It’s a common occurrence in the world today, someone finds a USB thumb drive on the ground in the parking lot or a waiting area in a business. Your first instinct is very likely to be that of most American’s “studied”, plug it in and see what juicy information you can find. If you are in proximity to a larger corporation this inclination is likely to be higher because the odds are, at least subconsciously, that the drive belongs to someone from within that company.

As shown in several studies performed by researches the trend is that about half the drives are plugged into computers. According to a group from the University of Illinois (source) the “effective” rate is between 45 and 98 percent. That’s a scary number in my mind, especially considering the huge number of ransomware incidents reported on the news this past year. While most of those can be traced back to malicious payloads in emails, the USB trojan horse method is even scarier. Not only does a user risk having their data encrypted and held for ransom, they could be opening their employer up to infiltration.

Picture this scenario for a moment, it’s likely one that’s really happened somewhere. Employee Tina stops by the coffee shop every morning on her way in to work at the local community bank for her latte. It’s a pattern that’s well established and something she doesn’t often deviate from. Johnny is part of a hacker group that’s intent on infiltrating the bank Tina works for and knows that penetrating their firewall and security directly is futile. Safer than trying to get a job at the bank, Johnny’s group decides to try and compromise an employee. See where this is going yet?

(more…)

I get asked about quite a few emails and their legitimacy, more so these past six months with the rise in phishing/spear-phising messages sent to clients and friends. It’s not a bother, I’d rather get asked my opinion ten times a day than have someone I know or provide services to get nailed by ransomware or a trojan.

Here’s a quick rundown of some items I think important when considering the legitimacy of an email you’ve received.

(more…)

Phishing emails are exploratory attacks in which criminals attempt to obtain victims’ sensitive data, such as personally identifiable information (PII) or network access credentials. These attacks open the door for further in ltration into any network the victim can access. Phishing typically involves both social engineering and technical trickery to deceive victims into opening attached files, clicking on embedded links and revealing sensitive information.

Spear phishing is more targeted. Cyber criminals who use spear-phishing tactics segment their victims, personalize the emails, impersonate specific senders and use other techniques to bypass traditional email defenses. Their goal is to trick targets into clicking a link or opening an attachment. A phishing campaign may blanket an entire database of email addresses, but spear phishing targets specific individuals within specific organizations with a specific mission. By mining social networks for personal information about targets, an attacker can write emails that are extremely accurate and compelling. Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network, enabling them to complete their illicit mission.

Original Source: SEC

“Phishing” Fraud: How to Avoid Getting Fried by Phony Phishermen

“Phishing” involves the use of fraudulent emails and copy-cat websites to trick you into revealing valuable personal information — such as account numbers for banking, securities, mortgage, or credit accounts, your social security numbers, and the login IDs and passwords you use when accessing online financial services providers. The fraudsters who collect this information then use it to steal your money or your identity or both.

When fraudsters go on “phishing” expeditions, they lure their targets into a false sense of security by hijacking the familiar, trusted logos of established, legitimate companies. A typical phishing scam starts with a fraudster sending out millions of emails that appear to come from a high-profile financial services provider or a respected Internet auction house.
(more…)