for most businesses, but can make it harder for employees to remember their passwords, leading to the same problem in which users are locked out of work accounts, copy passwords across accounts, or write passwords down at risk of theft.
Phrases can help avoid this problem by making passwords easier to recall: ‘Lineal15theB3st’ is preferable to a 15-digit numeral because a touch of personality adds memorability. Beware profanity though – just imagine trying to explain it to technical support later on!
If you want to see where the future of online security is going, follow the money: most online banking incorporates a two-stage authentication process, requiring both a password and a unique alert code texted to the customer’s mobile phone for identification. This is already a free optional setting for Google, Facebook, Twitter and other popular websites.
Lineal’s advice is to stick to the following basics:
Avoid physical theft:
Don’t write your passwords down on a post-it note on your desk! Microsoft has a practical tip: if you absolutely must write a password down, do so in a safe place, without labelling it as a password or noting which account it refers to. Substitute words should also be used to hide the true password, for example writing ‘Fruit8£’ could refer to a password of ‘Apple8£’.
Don’t use an easily guessed word, such as your name, your company’s name, 1234, the name of something on your desk, the word ‘password’, or anything similarly obvious.
Never tell anyone your password, and change your password if you suspect it has been compromised.
Ease of Access:
If you struggle to remember your passwords, use a password storage program to store some of them. Remember to use a secure password for the program.
Mitigate against your own forgetfulness by setting up alternate password recovery options, allowing you to choose more varied, difficult passwords.
Consider where users will need to log in from – take full advantage of using numbers and special characters (!, £, %, *, etc.) for keyboard users.
Preventing digital theft:
Use different passwords for your most important accounts, such as online banking.
Use two-stage authentication.
Maintain up to date anti-virus security software and firewalls on your work desktops, and don’t download untrusted software or open suspicious emails which could be phishing or contain password stealing malware.
Consult IT specialists to ensure office networks are protected from outside attacks.