The Cyber Guys: Never Again – Stop Being Fooled by Email Spoofing 

Every two or three months I get the same email from my “boss.”  It goes something like this.  “Dan,  I need a favor and I need it done by the end of the day.  Can you please purchase six $100 Amazon gift cards for the company? It’s for an upcoming event to celebrate our employees.  Just email me the gift card numbers.  Please don’t let anyone know.  It’s a surprise. I’m super busy so don’t call, just reply to this email.”   Since I had a company credit card, I went online and made the purchase.   Wait…. Just kidding.   

What I really did was I checked the Display Name of the sender.  It was the name of my boss, but not the usual way he displayed it.  When I looked at the return email address, I noticed that it was not from a company address, but instead it came from a random Gmail account.  This is one type of email spoofing called “Display Name Spoofing.”  It is the easiest type of email spoofing.  The hacker went to the company website and got the name of the founder.   From there the hacker just updated his email display name to match.   

There were several things about the email that got my hacker spider senses tingling.  Did you catch them?  One of the most common social engineering tricks is to push a sense of urgency.  I need it by the end of the day.  Another giveaway was that it was a secret so if I believed it, I would not tell anyone.  Gift cards are a common tactic for scammers.  Did you notice how the hacker did not want me to validate by an alternate means of communication?  Don’t call.    For me, the biggest hint was the fact that I really don’t have a company credit card and could not have done what was asked.   

This time, they did not fool anyone, but understand they are putting out hundreds of these emails a day.  All they needed was for one to hit and it was a successful day at the office.  I’ve heard of other spoofs locally where they pretended to be the boss and asked the accountant to transfer large amounts of money to a partner to close a deal.  Don’t think that all hacks are from around the world.  In that case, they knew the boss had been traveling and was unavailable.  The key to avoid falling prey to that is to have a policy where any use of company money requires “out of band” verification.  If the request comes via email, the accountant must call the boss to get verbal verification.   

Diligence is key not to get duped by this scheme.   There have been cases where instead of a supervisor, the hacker pretended to be a vendor.  The hacker sent an invoice supposedly from the vendor but with a different account to send the funds.   I’ve heard of this happening several times in this little town.  Pay attention.  Call and ask about it, stating that you noticed the account information changed.   That would stop the scam in its tracks.   

Another technique for hackers to spoof email is to create fake display names and email addresses using Simple Mail Transfer Protocol (SMTP). SMTP is a protocol used for sending messages.  This is called “Legitimate Domain Spoofing.”  A third type of spoofing is called “Look-Alike Domain Spoofing.”  An example would be amaz0n.com (zero instead of o) or gooogle.com.  Hackers get real domains that can easily be mistaken for the legitimate company.  

There are several technical ways to spot spoofing which I’ll provide below.  Check to see if the Sender Policy Framework (SPF) passes the test.   The SPF checks to see if the sender’s address is associated with the email domain it was sent from. DomainKeys Identified Mail (DKIM) works to verify that the email has not been altered between the sender’s and recipient’s servers.  Businesses can also set up Domain-based Message Authentication, Reporting and Conformance (DMARC) for the email which lets the recipient know that the email is protected by SPF and DKIM. 

How to check SPF, DKIM, and DMARC status on Gmail: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Select “Show original.” 

    4. Check and see if the email is marked “pass” or “fail” for each section. 

How to check SPF, DKIM, and DMARC status on Outlook: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Hover over “View” and then select “View message details.” 

    4. Scroll through the details and view “Authentication-Results” to see if the email is marked “pass” or “fail” for each section. 

Now that you know the social engineering queues and you have the technical skills to verify the email, in the words of the 70s rock band, The Who, you “Won’t Get Fooled Again.”   

Original article written for the Sierra Vista Herald here.

