Holiday Shipping Scams

Greg Price

It’s that time of year again. Holiday shopping is in full swing. Americans are buying more and more from online vendors, and shipping companies are working feverishly to keep up with demand.

And, of course, the bad guys are looming, seeking an opportunity to upset the holiday season.

Due to the increasing popularity of online shopping, shipping scams are more common than ever. Given the battle over expedient shipping, it’s no wonder that cybercriminals have developed sophisticated, and timely, methods of stealing from you.

During the holiday season, one of the most common shipping scams is nothing new, and certainly not a sophisticated cyberattack. Those who steal packages from the exterior of homes, commonly referred to as porch pirates, are rampant. In fact, recent statistics reveal that 25 million Americans were victims of porch pirates in 2018.

So, what can you do?

During the checkout process, select “signature required” in the shipping details. In doing so, you will force the shipping service to get a physical signature. The process is a bit tedious by today’s standards; however, not only will you safely collect your items, but, you’ll ensure that the items aren’t carelessly tossed onto your property in haste. Not all online vendors provide this option, so, don’t be surprised if it’s not present during the checkout process.

Secondly, if you live near a package collection service, you can use those providers. A package collection service will provide you with a physical street address – an employee will collect the packages and store them for you. The service is similar to USPS post office boxes; however, many commercial carriers will not deliver to a post office box, so these services are a good substitute for home delivery.

Next, ponder the porch pirate’s methods. They steal based on opportunity and relative ease of access to the goods. If you remove the easy access, the thief will likely pass your home. Many companies sell protective bags or boxes that are secured to your front door or other physical structure. When ordering, in the “other instructions” box for shipping, indicate that the package should be placed in the protective device and locked. While it’s true that a thief could steal the protective device, remember these are typically quick-action efforts. Porch pirates usually drive through a neighborhood and dash to and from a porch – they don’t carry tools; therefore, they aren’t prepared to fight with a locked bag or box.

Similarly, review your delivery area at your home. If you have hedges or other landscaping that will provide a blind for your packages, instruct the online vendor to place the packages behind those obstructions.

A few high-tech tools are available that could prevent, or, minimally, detect package theft. Amazon provides a locker service in some areas. The locker service is similar to the package collection providers, except, you have a key to your shipping locker, which is housed in a large building. Various video doorbell systems and motion alarms could assist with preventing the bad guys – when they work correctly. I use a combination of alarm and video products. Unfortunately, they’ve not always worked to scare away the thieves. However, I receive a text when activity occurs, so, if time permits, I can drop by and move the packages inside the house.

And, of course, the true online scammers use the holiday season as a ripe opportunity to flood your inbox with phishing messages.

Shipping-themed phishing messages always increase during the holiday season. Complicating the matter, shipping companies rely heavily on email or text notification in today’s vibrant shipping environment. Therefore, it’s often a challenge to detect which messages are bad.

Whether you, or your business, use UPS, FedEx, DHL, or the USPS, it’s important to understand exactly what a legitimate delivery message looks like from those vendors.

The intent of the phishing messages is to steal. Specifically, the cybercriminals are trying to steal credentials (usernames and passwords), financial information (logins, account numbers), and spread malware which could lead to system ransom, downtime, and other undesirable outcomes.

How do the would-be bad guys design shipping scam messages?

Common techniques include phony tracking numbers, undeliverable package notices, additional postage requests, invalid mailing address notices, and attached files that claim to be claims forms or other shipping documents.

So, what do you do if you receive one of these messages and you know you have packages, but, are concerned about the possibility of malicious messages?

One of the most common phishing attempts is delivery of a fake tracking number. There are two ways to avoid this scam. First, if you are expecting a package, simply visit the online vendor’s website, view your account information and check the shipping information there. Secondly, if your vendor only lists the tracking information, but no detail, copy the tracking number from the vendor site and visit the shipping provider. As an example, UPS provides a very quick and accurate webpage for checking on the status of packages. I simply copy and paste the tracking numbers into the UPS website and get updates immediately. Clicking on links in email messages isn’t a good idea, so, taking a couple extra steps and being cautious will avoid malicious efforts, and, possibly provide more detailed shipping information.

Don’t trust links sent to your mobile device as texts – just because you think no one has your mobile number doesn’t mean that’s accurate. Links within text messages can present an abundance of opportunity for a poor outcome. Visit the online seller and check the status there.

As for the other common shipping scams, the same instructions will work. Visit the online vendor’s website to check on all delivery issues. It’s very unlikely that you will receive an email indicating that additional postage is needed. And, email delivery of invoices as attachments is common for business purchases, but rather inconvenient and unusual for consumer purchases – just avoid opening those attachments completely.

And lastly, a perfect way to avoid all of these online scams and shipping concerns is to shop local – support your local business community.

