Phishing Scams Target the End of Tax Year

Phishing,
25
Jul 2017

thumb_shutterstock_79924000_1024

The tax season is a stressful time of year for businesses, but now hackers are targeting this period in order to steal employee data and funds.

Using a social engineering approach, hackers are able to trick businesses into relinquishing highly sensitive information and, in particular, W-2 details such as individual employees’ wages and salary. And with this form of social engineering becoming more and more active, it’s affecting an increasing number of businesses.

Seeing as every business has to deal with their taxes in a responsible manner, this is an area of hacking which needs to be closely guarded against; this need for security is even more necessary as it can affect individual employees. Therefore, we’re going to take a closer look at this increasing threat.

Tax Season Hacking

290x195cybercrime99Tax fraud has, traditionally, been a form of hacking reserved for only the most advanced hackers, but with the rise of relatively simple social engineering methods, this hacking technique has steadily become more accessible.  Many smaller businesses are now being targeted and these can include non-profit organizations, restaurants and schools.

And with tax themed spam traps increasing by over 6000% between December 2016 to February 2017, it’s a highly worrying time of year and businesses need to be on their guard. What form, though, do these attacks take?

Well, there are a number of attack methods and these are:

  • Processed Tax Refund – Spam emails which claim to originate from the IRS have been appearing in email inboxes and advise that they are due a tax refund which has now been processed. All the recipient needs to do is open an attachment to get started, but this attachment actually contains infected macros which can give hackers remote access to your PC.
  • W-8BEN Phishing Scam – the W-8BEN form is used by Non-US citizens to clarify their tax exemption details and involves passport and personal information. As this type of data is highly sensitive and valuable, hackers are now targeting this information by sending emails purporting to be from the IRS and requesting copies of the recipients’ completed W-8BEN form and scans of their passport.
  • W2 Data Theft – Due to the valuable data contained in W2 forms (wages, taxes etc), many cybercriminals are targeting these. Copies are sent to businesses for all their employees, so hackers are actively trying to breach network security to procure these forms and any associated tax databases in order to sell this information on the dark web.

Combatting Cyber Tax Crime

tax_id_theft-small

The most important factor to bear in mind with this form of cybercrime is that the IRS will NEVER email you to request personal information. Although this seems like common sense, many people are tricked by this approach and willingly give out information when they’re promised tax refunds. The main things to look out for and consider with these types of scam are:

  • Emails with poor grammar and spelling – Government agencies tend to have their emails thoroughly proofread before being sent out to the general public en masse.
  • Dubious links – Although links contained within phishing emails may appear genuine, if you hover your mouse cursor over these links then the true destination of the link will be revealed; if this address is different to the one written in the email then it’s highly likely this is a dangerous link.
  • Common sense – If you’ve already filed your tax reforms and aren’t expecting a tax refund then you should be highly suspicious of any emails regarding these issues.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Ransomware Found Lurking in Skype Ads

Ransomware, ,
18
Jul 2017

skype-crossed-640x360Skype is a great tool for businesses to communicate with customers and partners, but now it appears that it’s being used as a delivery route for ransomware.

PC users who are using the Microsoft Skype App have reported that fake adverts have been appearing which contain a malicious payload in the form of ransomware. As per usual, this strain of ransomware locks the user’s computer, encrypts files and demands a ransom for unlocking the PC.

Ransomware is becoming increasingly more common and, as Skype is such an important communication tool, there’s a good chance that your business could find itself confronted with it. Therefore, I’m going to delve a little deeper into what’s behind this latest attack.

Skype Ransomware

ransomware-illustrationThe malicious adverts that have been appearing claim that a critical Flash update is required and offers a link to this ‘critical’ update. However, this advert – which appears on the Skype home screen – is actually a link to a HTML application that, although looking genuine, downloads a nasty dose of ransomware to your PC.

And it’s a particularly sneaky piece of ransomware as this malicious payload also runs a piece of code which deletes the downloaded application and then downloads a piece of JavaScript from a website which no longer exists. The domains being used are setup and then shut down almost instantly to prevent any form of registration fee being taken. It’s these seemingly odd processes which help to disguise the hacker’s activities and protect them from being detected by standard antivirus operations.

It’s believed that this new piece of ransomware is related to the Locky ransomware attack – which caused so much trouble in 2016 – as it shares a number of similarities such as utilizing JavaScript to shutdown computers and encrypt files without an additional app being used to execute this.

How to Tackle the Skype Ransomware

At present there is no solution to the Skype ransomware attack and Microsoft have only been able to offer the advice that users should refrain from clicking on unsolicited links. And, unfortunately, due to ransomware being so difficult to treat, prevention tends to be the best cure for ransomware.

There are, however, a few steps you can take to minimize the damage:

  • Ensure that your staff is educated to recognize what constitutes a piece of ransomware. This knowledge, though, can quickly expire if your staff isn’t regularly exposed to such attacks, so refresher courses are recommended to keep this knowledge fresh and provide updates on any changes in ransomware techniques.
  • If you fall victim to a ransomware attack then the first step you should take is to shut your network down as soon as possible. Going offline is the only way you can prevent the hacker from burrowing deep into your system and encrypting files.
  • Always back up your files so that, in the case of encryption, you still have access to your files and do not need to pay a ransom fee or invest valuable man power into tackling the attack. It’s recommended that these are backed up to physical media which has no connection to the internet.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Hackers Change Tactics with the Kirk Ransomware

Ransomware
11
Jul 2017

ransom-noteRansomware is regularly in the news, so we’re beginning to understand it more. However, a new form of ransomware is now changing the landscape.

Bitcoin has always been the preferred payment method for releasing encrypted files following an attack, but the newly detected Kirk ransomware is not interested in Bitcoin payments. Instead, it’s demanding its ransom through the relatively new cryptocurrency known as Monero.

Now, ransomware is a troublesome piece of malware at the best of times, so if the hackers behind these attacks are changing tactics then it’s important to be aware of what’s happening. And that’s why I’ve decided to take a closer look at the Kirk ransomware to help eliminate any confusion.

Understanding Kirk

18kwxnye6wxtljpg

Kirk ransomware is a piece of malicious code which appears to be going about its business in the normal manner. Researchers believe that its preferred method of attack is to impersonate the network stress tool Low Orbital Ion Cannon (LOIC). Once the ransomware has been activated, Kirk gets to work by encrypting the user’s files – it’s currently believed that it targets a total of 625 different file types.

The target is unaware of what’s happening as all that happens is that a message box pops up which mimics the LOIC company slogan of “Low Orbital Ion Cannon | When harpoons, air strikes and nukes fail | v1.0.1.0”. Meanwhile, the files are being encrypted as the victim carries on with their daily activities. However, a ransom note is soon deposited into the same folder as the ransomware; this note is then displayed in a window for the victim to learn that a number of their files have been encrypted with the .kirk filename.

The only way to decrypt the files is by paying the ransom payment to the hackers. This, it is hoped, will facilitate the purchase of the Spock decryptor – note the Star Trek reference – but researchers are yet to get their hands on this decryptor to evaluate its validity as a solution. Now, the interesting thing about Kirk is that it demands its payment in Monero which is causing a whole host of new problems.

Bitcoin is a notoriously difficult currency to lay your hands on, you can’t just go down to the bank and expect the teller to exchange your dollars for Bitcoins. Instead, you need special merchants to trade your dollars and this isn’t particularly cheap or easy. However, where Kirk differs is that it’s requesting payment from an even more obscure monetary source, so this has the potential to leave victims completely baffled.

Combatting Kirk

whatisransom

At present, the Kirk ransomware hasn’t been cracked and there is no known rescue for encrypted files aside from making the payment. Therefore, it’s crucial that you take the following steps to avoid falling victim to the Kirk ransomware:

  • Don’t activate untrusted macros that are embedded in Microsoft Office documents as this is how ransomware is usually activated.
  • The only way to truly know if an Office document is genuine is by opening it but, to minimize the risk, try installing a Microsoft Office viewer as this will allow you to view it without macros.
  • Provide annual training to your employees on malware and the many forms it can take. It’s a lack of knowledge which leads to people activating ransomware.
  • Maintain regular backups of your files as this gives you some breathing space (and saves you the cost of a ransom) if your files do become encrypted.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

DNSMessenger is a New Method of Cyber Attack

Security, Services,
04
Jul 2017

DNS-Messenger

We’re used to hackers using conventional attack strategies, so, although we can defend these, it means hackers are looking for more discreet attack methods.

And, just recently, hackers have been looking to exploit routes in and out of our PCs which are not usually monitored for malicious activity. It makes sense for hackers to seek out these poorly defended access points as, for hackers, the best hack is an easy hack.

For businesses, though, it raises a lot of questions on just how in-depth and conscientious your security efforts need to be; in order to help you understand the situation and nature of these attacks, I’m going to discuss the DNSMessenger threat.

DNS as a Means of Attack

The Domain Name System (DNS) is the method by which the domain name of a website, computer or network is converted into an IP address which is a numerical code that can be recognized by PCs e.g. one of the many IP addresses for Google is 74.125.224.72

Now, as DNS helps PCs to communicate with many other systems, it provides a very useful route for hackers to breach defenses. Thankfully, it’s very difficult for hackers to hack directly into the DNS channels, but by using a malware exploit they can gain access. And it’s all part of a trend in the evolution of malware.

Users are prompted to download an MSWord document – containing malicious code – through an email phishing campaign which sets the attack in motion. The malicious payload is written in the Powershell language which permits administration tasks to become automated. It’s at this point that the hackers can identify user privileges and plan the next step of the attack which utilizes the DNS.

Using the DNS, hackers are able to send commands directly to the user’s system and effectively have free rein over that system. What’s particularly deceptive (and clever) about this attack method is that it’s very difficult to monitor; few systems monitor DNS traffic and Powershell operates purely in the system’s memory rather than relying on external files which are easily identifiable.

Combatting DNS Attacks

Security-Icon-Microsoft-696x464

Whilst there are niche software solutions that can help protect businesses from DNS attacks, the simplest solution is by educating your staff on the telltale signs of malware and phishing:

  • If you do not recognize an email address then, under no circumstances, click on any links or files contained within it. And, even if you do recognize the sender’s email address, run a quick audit on the email’s content as the sender’s account could have been hacked – badly worded and poorly formatted emails are often a sign of hacked emails.
  • The DNSMessenger attack is only able to unleash its payload once the infected Word document is opened and the recipient clicks on the pop up window prompting them to “Enable Content”. By enabling the content, the recipient is unwillingly giving permission for their system to be hacked, so always treat this request with suspicion.

These preventative methods are fairly simple, but, due to the volume of emails people receive these days, there doesn’t seem to be the time to carry out these quick checks. However, with hackers taking their attacks in new directions which are incredibly difficult to monitor, a few seconds thought could save your systems from a nasty attack.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More