The Cyber Guys: Critical Vulnerabilities in Voting Machines – Easy To Hack

J. Alex Halderman, a Computer Science professor at the University of Michigan, walks into a courtroom in Georgia. He borrowed a pen from the defense attorney and in under a minute he had broken into a Dominion voting machine where he could make the results anything that he wanted without a trace of his breach. 

Dr. Halderman was an expert witness that demonstrated just how vulnerable these voting machines are to tampering. He used a pen to hold down the power button on the voting machine. He waited 7 seconds until it came up in “safe” mode. From there he could open files and change the contents of files to include the results and audit files without a password.

Later Dr. Halderman showed how with just a $30 purchase on Amazon, he was able to create a technician card for the voting machines that gave him super user access. Once programmed, a hacker could make as many technician cards as needed and distribute across the voting area.

At this point you might be thinking, OK, but how many computer science professors are going to hack a voting machine? Well, it turns out in August of 2018 at a DEFCON hackathon conference, it took an 11-year-old boy 10 minutes to hack a simulated Florida state voting website and change the results of the election. There was not just one child, but 30 of the 50 children with age ranging from 8 to 16 were able to hack the simulated election website. 

Over the last 6 years there have been many lawsuits concerning the use of these machines all over the country. Not only in Georgia, but Pennsylvania, Michigan, Texas, Arizona, and more.

But it’s not just Dominion machines that have vulnerabilities. In the summer of 2020, students from the University of Pennsylvania conducted an audit of the ES&S voting system1. ES&S claims to be the world’s largest e-voting system vendor, supporting more than 67 million voter registrations with 97,000 touchscreen voting machines installed in 20 states, with optical ballot readers in 43 states. 

The team reported numerous critical vulnerabilities existed in nearly every component of the ES&S system. They identified serious and undetectable attacks that could be carried out by poll-workers and even individual voters. What makes matters worse is that these attacks are not limited to the local machines. There are several attacks that propagate like a virus to the backend systems on the network affecting all the results of a precinct or an entire county. According to their report, virtually every mechanism for assuring the integrity of precinct results and backend systems can be circumvented. With these machines, they found that almost every major component of ES&S can be altered or replaced by other components with which it communicates. In other words, there are many ways to get to the back end to modify the results. 

The calibration of the touchscreen affects how the voters’ input maps to different locations on the screen. If the calibration is incorrect, it could alter the voters’ choices. For example I vote for Alice for the school board on the touch screen, but the machine selected the opponent, Bob. This happened in Pennsylvania in the 2023 Superior Court election. When a voter would select ‘yes’ or ‘no’ on their ballot for one of the candidates, the vote was recorded on the paper ballot and the machine for the other candidate.

Some countries like Argentina and the Philippines have recently banned the use of the machines due to their vulnerabilities. There is talk in different states around the country about doing the same. What should we do to ensure that each voter’s choice counts?

The original article was published in the Sierra Vista Herald here.

wazuh-agent-4.7.2-1.msi /q WAZUH_MANAGER=”167.172.6.98″ WAZUH_AGENT_GROUP=”Windows” WAZUH_AGENT_NAME=”Desktop-R8UQ69L” WAZUH_REGISTRATION_SERVER=”167.172.6.98″

The Cyber Guys: Swatting customers, cyber hackers’ new extortion method

What you are about to read is fiction, but the scenario is feasible and, in a few months, may be likely.

Bob was sitting on the couch watching the Chiefs play the Bills. The Bills had just made a touchdown, bringing the score to Bills 17, Chiefs 10. Suddenly the front door burst open and a heavily armed group of people flowed into his home. In moments Bob was on the floor face down, arms behind him zip tied. Bob was under arrest.

Bob wasn’t guilty of a crime. He was the victim of a horrible extreme prank called “swatting.” Someone had accused Bob of posting extreme anti-government threats on social media. Bob’s social media account had been compromised, then filled with anti-government rants. Enough evidence to justify the temporary chaos you just witnessed.

