Cyber-criminals are always busy coming up with new ways to get into your life so we wanted to ensure that we are doing what we can to arm you with some information on the threats that are topical and hopefully help keep you, your family and friends safer in this dangerous world of cyber-crime. Two of the major things we’re seeing at the moment are:
MFA Fatigue Bypass
Criminals are constantly after your account passwords for email, banking, work, social media and so on. The best defence against this is Multi-Factor Authentication (MFA), which also requires you to click “Approve” or type in a number from your phone or other device. This way, even if the bad guys have your password, they still need that code or your tap on the prompt to log in. MFA has been very effective at preventing unauthorised access, but unfortunately the criminals spend a lot of time and effort working around the systems we put in place.
Uber was recently hacked badly because one of their contractor staff allegedly gave their password away to someone claiming to be from their IT division. Uber does have MFA deployed to all users, but this attacker launched an attack on his account which effectively caused his MFA app to constantly spam him with login requests. He accidentally clicked “Approve” on just one of these prompts which resulted in the bad guy getting in. The attacker then used that account to gain access to other areas by pretending to be a person they knew because the emails and Slack messages appeared to come from a trusted person.
Uber was not alone. In the past few weeks, Nvidia, Rockstar Games, Samsung, Cisco and Microsoft have all seen similar types of attacks.
We can learn a few things from the Uber attack:
Never give your password to ANYONE! Pepkor IT support staff are trained to NEVER ask for your password. Your password should be known to you and only you. Social engineering is a fancy name for tricking people into giving the bad guys something they want. They are very, very good at it. Be very alert at all times.
If you are seeing unexpected prompts for MFA authentication, please email your relevant IT department immediately. They can check and see what is happening and help solve the issue. Please never accept an unexpected prompt.
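For IT teams, the pattern described above (a burst of denied or ignored MFA pushes followed by a single approval) is detectable in authentication logs. The following Python is an added example, not Pepkor's or any vendor's tooling; the log format, user names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The format is an assumption:
# ISO timestamp, then key=value fields for user, event and result.
SAMPLE_LOG = """\
2022-09-15T10:00:01Z user=alice event=mfa_push result=denied
2022-09-15T10:00:34Z user=alice event=mfa_push result=denied
2022-09-15T10:01:02Z user=alice event=mfa_push result=timeout
2022-09-15T10:01:40Z user=alice event=mfa_push result=denied
2022-09-15T10:02:15Z user=alice event=mfa_push result=approved
2022-09-15T10:05:00Z user=bob event=mfa_push result=approved
2022-09-15T14:30:00Z user=bob event=mfa_push result=approved
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(f.split("=", 1) for f in fields[1:])
        events.append((ts, kv["user"], kv["event"], kv["result"]))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: count} for users who approved a push after at least
    `threshold` denied or timed-out pushes within the preceding `window`.
    A normal user approves the first prompt; a bombarded user approves the Nth."""
    by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            by_user[user].append((ts, result))
    alerts = {}
    for user, pushes in by_user.items():
        pushes.sort()
        for i, (ts, result) in enumerate(pushes):
            if result != "approved":
                continue
            recent = [r for t, r in pushes[:i] if ts - t <= window and r != "approved"]
            if len(recent) >= threshold:
                alerts[user] = len(recent)
    return alerts


if __name__ == "__main__":
    print(detect_mfa_fatigue(parse_log(SAMPLE_LOG)))  # {'alice': 4}
```

In a real deployment the same logic would run over the identity provider's sign-in logs, and an alert for a user should trigger a password reset and a call to that user rather than an email alone.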
Phishing as a Service
We all know about phishing: criminals send emails or SMS messages encouraging you to click on a link that takes you to a fake banking or email login page in order to steal your username and password. Some attempts are better than others, but the usual defence, along with MFA, is to stay vigilant and never enter your username or password into a site if anything looks or feels suspicious.
A new threat has emerged in this space called Phishing as a Service. Phishing has been around for many years, but this development is going to make fighting it much harder. An enterprising group of bad guys have released a service, for $400 per month, which anyone can purchase. The service includes pre-made phishing emails which are very convincing, but the real danger is that the site these emails link to looks EXACTLY like the real site, because it is. They send you to a server which relays a live copy of the real site to you, exactly as you’d expect to see it. Everything looks fully legitimate, but the URL will be different.
Unfortunately, it is possible to make URLs look VERY similar to the real ones by using other alphabets such as Cyrillic (used for Russian), where an “о” character looks the same as a Latin “o” but is a completely different character as far as a computer is concerned. When you enter your credentials into this fake site, it enters them into the real site in real time, so you will then see an MFA prompt as expected. If you then accept this MFA request, or type in the number you’re given by the MFA app, the bad guys are into your account and you’ll have no idea.
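The look-alike URL trick can be caught mechanically by checking whether a hostname label mixes alphabets, or whether it collapses to a known domain once confusable letters are mapped back to their Latin look-alikes. The following Python is an added example (not from the original text or from any vendor); the confusables table is a small constructed subset of Unicode's full confusables list, and the trusted-domain set is illustrative.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# Unicode publishes a much longer confusables list; this covers the page's "o" case.
CONFUSABLES = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def script_of(ch):
    """First word of the Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scripts_in_label(label):
    """Set of scripts used by the letters of one DNS label (digits and '-' ignored)."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def skeleton(hostname):
    """Map every known confusable to its Latin look-alike so 'micrоsoft' -> 'microsoft'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def check_hostname(hostname, trusted):
    """Classify a hostname as 'trusted', 'mixed-script', 'lookalike' or 'unknown'.

    A legitimate domain almost never mixes Latin and Cyrillic inside one label,
    and a domain whose skeleton equals a trusted name but is not that name is
    impersonating it. 'unknown' is simply not on the allow-list, not proof of safety.
    """
    host = hostname.lower().rstrip(".")
    if host in trusted:
        return "trusted"
    for label in host.split("."):
        if len(scripts_in_label(label)) > 1:
            return "mixed-script"
    if skeleton(host) in trusted:
        return "lookalike"
    return "unknown"
```

Browsers apply similar rules when deciding whether to show a domain in its native script or as its encoded xn-- form, which is why the address bar is the one place worth reading carefully before typing a password.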
Really good cyber-criminals have been able to achieve this sort of attack for a long time, but they were expensive to do properly and were reserved for very specific targeted attacks. It’s now easy for anyone with $400 to achieve this same level of sophistication. This is very scary and can be very difficult to protect against.
Over the next few months, you are very likely to see this sort of attack against you. The best protection is to never click a link in an email, WhatsApp or SMS, especially if it claims to come from your bank or financial institution. When receiving an email from OneDrive or SharePoint, rather go to the SharePoint site yourself and you will see the document listed in the “Shared” section. The Pepkor Cyber-Security team will do what we can to stop these messages getting to your work inbox, but some may get through so please be extremely careful. If you are unsure or notice anything suspicious, please email your relevant Security Team.
These principles also apply to your personal email accounts as well as social media and banking. Never click a link in an email from your bank; always go to the site yourself and log in there. Treat your personal email accounts with the same security as you do your bank, and always use MFA. Once someone is into your personal email, they can usually reset the password for most other services you have linked to it.
Thanks for your time and stay safe out there!