Recently, we had a customer who was targeted by a phishing campaign. Even after being told NOT to click on links or open attachments, the staff still did, then called IT a few days later, after their PCs had been fully ransacked, to report it. By then it is too late. Sometimes one has to wonder how these people infiltrate your organization. Part of this particular case was due to the owner and his son buying new luxury vehicles; everything else in the company got slashed, including the IT budget. His response to IT was that he did everything by pen and paper 30 years ago and he can go back to that at any moment. In IT, you need policies and procedures from the top down. The slashed budget meant they could not afford new laptops if one broke down. They bought old laptops from Cash Crusaders that already contained Windows and Office (legality be damned), and, wanting to save money on IT, they put those laptops to work without sanitizing them. At the moment we have them blaming IT for the “hacking” (!!!). “Why can’t IT make the hacking stop?” It is too late; IT can now only block the domain squatting, etc., on a retroactive basis. Once blocked, the adversaries just create another domain name and spoof the client’s mail again. They already have all your emails and all your contacts, and are using your emails to get your contacts to click on malicious links.
Safety starts with YOU.
Let’s look at the phishing campaign. The sales people were the culprits who clicked on links and opened attachments, even after they were told not to. My first question was: why did you click on the link? Salesperson 1: “But it was from my customer!” Salesperson 2: “It was an accident!” I had done only a preliminary investigation. Me to salesperson 1: “But I thought you said it was a customer of yours; this sender is not even in the country?” Salesperson 1: “But I thought it was!” Me to salesperson 2: “How do you ‘accidentally’ click on a zipped file, unzip it, click the link and bypass the Firefox warning?” Salesperson 2: “Yes, it was by accident.” *Shakes head*
Just a little bit more prodding and I came to the answer. Their sales targets were raised and they were desperate to make their targets so they could afford their lifestyles. Desperate to keep up with the Joneses, they click everything for a sale. Sales first, everything else last.
Now I examined the email. The subject line contains “from trusted sender”. They have never received emails that had that in the subject line. That should immediately raise a red flag. The body of these messages all have urgency stipulated: Your account will be deactivated in 24 hrs. Fill this form in to avoid being arrested. Respond immediately! Account on hold, payment overdue! Account confirmation, URGENT! Unusual activities detected on your account. Sign-in attempt blocked, respond immediately. I have hacked your email and …blah (spoofed your email address).
Now that everyone has the company’s emails, the criminals are taking messages verbatim, adding a line stating: the password to the attachment is:43yu3i3 or whatever, and adding another malicious attachment to see what they can gain.
If you are unsure if you would have clicked on any of these, take the Google phishing quiz: https://phishingquiz.withgoogle.com/ (Gizmodo had an article on it last year).
The guys are getting smarter: the link points to a file transfer server where he/she/it leaves the payload, e.g. https://t.mycloud.ch/c/9xQivLs5rCr3C2XXXX (last characters removed so you don’t click it accidentally).
Quick ‘n dirty rules to email safety:
1. If you can, block whole countries in your blacklists, e.g. “*@*.cn” or “*@*.tk”.
2. Never click a link. Copy and paste it into a notepad and look at it.
3. If you don’t know the person or never dealt with them, file that email into a folder where you can examine it at your leisure.
4. Ignore any urgency indicators. If it is urgent, they will call you.
5. If your email client allows it, turn on headers.
6. If you use Windows, turn ON file extensions. Pay attention to the time an email arrives; your friends and work colleagues do not send email at midnight.
7. Do not open compressed / zipped attachments, unless you KNOW what it is.
8. Have a work email and a personal email and a junk email. Keep these separate.
9. Do not reply to junk email (that goes for phishing emails too).
10. Make sure your password is long enough.
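As an added example that is not part of the original article, the following Python checks one message for the red flags described above: the “from trusted sender” subject tag, urgency wording, a password for the attachment quoted in the body, a compressed attachment, off-hours delivery and a blocked sender TLD. The sample message, the TLD list and the 22:00 to 06:00 window are constructed assumptions, not values from the article.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime
# Indicators taken from the article's own list; the exact phrases, TLDs and
# hour window are assumptions chosen for this example.
BLOCKED_TLDS = {"cn", "tk"}
URGENCY = re.compile(r"deactivated in 24 ?hrs|respond immediately|payment overdue|"
                     r"urgent|unusual activit|sign-in attempt blocked|avoid being arrested", re.I)
ARCHIVE_EXT = (".zip", ".rar", ".7z")

def phishing_flags(raw_message: str) -> list[str]:
    """Return the article's red flags that are present in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    _, addr = parseaddr(msg["From"] or "")
    if addr.rpartition(".")[2].lower() in BLOCKED_TLDS:  # rule 1: whole-TLD blocklist
        flags.append("sender-tld-blocked")
    subject = msg["Subject"] or ""
    if "from trusted sender" in subject.lower():  # tag the staff had never seen before
        flags.append("trusted-sender-tag")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = subject + " " + (body.get_content() if body else "")
    if URGENCY.search(text):  # rule 4: urgency indicators
        flags.append("urgency-language")
    if re.search(r"password (to|for) the attachment is", text, re.I):
        flags.append("attachment-password-in-body")
    if any((p.get_filename() or "").lower().endswith(ARCHIVE_EXT)
           for p in msg.iter_attachments()):  # rule 7: compressed attachments
        flags.append("compressed-attachment")
    try:  # rule 6: hour in the sender's own declared timezone; colleagues do not mail at midnight
        hour = parsedate_to_datetime(msg["Date"]).hour
        if hour < 6 or hour >= 22:
            flags.append("off-hours-delivery")
    except (TypeError, ValueError):
        pass  # missing or unparseable Date header: nothing to judge
    return flags

def sample_message() -> str:
    """Constructed sample (not a real capture) shaped like the mail the article describes."""
    m = EmailMessage()
    m["From"] = "Accounts <billing@constructed-example.tk>"
    m["Subject"] = "RE: Invoice 4471 - from trusted sender"
    m["Date"] = "Tue, 12 Mar 2019 00:17:43 +0200"
    m.set_content("Account on hold, payment overdue! Respond immediately.\n"
                  "The password to the attachment is: 43yu3i3\n")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_string()
```

Run `phishing_flags(sample_message())` to see all six flags raised; a plain message from a colleague during working hours returns an empty list.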
Here is a chart for password cracking on a modern machine. What you need to remember is that these values can be halved, and halved again, if computer clusters are used. It is from 2016, so I would assume 21 characters should be the minimum password length, not 18.
So my old password “(NEVER.share.your-p@ssw0rdz!!)” would now need something like a date added to it. Memorable passwords do not have to be difficult.
Now please go take that Google quiz mentioned above and if you do not get 8/8, you need to be more careful.
Disagree with us? Let us know on misc@fulcirclemagazine.org