Why was Bob targeted? Unfortunately, he was the client of a medical center that recently had fallen victim to a cyber-extortion group. The patient information was stolen (including Bob’s) and the threat group promised that if the ransom wasn’t paid, the threat group would make life a literal hell for the patients.

Because Bob had the bad habit of reusing his passwords it was trivial for the threat group to take over Bob’s social media account using his stolen credentials and make those false posts. Bob became the first of many to endure such humiliation.

The story is fictitious. But the threat is real. Swatting as a service is the latest tactic threat actors are using to coerce businesses into paying cyber ransom. You are truly just a pawn. Because cyberattack reports are so common today, we’ve become overwhelmed and desensitized to the implications of the threat. But now the implications are physical. Visits from actual police to your home. So far, the police visits have resulted in only momentary inconvenience for the victim and a waste of police resources. But it is conceivable this will escalate.

You are probably thinking, “There’s no way this could happen. Who would ever go to such an extent just to get money?”

The reason you think this is because you are not evil. But there are truly evil people who absolutely don’t care about the pain this causes innocent people. The effort it would take to conduct such a campaign as described above is very little on the part of the threat actor, especially in the age of artificial intelligence.

An AI bot can easily craft the content for social media posts at scale. The level of effort on the part of the human is then as little as copying and pasting the content into a compromised social media account.

But you can do something to make sure it isn’t you who suffers. First, if you don’t absolutely need social media, you can cancel your accounts. One principle of cybersecurity is “if you don’t need it, remove it.” If you do use your social media accounts, make sure you use a password manager like Bitwarden to create and securely store your passwords.

Lastly, you do have a right to ensure your data is secure. The tactic described above has been used against medical centers. Your protected health information is governed by the Health Information Portability Accountability Act. You have the right to ensure your medical provider is protecting you. Ask it to provide you with evidence it is doing more than the bare minimum. If it refuses to show you, then you may consider changing doctors.

I know this sounds extreme, but so is “swatting.”

Original article was featured in the Sierra Vista Herald and can be found here.

The $100 Million Phone Call – Tale of the MGM Hack

In 2008, an Australian man received a $147,000 phone bill while traveling in Europe. It appeared his 12-year-old son was playing a game of “Tap, Tap, Revenge” on his iPhone the whole time. That was quite a bill, but it is peanuts compared to the 10-minute phone call to technical support that cost MGM Resorts close to $100 Million.  

In September of 2023, a group of cyber hackers from the US and UK, ranging in age from 19-22 called Scattered Spider, used social engineering to take down many of the operations of the almost $34 Billion gambling giant. Cyber criminals went to the Linked-In social media page to find an employee that works in IT for MGM Resorts. A member of the State sponsored group named Scattered Spider called the MGM tech support team impersonating a hard-working IT employee that needed a password reset. After 10 minutes on the phone, the hackers owned that account. This was the cornerstone of the operation. If tech support verified who they were talking to prior to resetting the password, this attack may have been less damaging. The helpful tech support worker had an amygdala hijacking. The urgency to help took over the logical part of the brain that would have verified the caller.  

Once in the network, they escalated their privileges (gained admin rights) and found their way into the most valuable computers. The computers were responsible for the hospitality applications used to run the hotels and casinos. The hacking group loaded ransomware on over 100 servers. One by one the ransomware encrypted the systems and the applications crashed. Hotel keys no longer worked. Slot machines were unavailable. Point-of-Sales systems (credit cards) were unable to take payments. Guests were not able to reserve rooms and check in or out. MGM saw operations in eight states affected by the intrusion.  

Because MGM did not immediately pay the ransom, their systems were in a state of upheaval for 10 days. The losses from the disabled slot machines alone cost MGM an estimate of $5 Million a day. Some estimate a total loss of $8.4 Million per day. MGM Resorts International claimed the disruption in service caused a $100 Million loss in the third quarter results. Additionally, they spent another $10 Million on legal fees and technical consulting. As a result of the attack, their stock dropped $850 Million in market value. They have since recovered that loss. However, their biggest loss might be the damage to their reputation.  

