Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself. The good news is that most of us have learned to spot obvious phishing attacks these days. The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.
You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.
Spear-phishing, where the fake emails really are believable, isn’t just an issue for high-profile victims of the world.
Acquiring the specific data needed to come up with personalised phishing emails is easier than you might think, and much of the data gathering can be automated.
Tips for you
So here are our 5 tips for dealing with phishing attacks, especially if you’re facing a crook who’s willing to put in the time and effort to win your trust instead of just hammering you with those “Dear Customer” emails:
1. DON’T BE SWAYED JUST BECAUSE A CORRESPONDENT SEEMS TO KNOW A LOT ABOUT YOU
Someone who has never met you, and never will, can nevertheless easily project themselves as an “insider” – a friend-of-a-friend, perhaps, or a colleague you’ve worked with electronically but never met face-to-face.
With a mixture of information collected from already-public data breaches, social media profiles and historical emails that you sent or received, even a modestly funded crook without much technical savvy can sound a lot more convincing than “Dear Customer.”
2. DON’T RUSH TO SEND OUT DATA JUST BECAUSE THE OTHER PERSON TELLS YOU IT’S URGENT
A lot of email scams work because the crook wins your trust, or makes you think they are someone high up the organisational chart in your own company, and then stresses how urgent the task they’ve just given you is.
They will often resort to flattery, too, by explaining why they are asking you and not anyone else, and impress on you that the task is confidential and therefore must not be discussed with anyone else.
Never treat it as prudent that the other person is demanding total secrecy – treat it as suspicious instead.
3. DON’T RELY ON DETAILS PROVIDED BY THE SENDER WHEN YOU CHECK UP ON THEM
You’d think that scammers would try very hard to discourage you from checking up on them – but sometimes they’ll not only welcome it but actively urge you to call or message them back, or visit their website, as part of the scam.
If you call them back on the phone number they gave you, or message them via the website they provided, you are simply offering them an opportunity for them to tell you the very lies they want you to hear.
(That’s why financial institutions print their emergency contact numbers on the back of your bank card and put them on the welcome screens of their ATMs – those sources are much harder for crooks to tamper with.)
4. DON’T FOLLOW INSTRUCTIONS ON HOW TO VIEW AN EMAIL THAT APPEAR INSIDE THE EMAIL ITSELF
A common ruse is for crooks to hide malicious content – such as data stealing software called macros – inside innocent-looking document files, and then to preface the “document” with instructions on how to view it “correctly” by changing various security settings.
Usually, the instructions sound quite plausible, but the crooks are in fact tricking you into turning off the very security features that would keep you safe.
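As an added illustration for the IT side of this tip (this code is not from the original article or from Sophos): the check below looks inside an Office document for the VBA macro part. OOXML files (.docx, .docm, .xlsm and friends) are ZIP archives, and a macro project is stored as a part named vbaProject.bin, so a mail gateway or helpdesk script can flag macro-carrying attachments before a user is ever asked to "enable content". The build_sample() helper constructs a minimal stand-in archive so the example runs offline; real Word files contain many more parts, and legacy binary .doc/.xls files use a different container that this check does not cover.

```python
import io
import os
import zipfile

# OOXML documents are ZIP containers; a VBA project is stored as a part whose
# name ends in vbaProject.bin (e.g. word/vbaProject.bin, xl/vbaProject.bin).
MACRO_PART_SUFFIX = "vbaproject.bin"
# Extensions that openly advertise macros; anything else carrying a VBA part is odd.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def has_vba_project(document_bytes: bytes) -> bool:
    """Return True if the OOXML archive contains a VBA macro part."""
    try:
        with zipfile.ZipFile(io.BytesIO(document_bytes)) as archive:
            return any(name.lower().endswith(MACRO_PART_SUFFIX) for name in archive.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML container (legacy .doc/.xls need a different parser).
        return False


def classify_attachment(filename: str, document_bytes: bytes) -> str:
    """Triage an attachment: 'macro' if a VBA project is present and the extension says so,
    'mismatch' if the extension does not advertise macros but a VBA part is embedded,
    'clean' if no VBA part is found."""
    ext = os.path.splitext(filename)[1].lower()
    macros = has_vba_project(document_bytes)
    if macros and ext not in MACRO_EXTENSIONS:
        return "mismatch"
    if macros:
        return "macro"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like archive for offline testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00constructed-placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in (("report.docm", build_sample(True)),
                          ("report.docx", build_sample(True)),
                          ("report.docx", build_sample(False))):
        print(name, "->", classify_attachment(name, payload))
```

A 'mismatch' result is worth a second look on its own: a document that hides a macro project behind an extension that does not advertise macros is exactly the kind of thing that arrives with "instructions on how to view it correctly".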
5. DON’T BE AFRAID TO GET A SECOND OPINION
If you’ve ever asked colleagues to proofread your documents or emails, they will often have found mistakes that you can’t believe you missed yourself.
That’s because a second opinion goes an awfully long way.
In fact, that’s the main reason why crooks urge you not to tell anyone what you are up to – to stop you getting a second opinion and thereby catching them out.
Tips for IT
While we’re about it, here are 3 bonus tips for IT staff and sysadmins, too:
1. DO SET UP A SINGLE POINT OF CONTACT FOR STAFF TO REPORT CYBERSECURITY ISSUES
Most spear-phishing works not because staff want to do the wrong thing but because they’re keen to do the right thing, and to be helpful at the same time by giving great customer service to everyone.
No one wants to risk being remembered as “the ex-colleague who got fired for telling our most important customer to take a hike”.
By providing a reporting point such as an internal address like email@example.com, you’re making it easy for your users to ask for security advice before they take risks, rather than afterwards.
The only thing worse than being scammed by a spear-phishing email is finding out that the person who fell for it wasn’t the first in the company to have encountered it and that with an early-warning system you would have headed off the attack altogether.
2. DO MAKE CYBERSECURITY A TWO-WAY STREET – LISTEN TO YOUR USERS!
In the 1990s and 2000s, cybersecurity was often based on the idea that “IT knows best and will set all the rules, with no exceptions.”
But this approach tends to create a culture in which anything that isn’t blocked is blindly assumed to be safe.
Even legitimate, high-traffic websites sometimes get hacked, and if one of your users just happens to be the first person to notice, you want them to tell you, not to shrug it off and ignore the problem.
3. DO CONSIDER PHISHING SIMULATIONS
Products like Sophos Phish Threat can expose your users to the sort of tricks that spear-phishers use, but in safety so that if they do fall for it, no real harm is done.
As long as you make it clear that your phishing tests are there to help users to learn, not to keep tabs on them simply to catch them out, then everyone benefits.
After all, some of your staff are probably already receiving dozens of real-world phishing and spear-phishing emails every month – so even if you’re not testing your users then the crooks certainly are!
In the realm of protecting digital information, a man-in-the-middle (MITM) attack is one of the worst things that can happen to an individual or organization. MITM attacks happen when an unauthorized actor manages to intercept and decipher communications between two parties and monitors or manipulates the exchanged information for malicious purposes.
For instance, hackers can stage MITM attacks to steal sensitive data, such as account credentials or credit card information, or they can use them to deliver malware-infected files and applications while posing as legitimate sources.
During an MITM attack, each of the legitimate parties, say “A” and “B”, thinks it is communicating with the other. But in reality, their exchanges are going through “E”, the eavesdropper, who stands between them, posing as “A” to “B” and as “B” to “A”. “E” can decide to change the information before passing it on from “A” to “B”, or she can just sit there and silently record their exchanges for future use.
One common example is what is referred to as a Man-in-the-Browser (MitB) attack, a form of MitM, where the attacker compromises the client web browser, typically with the aid of malware. Once the browser is controlled by the attacker, it can steal data that is sent and received through it and alter both what is presented to the user and what is communicated to the server. MitB attacks are commonly used to attack online banking services by stealing credentials and/or carrying out fraudulent transactions once the user is logged into their account.
There are eight types of Man in The Middle attacks:
- DNS spoofing
- IP spoofing
- Wi-Fi eavesdropping
- HTTPS spoofing
- SSL hijacking
- Email hijacking
- Session Hijacking
- Man in the Browser
1. DNS Spoofing
The domain name system (DNS) is the technology that translates domain names to the IP address of the corresponding server. DNS is one of the most important infrastructural protocols of the internet and is meant, among other purposes, to ease communications and relieve humans of the trouble of memorizing the IP address of every server they communicate with. When you type the address of a domain into your browser, a name resolution request is sent to a DNS server, which then looks up the domain name in its directory and returns the IP address of the corresponding server.
DNS spoofing is a type of attack in which a malicious actor intercepts the DNS request and returns an address that leads to their own server instead of the real address. Hackers can use DNS spoofing to launch a man-in-the-middle attack and direct the victim to a bogus site that looks like the real one, or they can simply relay the traffic to the real website and silently steal the information.
For instance, a victim wants to visit a banking website. The attacker intercepts the victim’s browser request and, instead of returning the IP address of the real Choice Bank web server, returns the IP address of a malicious web server. That server will serve a login page that looks similar to that of the authentic website, but as soon as the victim types in their username and password, the information is sent to the attacker’s servers.
Detecting and blocking DNS spoofing is an intricate process. There are several measures that can protect you from MITM attacks through DNS spoofing.
DNS spoofing requires the attacker to have access to your local network, so the first and most important measure is to set up good perimeter security and prevent unauthorized access to your local network. If you’re using Wi-Fi at your organization, you can set up WPA-Enterprise security, which requires every connecting user to have their own username and password instead of sharing a single password for the entire network.
Another protection against DNS spoofing is the use of encrypted communications. Malicious actors can easily spoof unencrypted websites. But on HTTPS communications, it is very difficult, because even though malicious actors might stage a DNS spoofing attack on the website, they won’t be able to spoof the certificate, the digital document that verifies the encryption keys of the website. So a user who has been the target of DNS spoofing on an encrypted website will see a warning in their browser, telling them that the certificate of the website they’re visiting can’t be verified.
2. IP Spoofing
Every computer in a network is identified by an internet protocol (IP) address, which it uses to communicate with other devices on the same network. IP addresses come in different forms; the more common form, known as IPv4, gives each computer a 32-bit identifier (e.g. 192.168.X.X).
On some networks, security of digital assets and applications is maintained by specifying which IP addresses can access which resources. An IP spoofing attack happens when a malicious actor masks their identity by presenting themselves with the IP address of a legitimate device to gain access to resources that would otherwise be beyond their reach.
For instance, access to a server might be limited to a specific set or range of IP addresses. A hacker manipulates their network packets so that the sender’s address reads as that of a legitimate computer. By doing this, the attacker tricks the server into thinking the packets are coming from an authorized device.
Hackers use IP spoofing in a number of different ways, including staging DDoS attacks, in which attackers drain the resources of a server by flooding it with bogus network traffic. IP spoofing can also be used in man-in-the-middle attacks. In this case, the attacker stands in between two communicating parties, spoofing each of their addresses to the other. This way, each of the victims sends their network packets to the attacker instead of directly sending it to its real destination.
The biggest defense against MITM attacks conducted through IP spoofing is to use encrypted communications. When the information exchanged between two parties is encrypted with a key that only they hold, even a malicious party that manages to intercept the traffic won’t be able to read or manipulate its contents. Authenticating user identities also prevents hackers from gaining unauthorized access to network resources simply by spoofing their IP address.
3. Wi-Fi Eavesdropping
Also known as an “Evil Twin” attack, Wi-Fi eavesdropping is a type of man-in-the-middle attack that tricks unsuspecting victims into connecting to a malicious Wi-Fi network. To perform Wi-Fi eavesdropping, a hacker sets up a Wi-Fi hotspot near a location where people usually connect to a public Wi-Fi network. This can be a hotel, a restaurant or your local coffee shop. The hacker then names the hotspot after the actual public network that people use in that location (hence the name “evil twin”).
Since people usually set their devices to remember and automatically reconnect to known Wi-Fi networks, as soon as they come in the vicinity of the malicious hotspot, they automatically connect to it. The user will then think they have been connected to the legitimate network.
Since they are acting as the gatekeeper to the internet, the attackers can now perform a number of man-in-the-middle techniques. For instance, they can perform SSL stripping attacks to force users to go through the unencrypted versions of their favorite websites, or they can stage DNS hijacking to redirect users to bogus versions of the websites they’re trying to connect to.
For instance, say a victim usually uses the Wi-Fi network of a Starbucks where she eats breakfast. A hacker who wants to stage a man-in-the-middle attack on the victim goes to the same coffee shop and picks up the ID and password of its Wi-Fi network. Then, the attacker sets up his own Wi-Fi network with the same name and password using a router or a laptop computer. Now, devices of users who have previously connected to the coffee shop network (including the victim) will automatically connect to the evil twin when they come within its network range. The attacker can then use the connection to stage man-in-the-middle attacks.
Because of this and other threats, public Wi-Fi networks are considered extremely unsafe, and most security experts will recommend not using them for any sensitive task such as banking or connecting to social media accounts. However, if you absolutely have to use a public Wi-Fi network, there are a couple of things you can do to make sure you don’t fall victim to Wi-Fi eavesdropping.
One of the most important measures is to disable automatic Wi-Fi connections and make sure you manually select which networks you want to use. It will be a little less convenient, but at least you’ll have a greater chance of avoiding evil twins and MITM attacks.
Another very important protective measure to prevent MITM through Wi-Fi eavesdropping is to use a virtual private network (VPN). VPNs create a secure channel for all your internet traffic, encrypting everything and sending them through an intermediate server. When using a VPN, even if a hacker manages to intercept your communications, all they will see is a stream of encrypted data, and they won’t be able to make sense of it. They won’t even be able to figure out which sites you’re browsing to, so they won’t be able to redirect you to their own malicious copies of the websites.
4. HTTPS Spoofing
Basically, HTTPS websites can’t be spoofed. But that doesn’t mean hackers can’t create websites whose domains look very similar to that of the targeted website. HTTPS spoofing, also known as a homograph attack, replaces characters in the targeted site’s domain with non-ASCII characters that are very similar in appearance. The attack exploits Punycode, the standard encoding that enables the registration of hostnames containing non-ASCII characters.
To stage homograph attacks, hackers register a domain name that is similar to the target website, and they also obtain an SSL certificate for it to make it look legitimate and secure. Then they send a link to their intended victim. Since most browsers render punycode hostnames in their address bar in their decoded, lookalike form, when the user browses to the address, they won’t notice that it is a bogus version of the site they expect to visit. Their browser even shows that the website’s certificate is valid, making the attack even harder to detect.
From there, while the user thinks they are interacting with a legitimate encrypted website, they have in fact fallen victim to a man-in-the-middle attack and are giving away their information to a malicious actor.
One way to prevent HTTPS spoofing is to disable punycode display support in your browser. This makes sure the real, encoded domain name is shown in the address bar and warns you when you’re visiting a non-authentic website.
Another protection against homograph attacks is to use a password manager. Password managers automatically fill in the username and password boxes only when you’re visiting the legitimate domain. They’re not fooled by the appearance of punycode representations.
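To make the homograph problem concrete, here is an added example (not part of the original article) that converts a hostname to the punycode form DNS actually resolves and flags labels that mix Unicode scripts, which is the check a mail filter or a link-scanning proxy can apply. The sample hostnames are constructed: the lookalike replaces the Latin “a” in apple.com with CYRILLIC SMALL LETTER A (U+0430). The script of each letter is taken from its Unicode character name, which is a heuristic rather than a full confusables check.

```python
import unicodedata

# Constructed samples. The second one starts with CYRILLIC SMALL LETTER A (U+0430),
# which most fonts draw exactly like the Latin 'a'.
LEGIT_HOST = "apple.com"
LOOKALIKE_HOST = "\u0430pple.com"


def to_punycode(hostname: str) -> str:
    """The ASCII-compatible ('xn--') form that DNS resolves and that a browser shows
    when punycode display is disabled."""
    return hostname.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of the
    Unicode character name: 'LATIN SMALL LETTER A' -> 'LATIN',
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def homograph_report(hostname: str) -> dict:
    """Per-label findings plus two summary flags: 'suspicious' when the displayed form
    differs from the DNS form at all, 'mixed_script' when a single label mixes scripts
    (the classic 'one Cyrillic letter in a Latin word' trick)."""
    findings = []
    for label in hostname.split("."):
        scripts = scripts_in(label)
        findings.append({
            "label": label,
            "non_ascii": not label.isascii(),
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
        })
    return {
        "display": hostname,
        "punycode": to_punycode(hostname),
        "labels": findings,
        "suspicious": any(f["non_ascii"] for f in findings),
        "mixed_script": any(f["mixed_script"] for f in findings),
    }


if __name__ == "__main__":
    for host in (LEGIT_HOST, LOOKALIKE_HOST):
        report = homograph_report(host)
        print(f"{host!r} -> {report['punycode']}  suspicious={report['suspicious']} "
              f"mixed_script={report['mixed_script']}")
```

A fully Cyrillic lookalike (every letter swapped) would pass the mixed-script test, which is why the report also carries the plain non_ascii flag; a policy that shows or quarantines any link whose punycode form differs from its displayed form is the simpler and stricter rule.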
5. SSL Hijacking
Another form of man-in-the-middle attack happens when a hacker manages to stage an SSL stripping scheme against the victim. As we mentioned previously, hackers can’t break into legitimate HTTPS traffic between a client and a server even if they manage to intercept and relay the communications.
In the case of SSL stripping, the attackers downgrade the communications between the client and server into unencrypted format to be able to stage a MITM attack.
When a victim wants to connect to a server, the attacker intercepts the request and creates an independent, legitimate connection to the server through HTTPS protocol. When attackers receive the server’s response, they relay it to the victim in unencrypted format, posing as the server. Thinking they’re communicating with the legitimate party, the victim will continue to send information to the attacker, who will then relay it to the server in HTTPS.
To give an example, say a banking website receives several complaints of man-in-the-middle attacks and hijacked accounts and decides to roll out a secure version of its website. A hacker monitoring a potential victim sees the target trying to visit the HTTPS version of the website and intercepts the request. From there the attacker sends a request to the login page of the website and returns the unencrypted response to the victim. When the victim types in their username and password and clicks the login button, the hacker steals the login information before sending it on to the server.
Wary users will notice that they’ve been targeted by an SSL stripping attack if they look in their browser’s address bar and see that they’re connected through the unencrypted HTTP protocol. You can also install HTTPS Everywhere, a browser extension that enforces HTTPS communication wherever possible. HTTPS Everywhere will prevent an uninvited party from downgrading your communications to HTTP.
Another measure to protect against SSL stripping is to make sure your local network is secure and unauthorized parties don’t have access to it. SSL hijacking requires access to your local network. At the corporate level, setting up strong firewalls will also prevent outside parties from gaining access to your local network and moving laterally to stage MITM attacks.
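Server operators have a counterpart to the browser-side HTTPS Everywhere advice: never serve content on plain HTTP except to redirect, and send the Strict-Transport-Security (HSTS) header over HTTPS so the browser refuses to downgrade on later visits. The added example below is not from the original article; it sketches both halves as plain functions. server_response() stands in for a web server, and HstsCache mimics what a browser, or a rule-based extension, does with the policy. The hostnames, the max-age value and the preload argument are assumptions for the demonstration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 31536000  # one year in seconds (assumed policy value)


def server_response(url: str) -> dict:
    """Constructed server behaviour: plain-HTTP requests get a redirect and nothing else;
    HTTPS responses carry the HSTS header that pins the policy in the client."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        target = urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
        return {"status": 301, "headers": {"Location": target}, "body": ""}
    return {
        "status": 200,
        "headers": {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}; includeSubDomains"},
        "body": "<login form>",
    }


class HstsCache:
    """Client side: remember hosts that sent HSTS over HTTPS and rewrite any later
    http:// URL for them to https:// before a request leaves the machine."""

    def __init__(self, preload=()):
        # Preloaded hosts (assumed list) never expire, like a browser's built-in list.
        self._until = {host: float("inf") for host in preload}

    def observe(self, url: str, response: dict) -> None:
        parts = urlsplit(url)
        header = response["headers"].get("Strict-Transport-Security")
        # Browsers ignore HSTS delivered over plain HTTP: a stripping attacker could
        # otherwise set a bogus policy, or more likely simply drop the header.
        if parts.scheme != "https" or header is None:
            return
        for directive in header.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age":
                self._until[parts.hostname] = time.time() + int(value)

    def upgrade(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme == "http" and self._until.get(parts.hostname, 0) > time.time():
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    first = "http://bank.example/login"
    print("first visit:", cache.upgrade(first), "->", server_response(first)["status"])
    cache.observe("https://bank.example/login", server_response("https://bank.example/login"))
    print("later visit:", cache.upgrade(first))  # rewritten to https before any bytes are sent
```

The weak point is visible in the test: the very first visit still goes out over HTTP and relies on the redirect, which is exactly the moment SSL stripping targets. That first-visit gap is what the HSTS preload list (and, on the client, an extension's rule list) exists to close.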
6. Email hijacking
Email hijacking is another form of man-in-the-middle attack, in which the hacker compromises and gains access to a target’s email account. The attacker then silently monitors the communications between the client and the provider and uses the information for malicious purposes.
For instance, at an opportune moment, the attacker might send a message from the victim’s account to their bank and instruct them to transfer funds to the attacker’s bank account. They might also use the email to take over other online accounts tied to the email account.
Email hijacking is usually staged through phishing and other social engineering scams, in which attackers deceive victims into revealing their credentials by directing them to bogus login pages or tricking them into installing keylogger malware, which records the victim’s keystrokes and sends them to a remote server that the attacker owns.
While there are many guidelines and practices that can reduce the risk of phishing and email hijacking, the best way to prevent a malicious actor from taking over your email accounts is to strengthen your authentication. One solution is to use two-factor authentication, which requires users to have a secondary token (such as a mobile device or a physical key) in addition to the password when signing into the account. An even stronger solution is the use of passwordless authentication technologies, which totally obviate the need for passwords and make it impossible for hackers to gain access to accounts through phishing.
7. Session Hijacking
Session hijacking, also known as cookie side-jacking, is another form of man-in-the-middle attack that will give a hacker full access to an online account. When you sign into an online account like social media websites, the application returns a “session cookie,” a piece of data that identifies the user to the server and gives them access to their account. As long as the user’s device holds on to that session token, the server will enable them to use the application.
When a user signs out of an application, the server invalidates the session token and all further access to the account requires the user to re-enter their login credentials.
In a session hijacking attack, the hacker steals the user’s session token and uses it to access the user’s account. There are several ways that an attacker can stage a session hijacking attack, such as infecting the user’s device with malware that monitors and steals session data. Another method is the use of cross-site scripting attacks, in which an attacker injects a script into a webpage that the user frequently visits and makes the user’s browser send the session cookie data to a server the attacker controls. Other methods of session hijacking leverage flaws in the application’s programming to guess or reveal session cookie information.
Protection against session hijacking lies mostly on the shoulders of app developers, who have to make sure their programming practices are secure. Users can protect themselves against hijacking attacks by using encrypted communications (via HTTPS and VPN). They can also reduce the window for potential session hijacking attacks by signing out of their accounts frequently to invalidate their session cookies.
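For the developers that last paragraph points at, here is an added example (not from the original article) of the server-side controls that blunt the theft paths just described: a random session token kept in a server-side table, a Set-Cookie line carrying the Secure, HttpOnly and SameSite flags, an idle timeout, and a sign-out that invalidates the token on the server rather than merely deleting the cookie. The timeout value and the cookie name are assumptions; the clock is injectable so the expiry can be exercised without waiting.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_IDLE_TIMEOUT = 15 * 60  # seconds (assumed policy value)


class SessionStore:
    """Server-side session table. The cookie carries only an unguessable random token;
    everything about the session (user, last activity) lives here."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock, for tests and for deterministic expiry

    def create(self, user_id: str) -> str:
        # 32 random bytes: cannot be guessed or enumerated by an attacker
        # "leveraging flaws to guess session cookie information".
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id, "last_seen": self._now()}
        return token

    def resolve(self, token: str):
        """Return the user behind a live token, or None. Idle sessions are dropped,
        which bounds how long a stolen token stays useful."""
        record = self._sessions.get(token)
        if record is None:
            return None
        if self._now() - record["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        record["last_seen"] = self._now()
        return record["user"]

    def sign_out(self, token: str) -> None:
        """Invalidate on the server: a copy of the cookie taken earlier is now useless."""
        self._sessions.pop(token, None)


def session_cookie_header(token: str) -> str:
    """Set-Cookie line with the flags that close the common theft paths:
    Secure   - never sent over plain HTTP, so a network eavesdropper never sees it;
    HttpOnly - invisible to page scripts, so an XSS payload cannot read it;
    SameSite - not attached to cross-site requests."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(session_cookie_header(token))
    print("resolves to:", store.resolve(token))
    store.sign_out(token)
    print("after sign-out:", store.resolve(token))
```

Rotating the token on login (issuing a fresh one rather than reusing a pre-login value) is the other standard control, against session fixation; it is a one-line addition to create() once the store is in place.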
8. Man in the Browser
Man-in-the-browser is a form of man-in-the-middle attack where an attacker is able to insert himself into the communications channel between two trusting parties by compromising a Web browser used by one of the parties, for the purpose of eavesdropping, data theft and/or session tampering.
Man-in-the-browser is often used by attackers to carry out various forms of financial fraud, typically by manipulating Internet Banking Services.
In order to compromise the browser, adversaries can take advantage of security vulnerabilities and/or manipulate inherent browser functionality to change content, modify behavior, and intercept information. Various forms of malware, most typically malware referred to as a Trojan horse, can be used to carry out the attack.
1. Keep your CMS and plug-ins Updated.
Whether your website was built from scratch by your development team or you chose to create a personal site on a third-party turnkey platform, as a site owner it’s your job to ensure that every piece of software you run is up to date.
CMS providers like WordPress and Joomla are constantly trying to plug holes in their systems and release regular patches and updates that make their software less vulnerable to attacks. Ensure that you run these updates and have the latest version supporting your site at any given point in time.
If your site uses third-party plugins, keep track of their updates and ensure that these are updated on time as well. Often, many sites include plugins that fall into disuse over time. Clean out your website of any unused, old and non-updated plugins — they are sitting ducks for hackers to be used as a gateway to enter your site and wreak havoc on it.
2. Use Strong Passwords, Change Regularly.
Make sure your password is a combination of alphanumeric characters, symbols, upper and lower-case characters and is at least 12 characters long to prevent brute force attacks.
Do not use the same password for all your different website logins. Change your passwords regularly to keep them doubly secure. Store users’ passwords in encrypted form. This ensures that even if there is a security breach, attackers do not get their hands on actual user passwords.
And make sure everyone who has access to your website has similarly secure passwords. Institute requirements concerning length and the type of characters that people are required to use, so they have to get more creative than going with the standard, easy passwords they turn to for less secure accounts.
One weak password within your team can make your whole website more vulnerable, so set expectations for everyone who has access and hold yourself to the same high standard.
3. Make Admin Directories Tough to Spot.
An ingenious way a hacker can gain access to your site’s data is by going straight to the source and hacking into your admin directories.
Hackers can use scripts that scan all the directories on your web server for giveaway names like ‘admin’ or ‘login’ etc. and focus their energies on entering these folders to compromise your website’s security. Most popular CMSs allow you to rename your admin folders to any name of your choice. Pick innocuous sounding names for your admin folders that are known only to your webmasters to reduce the possibility of a potential breach.
4. Build Layers of Security Around Your Site.
A Web Application Firewall is your first line of defence. These solutions are designed to inspect incoming traffic and weed out malicious requests, offering protection from spam, brute force attacks, SQL injection, cross-site scripting and other threats.
5. Switch to HTTPS.
HTTPS (Hyper Text Transfer Protocol Secure) is a secure communications protocol that is used to transfer sensitive information between a website and a web server. Moving your website to the HTTPS protocol essentially means adding an encryption layer of TLS (Transport Layer Security) or SSL (Secure Sockets Layer) to your HTTP making your users’ and your data extra secure from hacking attempts.
6. Error messages.
Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs and show users only the information they need.
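The following is an added example (not from the original article) of the pattern the paragraph describes: catch errors at the request boundary, write the full traceback to the server log under a short incident id, and return only that id and a generic message to the client. The two view functions and the database error string are constructed for the demonstration; the connection string in it stands in for the kind of detail a real driver error embeds.

```python
import logging
import traceback
import uuid

# Server log only; nothing written here is ever copied into an HTTP response.
log = logging.getLogger("app")


class UserFacingError(Exception):
    """Conditions the user is allowed to learn about (invalid input, missing record)."""


def safe_error_response(exc: Exception) -> dict:
    """Record the full traceback under a short incident id and hand the client only
    that id plus a generic message, so connection strings, keys and SQL fragments
    from the underlying exception never reach the browser."""
    incident_id = uuid.uuid4().hex[:12]
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident=%s\n%s", incident_id, details)
    if isinstance(exc, UserFacingError):
        return {"status": 400, "body": {"error": str(exc), "incident": incident_id}}
    return {"status": 500, "body": {"error": "Something went wrong", "incident": incident_id}}


def handle(view, *args) -> dict:
    """Minimal request wrapper: every view runs inside one boundary catch."""
    try:
        return {"status": 200, "body": view(*args)}
    except Exception as exc:  # the boundary catch is the point of this wrapper
        return safe_error_response(exc)


# Constructed views standing in for real application code.
def leaky_db_query(account_id: str) -> dict:
    # Real driver errors often embed the DSN, password included (constructed string).
    raise RuntimeError("could not connect: postgres://app:hunter2@db.internal/accounts")


def lookup(account_id: str) -> dict:
    if not account_id.isdigit():
        raise UserFacingError("account id must be numeric")
    return {"account": account_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle(leaky_db_query, "42"))   # client sees only a generic error and an id
    print(handle(lookup, "abc"))          # a deliberate user-facing message
    print(handle(lookup, "42"))
```

The incident id is what support staff ask the user for; it lets you find the full traceback in the log without ever putting the traceback on the wire.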
7. Change your database table prefix.
If your website uses a blog or forum script, you can change the default database table prefix. For example, a WordPress blog carries the table prefix “wp.” If you change your table prefix, hackers will have a harder time getting data from your website.
Top 10 Password Policies and Best Practices for System Administrators
- Enforce Password History policy
The Enforce Password History policy will set how often an old password can be reused. It should be implemented with a minimum of 10 previous passwords remembered. This policy will discourage users from reusing a previous password, thus preventing them from alternating between several common passwords. Some tech-savvy users might try to work around the Enforce Password History policy; to prevent that from happening, use the Minimum Password Age policy.
- Minimum Password Age policy
This policy determines how long users must keep a password before they can change it. The Minimum Password Age will prevent a user from dodging the password system by using a new password and then changing it back to their old one. To prevent this, the specific minimum age should be set from three to seven days, making sure that users are less prone to switch back to an old password, but are still able to change it in a reasonable amount of time. As a system administrator you must keep in mind that this policy could also prevent a user from immediately changing a compromised password, so if the user can’t change it, it will be up to you to make the change.
- Maximum Password Age policy
The Maximum Password Age policy determines how long users can keep a password before they are required to change it. This policy forces the user to change their passwords regularly. To ensure a network’s security you should set the value to 90 days for passwords and 180 days for passphrases.
- Minimum Password Length policy
This policy determines the minimum number of characters needed to create a password. You would generally want to set the Minimum Password Length to at least eight characters since long passwords are harder to crack than short ones. For even greater security, you could set the minimum password length to 14 characters. A word of advice: if you haven’t changed the default setting, you should change it immediately since sometimes the default is set to zero characters, meaning that it allows empty passwords.
- Passwords Must Meet Complexity Requirements policy
By enabling the Passwords Must Meet Complexity Requirements policy, you’ll go beyond the basic password and account policies and ensure that every password is secured following these guidelines:
- Passwords can’t contain the user name or parts of the user’s full name, such as their first name.
- Passwords must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
- Reset Password
The local administrator password should be reset every 180 days for greater security and the service account password should be reset at least once a year during maintenance time.
- Use Strong Passphrases
Strong passphrases with a minimum of 15 characters should always be used to protect domain administrator accounts. While passwords and passphrases serve the same purpose, passwords are usually short, hard to remember and easy to crack, while passphrases are easier to remember and type but much harder to crack due to length.
- Password Audit policy
Enabling the Password Audit policy allows you to track all password changes. By monitoring the modifications that are made it is easier to track potential security problems. This helps to ensure user accountability and provides evidence in the event of a security breach.
- E-Mail Notifications
Create e-mail notifications prior to password expiry to remind your users when it’s time to change their passwords before they actually expire.
- Store Password Using Reversible Encryption for All Users policy
I’ll start by saying that this policy should only be enabled on a per-user basis and then only to meet the user’s actual needs. As you all know, passwords in the password database are all encrypted and this encryption can’t normally be reversed. If your company uses an application that needs to read a password, then that is the only time you would want to enable this setting. Keep in mind that when enabling the Store Password Using Reversible Encryption for All Users policy, it’s like your passwords are stored as plain text, representing the same security risks. Always be cautious when enabling that policy.
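The password rules in this list and in the website tips above (minimum length, character classes, no parts of the user’s name, a history that blocks reuse, and storing passwords only in a form that cannot be reversed) can be expressed in code for an application that keeps its own user database. The example below is added here and is not from the original article or from Devolutions: it implements the checks with salted PBKDF2 hashes and a reuse check against the last HISTORY_DEPTH hashes. The constants and the Account class are assumptions for the demonstration; on a Windows domain the equivalent settings are the Group Policy values described above.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12          # the website tips above ask for 12; raise it for admin accounts
HISTORY_DEPTH = 10       # Enforce Password History: remember the last 10 passwords
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def name_parts(user_name: str, full_name: str) -> set:
    """Tokens the password must not contain (case-insensitive): the user name and each
    part of the full name, e.g. {'jsmith', 'john', 'smith'}."""
    parts = {user_name} | set(re.split(r"[\s,.\-]+", full_name))
    return {p.lower() for p in parts if len(p) >= 3}


def complexity_failures(password: str, user_name: str, full_name: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for part in sorted(name_parts(user_name, full_name)):
        if part in lowered:
            problems.append(f"contains name part '{part}'")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    return problems


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The stored value is salt || digest; the password itself
    is never stored and cannot be recovered from the record."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class Account:
    """Holds only password hashes; the history list implements the reuse check."""

    def __init__(self, user_name: str, full_name: str):
        self.user_name = user_name
        self.full_name = full_name
        self.history = []  # most recent hash first, at most HISTORY_DEPTH entries

    def set_password(self, new_password: str) -> list:
        """Apply the complexity and history policies; returns the violations, empty on success."""
        problems = complexity_failures(new_password, self.user_name, self.full_name)
        if any(verify_password(new_password, old) for old in self.history):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history.insert(0, hash_password(new_password))
        del self.history[HISTORY_DEPTH:]
        return []


if __name__ == "__main__":
    acct = Account("jsmith", "John Smith")
    for candidate in ("JohnSmith2024!!", "correct-Horse-battery7", "correct-Horse-battery7"):
        print(candidate, "->", acct.set_password(candidate) or "accepted")
```

The history check only works because each old password is verified against its own salted hash, which costs one PBKDF2 run per remembered entry; that cost is deliberate and is the same property that makes an exfiltrated table slow to crack.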
Original Article at Devolutions