Be safe.

Ransomware Strikes Again

Greg Price

Various federal agencies and cybersecurity advocates have released numerous announcements this year, highlighting the increase in ransomware attacks in the United States. Many of the notices indicate that the rise in ransomware attacks is directly related to attacks on enterprises: the large targets are paying substantial amounts of money to regain access to their data. And, as a result, the cybercriminals are expanding their “business”.

While the increase in attacks is likely correct, the troubling issue is the continued increase in successful attacks. The bad guys are winning and gathering financial gain in the process.

On November 18, Louisiana found itself, once again, in a painful situation. Ransomware struck the state networks and resulted in a decision to shutter various agencies in order to reduce the spread of the ransomware. The governor’s office indicated that the Departments of Health, Children and Family Services, Motor Vehicles, and Transportation, along with the office of Governor John Edwards, were closed as a result of the attack.

The state’s cybersecurity response team was activated and moved quickly to contain the ransomware. Based on various reports, the team isolated the malware and began an aggressive server restore process.

A statement indicated that no data loss occurred and no ransom was paid.

Several researchers revealed that the attack was similar to one on Louisiana’s public school systems in July. The ransomware was a variant of the popular Ryuk malware.

The real story here is Louisiana’s response: no ransom payment. The team was able to contain the situation, and, due to a careful eye to proper backups, restored operations. The disruption may have been annoying, perhaps inconvenient, but the message was very clear: the disaster recovery plans worked. As a result, the bad guys’ efforts were wasted. Chalk one up for the good guys and for adhering to good computing hygiene.

As I’ve mentioned before, sometimes the best practice is a solid, tested defense. Louisiana could have poured millions of dollars into the latest shiny object or expensive consultants. Instead, they created a method for containing cyber attacks and built a strong cyber hygiene program, all of which are predicated on two things: updating software and following a rigorous backup routine.

So, speaking of updates, the would-be bad guys are actively impersonating Microsoft.

According to online reports, a spam campaign has been launched, offering a Windows 10 update.

The malware, likely the Cyborg ransomware, is disguised within the fake Windows 10 update. When installed, instead of Windows 10, you will have a locked PC and a demand for ransom.

Given that Microsoft releases patches routinely and aggressively pushes the Windows 10 platform, impersonating a Windows 10 update is a clever way to trick users.

But, here’s the thing. Microsoft never announces updates or provides downloads to its software through email links.

What should you do if you receive one of the Microsoft Windows 10 update email messages?

Delete it. Don’t forward it, don’t preview it, don’t open with your mobile device. Just delete it.

Despite the increased attacks on large enterprises, the largest volume of successful ransomware attacks continues to occur with individual users and small businesses.

So, how do you build a solid defense to ransomware?

Start with some basic computer hygiene.

Pay attention to email, avoid opening unsolicited attachments, and don’t click on emailed links. Additionally, stop sharing data via fistfuls of thumb drives. There are many efficient and secure methods for sharing files: consider Microsoft’s OneDrive, Google Drive, and Dropbox, as examples.

Next, avoid running pirated or stolen software.

If you download files via torrent sites or enjoy “borrowing” software from pirated software sites, you’re not only likely breaking many laws, but, you’re exposing yourself to untrusted software, all of which could be loaded with malware. Use licensed software or download open source tools from trusted sites.

And, of course, keep your software updated.

Back up your files frequently and properly. Most modern devices include an online backup service – enable the service for your devices and verify that all of your important files are backing up correctly.

Despite all of our efforts to have a good defense and adhere to best practices, there is still a chance that we all can fall victim to a scam and end up with an infected or broken device. Having your files backed up properly is the best way to avoid losing your data or having to run the risk of paying a hefty ransom.

As the holiday season approaches, the scammers will be more vibrant than ever. Below are a few items to help you increase your awareness and hygiene to avoid the most common of email scams.

First, be cautious, even paranoid with links.

Don’t click on email links, especially if you find the content questionable or suspicious. Hover over the link and see if the link’s actual address matches its display name. Also, open a web browser and visit the site directly: type the link into the browser and avoid clicking the link completely.

Second, watch for grammar and typographical issues.

Since the beginning of phishing and scam messages, typos and grammar problems have called the legitimacy of the messages into question. Old or dated images often suggest problems as well. Reputable companies don’t send poorly-written inquiries.

Lastly, use multi-factor authentication.

If you fall victim to an impersonation attack and offer your credentials, at least with two-factor, you will have a parachute, of sorts. If two-factor is available, use it and pay close attention to the requests you receive for the second form of verification. If you receive one and you didn’t initiate the request, don’t approve it.

Pay attention to the basics and enjoy a safer computing experience.

Be safe.