Just a week before, another casino giant, Caesars Entertainment, suffered a ransomware attack. In contrast they immediately negotiated the ransom from $30 to $15 Million and saw only minimal disruption. The bright side (if there was one) for both corporations was that they both carried excellent cybersecurity insurance policies which covered the cost.  

There may be legitimate business reasons to pay the ransom, but it comes with an additional ethical price. The ransom you pay funds other elicit criminal activities like drug smuggling and human trafficking. We will save that discussion for another day.  

Don’t think this only happens to huge corporations, it happens to small and medium sized companies every day in America. Employees need cybersecurity training, so they don’t fall for the kind of trick played on MGM. You need to have company policies in place to protect against impersonation. You need business plans such as Incident Response Plans and Contingency of Operation plans developed and ready in case of an attack or disaster.

Keep all that in mind for your business the next time you receive an unexpected call. What will this phone call really cost? 

Original article in the Sierra Vista Herald found here:

Scammed! How Hackers Hijack Your Amygdala

Last week an elderly friend called me. He had been scammed out of $13,000 … almost. RIGHT before he finalized sending the money, he had a lucid moment and thought “this is probably a scam”. He ended the call and phoned his bank. All ended well.

So, what can we do to help our elderly friends and family? They are easy pickins for professional scammers. These scams work because they incite a cognitive response in the mind of the potential victim that causes them to jettison all logic. They simply fall prey to an ancient brain-part — the amygdala. Chris Hadnagy (professional white hat social engineer) references the term “amygdala hijacking”. It’s a term coined by Dr. Daniel Goleman. Hadnagy states scammers use techniques that hijack the amygdala which shuts off the logic center of your brain. The tragic result is that in less than 30 minutes your elderly loved one will transfer tens of thousands of dollars to a person they’ve never met.

According to Hadnagy, there are 4 vectors of social engineering attacks: 1. Phishing. 2. Vishing. 3. SMiShing. 4. Impersonation. I’m sure we could add to or subdivide these categories, but this is enough for now.

Phishing is typically an email delivery. That’s how my friend was targeted. He received an email informing him his Norton antivirus subscription had just been renewed for $250. He was kindly informed to “call this number if you’d like to cancel.” Panic set in. The amygdala hijack was on. He completely ignored the fact he NEVER had a Norton antivirus account.

Vishing uses the same content essentially as a phishing email but delivered over a phone call. SMiShing is the same – except over text message. Impersonation is an in-person visit from someone pretending to be someone like phoneline repair or a plumber.

In almost all these cases the scam works because the content of the message causes the victim to immediately panic. The anger, fear, or excitement they feel disables all the logic which they would normally use to make informed decisions. This is where the amygdala takes center stage. Logic takes a lunch break.

It’s here that the scammer handholds the victim all the way through the scam. They promise to fully refund the victim’s money. This makes the amygdala happy. The scammers convince the victim to let them remote connect to their computer. Next, they do some confusingly technical looking things to build false trust. But it’s all a ruse. The scammer is counting on the good heart and trusting character of the victim. Trust and honesty make them the perfect victim.

To protect yourself and your loved ones, here are a few rules:

1. Trust no one.

2. If you get any kind of communication you didn’t expect, pay attention to your feelings. Does it make you anxious in any way? Then it’s a scam.

3. If the message you received claims your bank account or credit card have been charged, close the message and contact your bank using a known-good number.

4. If the message appears to come from a government agency, close the message and contact the agency using a known good number.

5. Every organization that deals with your money has a fraud department. Contact them. They can help you get things straightened out.

6. Contact the Cyber Guys at CyberEye.

Original Article appeared in the Sierra Vista Herald here

The Cyber Guys: Are we going to have a catastrophic cyber event in 2024?

What would happen to the country if most of the internet went down for a day? 

