Showing posts with label ransomware. Show all posts

Tuesday, February 20, 2018

One born every minute


You are security conscious and know all the Internet dos and don’ts, but sometime it is going to happen. You’re going to fall for click bait, open an infected email attachment, or fall for a social media hoax. You’re not dumb. You’re not gullible. You’re not alone. People of all ages, backgrounds, and intelligence will fall for social media hoaxes. Including this writer.

As with any scam, whether it is a criminal affair or a joke, the perpetrators play on our human nature and how we react to stimuli, most notably anything that threatens our family or personal well-being: fear. As with any con, the perpetrator uses broad, widely known information, with some truth sprinkled in for good measure. Sometimes, as is the case with privacy issues, the hoax will use functions of the app to make it believable, instructing the victim to perform a function within the app that produces a result. When the result happens, it further validates the hoax.

The ones that get you are intelligently written in a generic style or tone that could be from any close friend or relative that you would normally trust. They either forward the item to you, or worse, endorse it with a message that reads something like, “Tried it. It works!” or “This is true”. Most people don’t do research. If so and so posted it must be true, and we quickly click ‘share’. After fourteen years, Facebook is still having trust issues with its users. Anything that hints at a privacy scandal runs wild and users react.

Hoaxes, just like malware, circulate, mutate, and resurface, sometimes years after being launched. The one that got me was the ‘Following me’ security check on Facebook. [Spoiler alert: It’s a hoax] You receive a message from someone you trust that reads like the photo heading of this blog post. And trust me, it will read like the above photo because the original language just keeps getting forwarded. Following the steps outlined in the post you’ll find these unknown people “following” you on Facebook. You quickly go to the next step and start deleting all of these unwanted followers. How dare they intrude onto my highly secure and private Facebook page! The nerve.

After testing the theory and seeing that it does indeed reveal hidden followers, you forward the message on with your own endorsement. Because it does work, it must be true. You have to alert all of your friends. I didn’t go that far. But it did give me an idea for a blog post. A couple minutes of research had me SMH. Got me!

Snopes.com addressed this very hoax in a January 2017 article that was updated in September 2017 (Are Facebook users secretly following you?). Snopes traced the origin to a rumor post being circulated that Facebook security teams were paid to follow individual accounts. The post read similarly to the one pictured, except the user was instructed to enter ‘Facebook security’ in the block users search box. While this did return a list of people, it was determined to be people who had used ‘Facebook security’ in their profiles. In September 2017, the hoax took on the form we have pictured. However, now following the instructions returns a list of people that have “me” in their profiles.

In fact, the search box reads


So the hoaxers set you up with instructions that return what they want, a list of people you’ve never heard of, which gives validity to the hoax. Which gets it forwarded. And on and on and on it goes.

Please feel free to share. See the blog archive for more posts about privacy.
Are you being watched? February 2018

Monday, April 24, 2017

Teach your employees well


Small business hacking is becoming more prevalent. The payoff isn’t as big but the opportunity is greater and security is lacking. Security firm Symantec reported in 2016 that 43% of cyber attacks were against small business. Small businesses have little in the way of security and employee training. They often have more to lose in the sense that they have less cash flow or all of their money is tied up in their business, making them more likely to pay ransoms. (Ransomware is explained in more detail in our post, If you ever want to see your files again…)

Attacks can be as simple as rerouting the web address to a porn site, locking all of the computers for a ransom, all the way to hacking financial data and cleaning out bank accounts. More than half of the companies attacked were forced to go out of business. Maintaining sound computer security cannot be emphasized enough.

The website Small Business Trends, in an article posted January 3, 2017, stated that 48% of attacks are caused by an employee error. In addition to updating security software one of the biggest defenses owners can deploy is educating their employees on cyber attack indicators. The malware has to enter the system somehow. Simply clicking on attachments will send the virus into the network to do its work. The more stealthy viruses will enter the system without a show of existence. These are meant to mine data from the system. By the time you find the virus the bank accounts are fleeced.

Regularly train employees on different types of attacks and how to defend against them. Establish a policy for computer usage. Explain what is acceptable Internet use. Malware can be injected via email attachments or links to websites. These links can be introduced through email or social media. Demonstrate what a suspicious email, link, or social media contact looks like. Practice solid password policies and change passwords regularly. Encourage employees to speak up when something is suspicious and not to click on anything suspicious.

Even if you do not think you store valuable data, although customer records are a valuable commodity, the chance of losing your business data or risking a financial attack is too great a chance to take.

See our blog archive for other posts relating to cyber security:



Monday, August 8, 2016

If you ever want to see your files again…





One computer in the office has a warning that it is being held ransom. “Provide 500 bitcoins to unlock the system” is the message emblazoned on the screen. Any computer that requested data from the original would fall prey to the malware, which is now spreading through the office. The IT department has already been notified and the tech is running through the office unplugging data cables, trying to isolate the attack. No, this isn’t a mega corporation. It was an accounting firm with fewer than 100 employees.

