The Cyber Guys: Never Again – Stop Being Fooled by Email Spoofing 

Every two or three months I get the same email from my “boss.”  It goes something like this.  “Dan,  I need a favor and I need it done by the end of the day.  Can you please purchase six $100 Amazon gift cards for the company? It’s for an upcoming event to celebrate our employees.  Just email me the gift card numbers.  Please don’t let anyone know.  It’s a surprise. I’m super busy so don’t call, just reply to this email.”   Since I had a company credit card, I went online and made the purchase.   Wait…. Just kidding.   

What I really did was I checked the Display Name of the sender.  It was the name of my boss, but not the usual way he displayed it.  When I looked at the return email address, I noticed that it was not from a company address, but instead it came from a random Gmail account.  This is one type of email spoofing called “Display Name Spoofing.”  It is the easiest type of email spoofing.  The hacker went to the company website and got the name of the founder.   From there the hacker just updated his email display name to match.   

There were several things about the email that got my hacker spider senses tingling.  Did you catch them?  One of the most common social engineering tricks is to push a sense of urgency.  I need it by the end of the day.  Another giveaway was that it was a secret so if I believed it, I would not tell anyone.  Gift cards are a common tactic for scammers.  Did you notice how the hacker did not want me to validate by an alternate means of communication?  Don’t call.    For me, the biggest hint was the fact that I really don’t have a company credit card and could not have done what was asked.   

This time, they did not fool anyone, but understand they are putting out hundreds of these emails a day.  All they needed was for one to hit and it was a successful day at the office.  I’ve heard of other spoofs locally where they pretended to be the boss and asked the accountant to transfer large amounts of money to a partner to close a deal.  Don’t think that all hacks are from around the world.  In that case, they knew the boss had been traveling and was unavailable.  The key to avoid falling prey to that is to have a policy where any use of company money requires “out of band” verification.  If the request comes via email, the accountant must call the boss to get verbal verification.   

Diligence is key not to get duped by this scheme.   There have been cases where instead of a supervisor, the hacker pretended to be a vendor.  The hacker sent an invoice supposedly from the vendor but with a different account to send the funds.   I’ve heard of this happening several times in this little town.  Pay attention.  Call and ask about it, stating that you noticed the account information changed.   That would stop the scam in its tracks.   

Another technique hackers use to spoof email is to forge the display name and sender address at the Simple Mail Transfer Protocol (SMTP) level. SMTP is the protocol used for sending messages, and on its own it does not verify that the “From” address belongs to the person who actually sent the message. This is called “Legitimate Domain Spoofing,” because the email appears to come from the real company domain. A third type of spoofing is called “Look-Alike Domain Spoofing.” An example would be a domain spelled with a zero in place of the letter o. Hackers register real domains that can easily be mistaken for the legitimate company’s.

There are several technical ways to spot spoofing, which I’ll provide below. Check to see if the Sender Policy Framework (SPF) check passes. SPF checks whether the server that sent the email is one the sending domain’s owner has authorized to send mail on its behalf. DomainKeys Identified Mail (DKIM) verifies that the email has not been altered between the sender’s and recipient’s servers. Businesses can also set up Domain-based Message Authentication, Reporting and Conformance (DMARC) for their domain, which tells the recipient’s server that mail from that domain should be protected by SPF and DKIM and what to do with messages that fail those checks.

How to check SPF, DKIM, and DMARC status on Gmail: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Select “Show original.” 

    4. Check and see if the email is marked “pass” or “fail” for each section. 

How to check SPF, DKIM, and DMARC status on Outlook: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Hover over “View” and then select “View message details.” 

    4. Scroll through the details and view “Authentication-Results” to see if the email is marked “pass” or “fail” for each section. 
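The three spoofing patterns described above (display-name spoofing, legitimate-domain spoofing, and look-alike domains) and the “pass”/“fail” verdicts you read off the Authentication-Results header can be checked mechanically. The script below is an added example written for this page, not code from the column or from Gmail or Outlook. It assumes a constructed company domain (example.com), a constructed staff directory, and three constructed raw messages with Authentication-Results stamped the way a receiving mail server would stamp them; the homoglyph table is a deliberately small illustration of the “zero instead of o” trick.

```python
"""Classify a raw email against the three spoofing patterns and read its SPF/DKIM/DMARC verdicts."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed values: the company's real domain and the people a spoofer would impersonate.
COMPANY_DOMAIN = "example.com"
STAFF_DIRECTORY = {"dan boss": COMPANY_DOMAIN}

# Digit-for-letter substitutions used in look-alike domains (illustrative subset).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample 1: display-name spoof from a free-mail account. Note that
# SPF, DKIM and DMARC all pass, because gmail.com really did send it.
SAMPLE_DISPLAY_NAME_SPOOF = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com;
 dmarc=pass header.from=gmail.com
From: Dan Boss <dan.boss.ceo@gmail.com>
To: accounting@example.com
Subject: urgent favor

Please buy six gift cards and email me the numbers. Don't call.
"""

# Constructed sample 2: look-alike domain (digit 1 in place of the letter l).
SAMPLE_LOOKALIKE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass
From: Accounts Payable <ap@examp1e.com>
To: accounting@example.com
Subject: updated bank details for invoice 1234

Our remittance account has changed; see attached.
"""

# Constructed sample 3: legitimate-domain spoof, the From address is forged at SMTP level
# and the domain's own SPF/DKIM/DMARC checks fail.
SAMPLE_FORGED = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: Dan Boss <dan.boss@example.com>
To: accounting@example.com
Subject: wire transfer needed today

Please transfer the deposit to our partner to close the deal.
"""


def parse_auth_results(msg):
    """Return {'spf': 'pass', 'dkim': 'fail', ...} from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            results[mechanism.lower()] = verdict.lower()
    return results


def looks_like(domain, target):
    """True when domain differs from target only by digit-for-letter substitutions."""
    return domain != target and domain.translate(HOMOGLYPHS) == target


def classify(raw_message):
    """Parse a raw message and return its sender domain, auth verdicts and spoofing findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    domain = address.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    findings = []

    # Display-name spoof: a known person's name on an address outside their real domain.
    expected_domain = STAFF_DIRECTORY.get(display_name.strip().lower())
    if expected_domain and domain != expected_domain:
        findings.append("display-name spoof")

    # Look-alike domain: a registered domain one glyph away from ours.
    if looks_like(domain, COMPANY_DOMAIN):
        findings.append("look-alike domain")

    # Legitimate-domain spoof: claims our domain, but the domain's own checks do not pass
    # (a missing verdict counts as not passing).
    if domain == COMPANY_DOMAIN and any(auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc")):
        findings.append("legitimate-domain spoof")

    return {"from_domain": domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, sample in [("display-name", SAMPLE_DISPLAY_NAME_SPOOF),
                         ("look-alike", SAMPLE_LOOKALIKE),
                         ("forged", SAMPLE_FORGED)]:
        print(name, classify(sample))
```

The first sample is the important caveat: the gift-card email in the column passes SPF, DKIM and DMARC, because Gmail genuinely sent it. Those checks prove which domain sent a message, not who is behind it, which is why the display name and the return address still have to be read by a person.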

Now that you know the social engineering cues and you have the technical skills to verify the email, in the words of the 70s rock band The Who, you “Won’t Get Fooled Again.”

Original article written for the Sierra Vista Herald here.

The Cyber Guys: Critical Vulnerabilities in Voting Machines – Easy To Hack

J. Alex Halderman, a Computer Science professor at the University of Michigan, walked into a courtroom in Georgia. He borrowed a pen from the defense attorney, and in under a minute he had broken into a Dominion voting machine, where he could make the results anything he wanted without a trace of his breach.

Dr. Halderman was an expert witness that demonstrated just how vulnerable these voting machines are to tampering. He used a pen to hold down the power button on the voting machine. He waited 7 seconds until it came up in “safe” mode. From there he could open files and change the contents of files to include the results and audit files without a password.

Later Dr. Halderman showed how with just a $30 purchase on Amazon, he was able to create a technician card for the voting machines that gave him super user access. Once programmed, a hacker could make as many technician cards as needed and distribute across the voting area.

At this point you might be thinking, OK, but how many computer science professors are going to hack a voting machine? Well, it turns out that in August of 2018 at a DEFCON hackathon conference, it took an 11-year-old boy 10 minutes to hack a simulated Florida state voting website and change the results of the election. There was not just one child: 30 of the 50 children, with ages ranging from 8 to 16, were able to hack the simulated election website.

Over the last 6 years there have been many lawsuits concerning the use of these machines all over the country. Not only in Georgia, but Pennsylvania, Michigan, Texas, Arizona, and more.

But it’s not just Dominion machines that have vulnerabilities. In the summer of 2020, students from the University of Pennsylvania conducted an audit of the ES&S voting system. ES&S claims to be the world’s largest e-voting system vendor, supporting more than 67 million voter registrations with 97,000 touchscreen voting machines installed in 20 states, with optical ballot readers in 43 states.

The team reported numerous critical vulnerabilities existed in nearly every component of the ES&S system. They identified serious and undetectable attacks that could be carried out by poll-workers and even individual voters. What makes matters worse is that these attacks are not limited to the local machines. There are several attacks that propagate like a virus to the backend systems on the network affecting all the results of a precinct or an entire county. According to their report, virtually every mechanism for assuring the integrity of precinct results and backend systems can be circumvented. With these machines, they found that almost every major component of ES&S can be altered or replaced by other components with which it communicates. In other words, there are many ways to get to the back end to modify the results. 

The calibration of the touchscreen affects how the voters’ input maps to different locations on the screen. If the calibration is incorrect, it could alter the voters’ choices. For example, I vote for Alice for the school board on the touch screen, but the machine selects the opponent, Bob. This happened in Pennsylvania in the 2023 Superior Court election. When a voter would select ‘yes’ or ‘no’ on their ballot for one of the candidates, the vote was recorded on the paper ballot and in the machine for the other candidate.

Some countries like Argentina and the Philippines have recently banned the use of the machines due to their vulnerabilities. There is talk in different states around the country about doing the same. What should we do to ensure that each voter’s choice counts?

The original article was published in the Sierra Vista Herald here.

The Cyber Guys: Swatting customers, cyber hackers’ new extortion method

What you are about to read is fiction, but the scenario is feasible and, in a few months, may be likely.

Bob was sitting on the couch watching the Chiefs play the Bills. The Bills had just made a touchdown, bringing the score to Bills 17, Chiefs 10. Suddenly the front door burst open and a heavily armed group of people flowed into his home. In moments Bob was on the floor face down, arms behind him zip tied. Bob was under arrest.

Bob wasn’t guilty of a crime. He was the victim of a horrible extreme prank called “swatting.” Someone had accused Bob of posting extreme anti-government threats on social media. Bob’s social media account had been compromised, then filled with anti-government rants. Enough evidence to justify the temporary chaos you just witnessed.

Why was Bob targeted? Unfortunately, he was the client of a medical center that recently had fallen victim to a cyber-extortion group. The patient information was stolen (including Bob’s) and the threat group promised that if the ransom wasn’t paid, the threat group would make life a literal hell for the patients.

Because Bob had the bad habit of reusing his passwords it was trivial for the threat group to take over Bob’s social media account using his stolen credentials and make those false posts. Bob became the first of many to endure such humiliation.

The story is fictitious. But the threat is real. Swatting as a service is the latest tactic threat actors are using to coerce businesses into paying cyber ransom. You are truly just a pawn. Because cyberattack reports are so common today, we’ve become overwhelmed and desensitized to the implications of the threat. But now the implications are physical. Visits from actual police to your home. So far, the police visits have resulted in only momentary inconvenience for the victim and a waste of police resources. But it is conceivable this will escalate.

You are probably thinking, “There’s no way this could happen. Who would ever go to such an extent just to get money?”

The reason you think this is because you are not evil. But there are truly evil people who absolutely don’t care about the pain this causes innocent people. The effort it would take to conduct such a campaign as described above is very little on the part of the threat actor, especially in the age of artificial intelligence.

An AI bot can easily craft the content for social media posts at scale. The level of effort on the part of the human is then as little as copying and pasting the content into a compromised social media account.

But you can do something to make sure it isn’t you who suffers. First, if you don’t absolutely need social media, you can cancel your accounts. One principle of cybersecurity is “if you don’t need it, remove it.” If you do use your social media accounts, make sure you use a password manager like Bitwarden to create and securely store your passwords.

Lastly, you do have a right to ensure your data is secure. The tactic described above has been used against medical centers. Your protected health information is governed by the Health Information Portability Accountability Act. You have the right to ensure your medical provider is protecting you. Ask it to provide you with evidence it is doing more than the bare minimum. If it refuses to show you, then you may consider changing doctors.

I know this sounds extreme, but so is “swatting.”

Original article was featured in the Sierra Vista Herald and can be found here.