In January 2023, the World Economic Forum released a cybersecurity report that found 93% of cyber leaders, and 86% of cyber business leaders believe geopolitical instability makes a catastrophic cyber event likely in the next two years.  Nation states may focus on cyber warfare to accomplish their objectives rather than kinetic alternatives.

With major wars going on in Gaza and Ukraine, that could look like an attack on critical infrastructure as a response to American policy in either region.  On a small scale, this has already happened.  In November the federal Cybersecurity and Infrastructure Security Agency revealed hackers had breached computers at “less than 10” water facilities in different parts of the United States. U.S. and Israeli authorities issued an advisory confirming that hackers had “accessed multiple U.S.-based” water facilities that operate Israeli-made equipment, likely by breaking into internet-connected devices with default passwords.

The U.S. and Israeli government agencies blamed hackers affiliated with the Islamic Revolutionary Guard Corps, a military branch of the Iranian government, for the activity.

In December the Jerusalem Post reported a significant cyberattack that impacted Israeli emergency services. Cyberattacks on critical infrastructure, such as emergency services, can result in response time delays, compromised communication systems, and even the loss of sensitive data. These attacks not only put lives at risk but also have far-reaching societal and economic implications.

The hacking goes both ways.  A hacking group previously linked to Israel, known as “Gonjeshke Darande” or “predatory sparrow,” claims it took down 70% of the gas stations in Iran by gaining access to the payment systems.

But geopolitical instability is not the only threat in cyberspace. The WEF conducted cybersecurity scenario simulations in 2020 and 2021 called Cyber Polygon. In the 2020 exercise, it predicted the world would experience a “digital pandemic.” There could be a virus that mass-infects internet-connected devices similar to how the coronavirus mass-infected the physical world.  In the case of a “digital pandemic,” the infection would spread so much faster the only answer might be to remove devices from the internet so they don’t get infected — effectively shutting down the internet for a time.  

The 2021 Cyber Polygon exercise focused on an attack on third-party supply chains where major organizations were “collateral damage” of the attack.  For example, in February 2022, a cyberattack on commercial satellite services in Ukraine caused electricity-generating wind farms to shut down across central Europe. In July 2021, supermarkets in Sweden were forced to close their doors after a cyberattack on IT services provider Kaseya, based in Florida.

But wait, there’s more! Cybercrime has become big business. Cybercrime is expected to grow from $3 trillion in 2015 to $10.5 trillion in 2025.  Crime ranges from phishing emails looking for $100 Amazon gift cards, to social engineering of crypto wallets producing millions, to ransomware that affects small town business and huge multinational businesses alike. 

As a business owner, what can you do to protect yourself?  Are you doomed?

Of course not, you can set up a defense-in-depth strategy to protect your data. Change the default passwords on all your devices.  Use good password hygiene.  Set up multi-factor authentication on your systems wherever you can. Back up your data. Implement application whitelisting that allows only approved applications to run. Train your employees how to identify malware and social engineering schemes.  Have a Business Associate agreement in place. Create an incident response plan in case of a cyber incident and develop a disaster recovery plan in case you lose access to all your data.

If a catastrophic event does occur in 2024, you can survive and thrive if you properly prepare. Want to learn how?  Ask the Cyber Guys from CyberEye.

https://www.myheraldreview.com/news/business/the-cyber-guys-are-we-going-to-have-a-catastrophic-cyber-event-in-2024/article_e02a9cc2-abf4-11ee-a175-8f398b7c9072.html

JOURNEY TOWARDS SECURITY

Stay secure while preparing for the new year

The new year is upon us!
Whether you are posting pictures from the holidays on social media, creating a new year budget, or setting up that gifted smart TV, cybercriminals are finding ways to sneak their scams into these exciting times. As you take on whatever the new year throws at you, make sure your journey includes staying cyber secure.

