Netizen Cybersecurity Bulletin

Overview

• Phish Tale of the Week
• Cybersecurity Brief
• How Can Netizen Help?

Phish Tale of the Week

This week, we are featuring another phishing email that was received in our office. What you see (below) is an attempt by a hacker to collect log-in information from anyone falling for the phish. The perpetrator sent this email to a company-wide distribution list with the hopes of obtaining log-in information from an executive-level employee. Although it might seem tailored to target a specific company or organization, this week’s phish is typical in that it offers something to the recipient that would be a normal function in almost any business. In the body, the email states the purpose of the message is that it is being sent for “your” review and signature. This indicates that the target is a “decision maker” that would presumably have access to a business’ sensitive information. The bait is often a call to act on something by clicking or following a link to a fake log-in page, in this case, “3 files” awaiting “your” review. OneDrive and SharePoint are frequent vehicles for these attacks, because of the number of users of these Microsoft products. An example email follows below:

Why do cybercriminals love using file-sharing services to propagate an attack? In instances where a cybercriminal uses file-sharing services, a phishing email is sent with a link to a fake sign-in page that would prompt the target to enter their log-in credentials. These credentials are then collected to use that account to target other users in the organization. The good news? There is a trail of clues that you can use to identify this phishing email as a scam. 

• Unusual email addresses in heading: Notice the length of the email address at the top of the message. 
• Formatting of the frame surrounding the message is broken.
• The message in the body text contains errors and doesn’t flow smoothly.

On its face, this kind of phishing email is easy to spot – particularly if you know what to look for. Yet these kinds of scams are used widely, simply because they do work on individuals who are not educated on social engineering tactics.

General Recommendations:

A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

• Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
• Verify that the sender is actually from the company sending the message.
• Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
• Do not give out personal or company information.
• Review both signature and salutation.
• Do not click on attachments.
• Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
• Be wary of poor spelling, grammar, and formatting. As can be seen with the with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

Cybersecurity Brief

In this week’s cybersecurity brief: Google Chrome reports a HIGH severity vulnerability, Microsoft Announces End of Support for Windows 7

Google Chrome Vulnerability

Security researcher Clement Lecigne of Google’s Threat Analysis Group discovered and reported a HIGH severity vulnerability in Chrome late last month that could allow remote attackers to execute arbitrary code and take full control of the computers. According to Google officials, this zero-day vulnerability (a vulnerability that is publicly unknown and therefore exploited with much greater effect due to non-existing security patches or updates) is actively being exploited in the wild by attackers to target Chrome users. You must update your Google Chrome immediately to the latest version of the web browsing application. The vulnerability, assigned as CVE-2019-5786, affects the web browsing software for all major operating systems including Microsoft Windows, Apple macOS, and Linux. 

Recommendations:
Ensure your Google Chrome is up to date immediately. The patched version is 72.0.3626.121. You can check which version you are running by going to Settings>About Chrome.
To read more about the Google Chrome vulnerability, click here.

Microsoft Ends Windows 7 Support

Microsoft has announced that in roughly one year’s time – January 14, 2020 – support for Windows 7 will officially end. That means customers will no longer receive updates or patches, including security fixes after that date. Windows 7 was initially introduced by Microsoft in 2009 and was replaced by Windows 10 in 2015. With Microsoft’s recent reports stating that over half of Microsoft devices run Windows 10, the decision was made to end support for the older Windows version. 

What does this mean for organizations still using Windows 7?
There are two ways that Microsoft can still provide security updates and fixes after January 14, 2020. These two ways were designed for business customers and not commercial consumers. Microsoft will allow customers with volume-licensing agreements to purchase Extended Security Updates (ESUs) on a per-device basis with prices increasing yearly. As most devices running Windows 7 did not begin running the operating system until well into the product’s life cycle, this brace period gives businesses a chance to begin phasing out of Windows 7 and migrating to Microsoft 365, as suggested by Microsoft. 

Organizations still using Windows 7 must take the necessary steps to ensure their system’s security remains up-to-date post January 14th, 2020. 

To read the original article by ZDNet, click here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.