Spear phishing in your “Inbox”…

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorized access to confidential data. The information sought can be trade secrets in the case of an organization, personal bank account credentials for financial fraud, or a mix of the two.

In the “good old times” it was relatively easy to spot spear phishing. By now you should know that you do not have a recently deceased, wealthy relative in Nigeria, nor a package from FedEx/UPS that you never ordered. The formatting and spelling errors in those emails made the fraud easy to detect, and most antivirus software catches this antiquated style of fraud as well.

The sophistication of spear phishing has reached a level where identifying email-based fraud is becoming close to impossible, and antivirus software is mostly useless against it. Before you start arguing with me, tell me: is the email below fraud or real?

It is a spear phishing email, and you knew that, right :)? The question is whether you will still be able to identify it in your “Inbox” when you have just ordered a great SSD on sale at Newegg.

Newegg, PayPal, etc., will spell out your full name in emails addressed to you, instead of the generic “Dear Customer”, and they will not place links to your account in the body of the email. The other way to detect a spear phishing attempt is to move your mouse pointer over one of the links without clicking. This is what you will see:

The link to “http://roidesrois.org/6qawKCpK/index.html” makes the fraudulent email easy to spot. Your email client displays the real destination for you, so that you can determine whether the link is legitimate. No software solution is 100% accurate at detecting these links, so it is you who needs to decide “to click, or not to click”. Failure to make the right decision may have dire consequences for your finances.

The sophistication of this email fraud becomes evident once all of the links are checked:

The link framed in green points to “http://www.newegg.com/index.aspx?nm_mc=TEMC-Payment-Charged-US&cm_mmc=TEMC-Payment-Charged-US-_-header-_-logo-_-Newegg”, the real Newegg site. You can safely click on this link; it is there to lend the message credibility.

The links framed in red point to “http://roidesrois.org/6qawKCpK/index.html”, where presumably malicious code waits for your click. Bad things can happen to your computer if you click on these links.

With this kind of sophistication, the success rate of spear phishing is bound to increase substantially. Learn from this description of email fraud and follow Newegg’s advice, quoted below:

How do I identify Phishing or Spoofed E-mails?

Know that Newegg.com does not and will never ask you for the following information in an e-mail communication:

Your social security number or tax identification number
Your credit card number, PIN number, or credit card security code (including “updates” to any of the above)
Your mother’s maiden name
Your Newegg.com password
Your address, phone number or other personal information

Occasionally, if you place an order with incorrect information, you may receive an email from Newegg.com giving you the opportunity to correct your shipping/billing information. When this occurs you will have to log into the Newegg.com website to input this info. We will not provide you with a link in the e-mail notification, to ensure you are responding to a valid communication from Newegg. Another method of identifying a phishing or spoofed e-mail is to place your cursor on links or images without clicking. If the hyperlink is an IP address or other than www.newegg.com, DO NOT CLICK the link. Go to www.newegg.com directly and log on. Never submit the information mentioned above directly through an email.

Well said Newegg…
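Both the hover check described above and Newegg’s “IP address or other than www.newegg.com” rule can be applied mechanically to the HTML of a message. The script below is an added example written for this page (it is not code from the original post or from Newegg): it pulls every link out of an HTML body, resolves the real host, and flags a link when the host is a bare IP address, is not newegg.com or one of its subdomains, or differs from the host that the visible link text claims. The sample body is constructed; it reuses the two URLs quoted above and adds an IP-address link and a look-alike domain (www.newegg.com.example.net) to exercise the other rules.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML body modelled on the message discussed above: the
# logo link really points at newegg.com, the "order" links at roidesrois.org.
# The IP-address link and the look-alike domain are added here to exercise the
# remaining rules; they are not from the original e-mail.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, your order has been charged.</p>
<a href="http://www.newegg.com/index.aspx?nm_mc=TEMC-Payment-Charged-US">Newegg</a>
<a href="http://roidesrois.org/6qawKCpK/index.html">View your order</a>
<a href="http://roidesrois.org/6qawKCpK/index.html">http://www.newegg.com/myaccount</a>
<a href="http://192.0.2.10/login">Sign in to your account</a>
<a href="http://www.newegg.com.example.net/">Newegg Support</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host, domain):
    """True for the domain itself or a real subdomain of it. A plain
    endswith(domain) check would wrongly accept 'www.newegg.com.example.net'."""
    return host == domain or host.endswith("." + domain)


def check_links(html, expected_domain):
    """Return [(href, reasons)]; an empty reasons list means the link points
    where mail from expected_domain should point."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if is_ip_literal(host):
            reasons.append("bare IP address")
        elif not belongs_to(host, expected_domain):
            reasons.append("host %s is not under %s" % (host, expected_domain))
        # The visible text is what the reader believes; the href is the truth.
        if text.lower().startswith("http") and host_of(text) != host:
            reasons.append("visible text names a different host than the href")
        results.append((href, reasons))
    return results


def suspicious_links(html, expected_domain):
    """Just the hrefs you should not click."""
    return [href for href, reasons in check_links(html, expected_domain) if reasons]


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL_HTML, "newegg.com"):
        print("%-3s %s  %s" % ("BAD" if reasons else "OK", href, "; ".join(reasons)))
```

Run against the constructed body, only the logo link comes back clean; the two roidesrois.org links, the IP-address link and the look-alike domain are all flagged, and the third link is flagged twice because its visible text claims www.newegg.com while its href goes elsewhere.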

Disclaimer: The email evaluated here was picked at random from forwarded emails and did not originate from Newegg, as the fraudulent email claims. Newegg is a great online merchant with an excellent reputation; this post has no intent to undermine that reputation.

Digital identity, gone…

In one form or another, we all use cloud-based identity, where we rely on the cloud service provider to keep our identity and data secure. Some cloud service providers are obvious (like iCloud from Apple), while others (such as Amazon, Google, and Microsoft) are less so. In both cases, these services may offer you email accounts, storage for pictures and documents, and sometimes even online backup of your systems for free or at minimal cost. The chances are that you have a number of accounts with these cloud-based services (Amazon, Apple, Gmail, etc.) that together represent your digital identity on the internet.

Most of your accounts are “daisy chained” together, and hackers getting into one could gain access to and control of all of them. Once hackers hold your digital identity, it can be exploited for financial gain, used to ruin your reputation, or simply erased. None of these outcomes is desirable, but the threat is very real.

Certainly, using the same weak password for all of these cloud-based services makes it easy to steal your digital identity; however, even different, strong passwords do not secure it. The simple reason is the procedure the cloud service providers use to reset your password. These procedures rely on your email and billing address, phone number, the last four digits of the credit card number on file, Social Security number, and so on. The problem is that these are identifiers, not authenticators. Some of that information is publicly available on the web, such as email addresses, physical addresses and phone numbers. The last four digits of a credit card may be insignificant to one service provider while another accepts them as an authenticator: in the incident described below, Amazon treated the last four digits of a credit card number as insignificant, while Apple accepted the same digits as proof of identity. Note also that the last four digits of your credit card number appear on the numerous receipts that most people collect in a day and simply discard.

Hackers do not need to guess your password or obtain it by other means; they simply exploit the differing account-recovery procedures of the service providers to gain control of your online identity. It recently happened to Mat Honan, a tech writer at Wired. Just as the cloud accounts are daisy chained, the hackers followed the chain into Mat’s digital identity by:

  1. Collecting the target’s name, an associated e-mail address, and the billing address used at Amazon;
  2. Calling Amazon customer service with this information and adding a new credit card number to the account;
  3. Calling Amazon customer service again and claiming to have lost access to the e-mail address on file;
  4. Giving the name, billing address, and the credit card number from step two, on which Amazon changes the e-mail address on file to the attacker’s “new” address;
  5. Requesting a password reset online for the Amazon account, which is sent to the e-mail address specified in step four;
  6. Logging in to the Amazon account and viewing the last four digits of the credit card numbers on file;
  7. Calling AppleCare and requesting a password reset for the “@me.com” e-mail account;
  8. Providing AppleCare with the name, address, and the last four digits of a credit card number from step six, on which AppleCare resets the password over the phone;
  9. Using the web-based Gmail password reset, whose reset e-mail is sent to the “@me.com” address;
  10. Accessing any other cloud service, such as Twitter, that relies on the Google identity;
  11. Once done with the stolen digital identity, erasing it: deleting the Amazon and Google accounts and using “Find My iPhone, iPad, MacBook” to remotely wipe the devices.
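The chain above is a dependency graph: each recovery procedure accepts some identifiers and hands the caller a new fact that unlocks the next procedure. The script below is an added example written for this page, not part of the original post: it encodes the steps as rules, computes what an attacker holding only a name, an e-mail address and a billing address ends up with, and then shows what a single change (AppleCare also demanding something the attacker cannot collect, modelled here as the hypothetical fact “apple_otp”) would have cut off. The rule set is a reconstruction of the chain as described above, not any provider’s actual policy then or now.

```python
# Each rule: (channel the attacker talks to, facts needed, facts gained).
# Reconstructed from the numbered steps above; the providers changed these
# procedures after the incident, so this is a model, not current policy.
RECOVERY_RULES = [
    ("Amazon phone support", {"name", "email", "billing_address"}, {"amazon_card_added"}),
    ("Amazon phone support", {"name", "billing_address", "amazon_card_added"}, {"amazon_email_changed"}),
    ("Amazon web reset", {"amazon_email_changed"}, {"amazon_login"}),
    ("Amazon account page", {"amazon_login"}, {"card_last4"}),
    ("AppleCare phone", {"name", "billing_address", "card_last4"}, {"icloud_login"}),
    ("Gmail web reset", {"icloud_login"}, {"gmail_login"}),
    ("Twitter (Google sign-in)", {"gmail_login"}, {"twitter_login"}),
    ("Find My iPhone", {"icloud_login"}, {"remote_wipe"}),
]

# What the attacker starts with: identifiers, all obtainable from public sources.
PUBLIC_IDENTIFIERS = {"name", "email", "billing_address"}


def takeover_closure(starting_facts, rules):
    """Apply rules until nothing new is gained (a fixpoint). Returns the set of
    facts the attacker ends up holding and the order in which they were won."""
    held = set(starting_facts)
    path = []
    progressed = True
    while progressed:
        progressed = False
        for channel, needs, gains in rules:
            if needs <= held and not gains <= held:
                held |= gains
                path.append((channel, sorted(gains)))
                progressed = True
    return held, path


def require_extra(rules, channel, extra_fact):
    """Copy of the rule set in which `channel` also demands `extra_fact`,
    e.g. a one-time code that identifiers alone cannot produce."""
    return [
        (c, (needs | {extra_fact}) if c == channel else needs, gains)
        for c, needs, gains in rules
    ]


def reachable(starting_facts, rules):
    """Just the final set of facts; handy for comparing two rule sets."""
    return takeover_closure(starting_facts, rules)[0]


if __name__ == "__main__":
    held, path = takeover_closure(PUBLIC_IDENTIFIERS, RECOVERY_RULES)
    for channel, gained in path:
        print("%-26s -> %s" % (channel, ", ".join(gained)))
    hardened = require_extra(RECOVERY_RULES, "AppleCare phone", "apple_otp")
    print("with AppleCare hardened, still reachable:",
          sorted(reachable(PUBLIC_IDENTIFIERS, hardened) - PUBLIC_IDENTIFIERS))
```

With the rules as written, the closure reaches remote_wipe in a single pass. Requiring one extra, non-identifier fact at AppleCare leaves the Amazon account (and the card’s last four digits) exposed but stops the chain there; requiring it at Amazon phone support instead stops the chain before it starts. That is the point of the “identifiers are not authenticators” argument: the weakest recovery channel decides what the whole chain is worth.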

While most people believe their data is secure with cloud-based services, that is not the case, as this incident underlines. Erasing the digital identity of an individual has consequences; erasing the digital identity of a business would be catastrophic. And that could happen to businesses that rely on “free” cloud services, such as WordPress hosting the business website while the business e-mail address ends with “@gmail.com”, “@aol.com”, “@hotmail.com”, etc. When it happens, your business disappears from the web and your customers cannot reach you by e-mail. If you use an iPhone for your business, and possibly Android and Windows-based smartphones as well, your customers will not be able to reach you by phone either.

The cloud service providers will certainly change their authentication systems to disable this “daisy chain” style of identity theft. That will force hackers to change their methods, which in turn will trigger further changes in the authentication systems. Regardless of how the authentication systems change, it is the owner of the digital identity who needs to protect it, especially in the case of a business.

In addition to backing up business data “offline”, a business should ensure that it does not use:

  1. Free email services, such as Gmail, Hotmail, AOL, etc., to conduct business;
  2. Free web hosting services for web presence;
  3. Same credit card number for all cloud service providers;
  4. “Find my device and erase it” type services.

Most businesses already have a domain name, such as “mybusiness.com”. If yours does not, register one. Have the domain hosted by a web hosting service that provides e-mail, and use “@mybusiness.com” addresses to conduct business. An added benefit is that “@mybusiness.com” looks more professional to potential customers than “@gmail.com”. Free services certainly help the bottom line; however, a stolen digital identity is one of the prices a business may pay for them in the near future. Thanks to technological advances, hosted domains are no longer prohibitively expensive, even for small businesses.

Do not wait to secure your business until it is too late. Do it now, with the information currently available, and keep updating your security plan as the online environment evolves.

WordPress security…

WordPress has become the most widely used blogging software and runs about 10% of all websites on the Internet. Its popularity has been fueled by the easy installation and management of WordPress-based sites. That’s the good news.

The bad news is that most people using WordPress do not change the default administrator account (“admin”) or the default database table prefix (“wp_”) when they install it. Why is that bad news? Hackers’ automated scripts and bots assume those defaults: a known administrator username leaves only the password to guess in a brute-force login attempt, and a known table prefix lets a generic SQL injection payload name your tables (wp_users, wp_options, wp_posts) without first having to discover them, which is how such scripts insert content and links into your site. Changing the administrator account name and the database prefix at installation time defeats most of these generic scripts and bots, though not a targeted attacker.

If you did not change the default values, like most WordPress users, you can still change them without much impact on your “live” site. Before changing anything, back up your WordPress database, and pay close attention to the syntax of the commands you execute.

Let’s change the default administrator account, “admin”, first:

  1. Log in to your blog as “admin” and create a new user account, “newadmin” or any name of your choice, with the Administrator role
  2. Log out as “admin” and log in with your new administrator account
  3. Delete the original “admin” account; when WordPress asks what to do with its content, choose to attribute all posts and pages to your new administrator account rather than deleting them

Rather than the suggested “newadmin”, pick a name of your own that an attacker could not guess.

Changing the database prefix is easier: use the Better WordPress Security plugin.

Among other nifty security checks and configuration changes, this plugin can back up the database, rename the tables to a new prefix, and update the $table_prefix setting in wp-config.php to match. Wherever “newprefix” appears below, substitute the prefix you actually chose.

Unfortunately, the plugin does not replace the “wp_” prefix inside the option_name and meta_key values stored in the options and usermeta tables (WordPress keeps, for example, wp_user_roles in options and wp_capabilities and wp_user_level in usermeta, all named after the table prefix). You can verify this by running the SQL queries:

-- newprefix_ stands for the prefix you chose. In LIKE, '_' matches any single
-- character, so it is escaped as '\_' to match the literal underscore in 'wp_'.
SELECT *
FROM newprefix_options
WHERE option_name LIKE 'wp\_%';

SELECT *
FROM newprefix_usermeta
WHERE meta_key LIKE 'wp\_%';

You can use the phpMyAdmin GUI to rename the prefix inside the newprefix_options and newprefix_usermeta tables; it is about 20 to 30 entries. Alternatively, run a few more SQL queries.

If you don’t feel comfortable running SQL queries, have someone do it for you. Depending on your MySQL version, the syntax below may need adjusting. “newprefix” in the statements below stands for the prefix you chose in the previous step, and only the leading “wp_” is rewritten: a plain REPLACE() would also alter a “wp_” that happens to occur in the middle of an unrelated key name.

Replace the “wp_” prefix inside the newprefix_options table:

-- Rewrites only the leading 'wp_' (3 characters, so the rest starts at position 4).
UPDATE newprefix_options
SET option_name = CONCAT('newprefix_', SUBSTRING(option_name, 4))
WHERE option_name LIKE 'wp\_%';

And finally, replace the “wp_” prefix inside the newprefix_usermeta table:

UPDATE newprefix_usermeta
SET meta_key = CONCAT('newprefix_', SUBSTRING(meta_key, 4))
WHERE meta_key LIKE 'wp\_%';

Will changing the WordPress defaults make your blog hacker-proof? Not really; you have just made your blog more resistant to hackers’ automated scripts and bots. A joke explains it best:

Joe and Tom go camping and set up their tent in the woods. Late at night they hear a worrisome noise in the forest and see a grizzly coming toward them. Joe panics, while Tom calmly puts on his sneakers.
Joe looks at him and says, “What are you doing? You are not going to outrun the bear!”
Tom replies, “I don’t have to, I just need to outrun you…”

When you replace the default WordPress values, you have just put on your sneakers…