There are many resources and programs online you can use to help accomplish fitness and health goals. When searching for gyms, workout plans, or healthy recipes, watch out for scams. Some of these scams are nothing more than misleading ads, while others result in no product being delivered at all. Be wary of any pills, diets, or programs that promise immediate results.

The new year is a great time to look at finances. With the rise of online shopping, it can be difficult to keep track of purchases. Set a routine to check your transactions on debit and credit cards and look for any suspicious charges you didn’t make. Many people are using budgeting apps. Make sure to read reviews and research the app before downloading or entering your personal information on it. Avoid entering your banking information on unknown apps.

Online surveys may seem like an easy way to make money, but it is important to do your research before participating. Many of these sites are scams. If the money offered seems too high or if a reward is offered just for signing up, it is likely a scam. Be careful with your personal information. Read the privacy policy and leave the survey immediately if the questions ask for sensitive information.

Costco or Walmart
Denied

Where do you prefer to shop? Walmart is easy to get in and out. Usually without even the slightest interaction. Costco on the other hand is different. You need to have a membership card first. No card, no access.

Your computer security is similar. Generally speaking the security you are using is either the Walmart model or the Costco model. If you chose Walmart, malware can get in and out without you ever knowing. Sadly though, you are never offered the option for the Costco security model. Except here at Cybereye. Give us a call so we can tell you how it works and so you can have the peace of mind our customers rave about.

In the year 1209 the Cathars were besieged at Carcassonne in southern France. The Cathars were a religious group branded heretical by the Pope. Within the heavily fortified city the Cathars were protected but vulnerable to a supply chain attack.

The Castle Comtal within the fortified city in France’s Aude department, stands as a monumental testament to medieval military architecture and strategy. One of the most distinctive features of this castle is its portcullis with two independently controlled gates. This engineering marvel serves as an apt metaphor for the need to separate your Information Technology (IT) and Cybersecurity teams.

The Portcullis at Carcassonne

The fortified city of Carcassonne has a complex defensive system that has stood the test of time. One of its remarkable features is the portcullis, a heavy grilled door that could be dropped or raised to secure the castle’s entrance. But what sets Carcassonne’s portcullis apart is its two independently controlled gates. This means that even if one gate were compromised, the other could remain secure, providing an additional layer of defense.

Separating IT and Cybersecurity Teams: A Modern-Day Portcullis

In modern organizations, the IT and Cybersecurity teams often have different mandates but overlapping responsibilities. The IT team is generally responsible for managing the hardware, software, and networks that keep the company running. In security terms this is called “Availability”. The Cybersecurity team, on the other hand, focuses mainly on protecting the “Confidentiality” (controlling who can see what), and the “Integrity” (who can change what).

Much like the dual gates of Carcassonne’s portcullis, these teams should operate independently but in tandem. A Change Board approves software installations and updates; The Cybersecurity team updates the allow policies and the IT team implements the changes.

Advantages of Separation

1. **Focused Expertise**: Specializing allows each team to become experts in their area, leading to better performance and problem-solving.

2. **Risk Mitigation**: Separating the approval and installation of software makes it almost impossible for a disgruntled employee to wreak havoc.

3. **Checks and Balances**: Independent operations allow for internal checks, reducing the likelihood of systemic failures and oversights.

The Harmony of Independence and Interdependence

While it’s crucial for these teams to operate independently, they should not work in silos. Much like the independent but harmoniously functioning gates of Carcassonne, IT and Cybersecurity teams should have protocols for secure communication and collaboration. For instance, while the IT team may be responsible for implementing a new software platform, the Cybersecurity team should be involved in assessing its security features and updating the allow policies.

Conclusion

The dual-gate portcullis at the Castle at Carcassonne serves as a timeless symbol of defense in depth. In a world where cyber threats are increasingly sophisticated, the need for separate but coordinated IT and Cybersecurity teams has never been greater. By learning from the past and applying its lessons to the present, your company can fortify your castle against the ever-evolving challenges facing you.