An automotive service center with less than 20 employees had a similar experience. The office manager starts the computers for the day and she sees a message that her computer has been locked. Pay up if you want the decryption key. An ordinary Joe is surfing the net when a warning appears on his monitor that all of his photographs have been encrypted. If he wants to have access ever again, he’ll need to pay $1200.

Ransomware has been in the news lately. More than likely you’ve heard the stories of hospitals, police departments, or large corporations having their computers locked and given a price to pay to have them set free or, in the more common terminology, held for ransom. But cybercriminals are not just targeting institutions or corporations. As security features are improved, the criminals move on to more vulnerable prey. Any size business or any person can fall victim. Yes, the bigger fish will offer a more lucrative payday, but stack enough pennies and eventually you will have a dollar.

Definition and history

Ransomware is a type of malware that infects a computer or network, preventing users from accessing the system until a ransom is paid for the decryption key. There are two kinds. The first is called a “locker”, which locks the user’s computer. The second and more sophisticated is called a cryptovirus, which targets specific files (photos, personal, financial), encrypting them until a ransom is paid. Ransom payment is usually requested in the form of the electronic currency Bitcoin. (Bitcoin converts to roughly $575 U.S. dollars.) Symantec estimates that over 60% of the malware detected is of the cryptovirus variety and the average ransom paid in the U.S. is $300.

The Symantec white paper, Evolution of Ransomware, August 2015, gives this chronology of ransomware appearances: The first ransomware appeared in 1989, but wasn’t that effective due in large part to the lack of the Internet. Crypto ransomware came on the scene in 2005. As each version was detected and defended against, the writers would learn from mistakes and rewrite the code to make the malware more resistant to computer security features. In 2008, the criminals began secreting the malware in the form of fake antivirus programs. The programs would appear to scan and identify problems and then ask the user for up to $100 to fix the fake problems. In 2011, cybercriminals moved away from the antivirus attacks and began completely disabling the victim’s computers. Criminals then stopped mimicking antivirus problems and jumped to directly locking the computer using a law enforcement warning style of hoax. This was so effective that law enforcement themed ransomware became quite popular between 2012 and 2014.

Like most malware, ransomware is delivered via an attachment to an email. The user clicks on the legitimate looking file and the malicious code is delivered. However, as users became savvier to suspicious emails and clicking on attachments, malware developers have learned to hide their code in websites, either bogus sites set up for the purpose of delivering malware or legitimate sites. Once the malware infects a computer it begins encrypting files. If the infected computer is attached to a network the malware spreads as that computer interacts with the network.

On the FBI website, FBI Cyber Division Assistant Director James Trainor writes, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

Who is vulnerable?

Institutions, government agencies, big or small business, even personal computers can be targeted or infected. Some attacks are targeted and some are just malware creators phishing for victims. For most small businesses and individuals it is the latter. Anyone or any business can be victimized. As with identity fraud, it is not a matter of if but when. The world is so electronically social that malware gets passed around like a rhinovirus. Eventually, someone close to you will be victimized, or you yourself.

Smaller businesses and individuals are more susceptible due to a lack of computer knowledge and access to technical support. They also lack an effective backup system. Files being held ransom or the threat of a fake criminal charge, coupled with the lack of technical support, make personal computer users more likely to pay.

The FBI, Internet Crime Complaint Center (IC3) reports that while companies and organizations are the primary targets, the IC3 continues to receive reports from individuals. According to reports to the IC3, most individuals are told that their personal/financial information or photos will be publicly released if a bitcoin ransom is not paid within a certain timeframe. Ransom amounts range from $250 to $1,200.

Prevention

For business and individuals alike one of the main defenses is education. Know what the dangers are and be prepared. Businesses need to educate their employees on the tactics of cyber criminals and how to react if they feel they have been victims. After providing education and training, some companies will send their own “suspicious” emails to employees. The emails will look legit enough with the guise of signing up for training or providing personal information for system updates. However, each email will have the telltale signs of phishing that was thoroughly explained to employees. The IT department will monitor how many fall for the trick and how many reported it. Then they will provide further training and education to the employees.

The FBI confirms that ransomware has been around for several years. But there was an increase in 2015 with incidents still on the rise in 2016 due to lack of preparedness and protection. The FBI doesn’t support paying a ransom. Cyber Division Assistant Director James Trainor said, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

What the FBI does recommend is prevention and a business continuity plan. The FBI website offers the below tips for businesses and individuals when dealing with a ransomware threat:

Prevention Efforts
  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

At the very least, educate your employees and have a conversation with whoever manages your computer system. At home, resist the urge to fall for “click bait” and pay attention to where you’re surfing. As for your smartphone? Don’t be lulled into a false sense of security. Your phone is a connected device. Someone, somewhere is figuring out a way to get in.

See our blog archive for other posts relating to security issues: