Definition: Ransomware

Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim in exchange for the decryption key needed to restore access to the data.

Victims are shown instructions for how to pay a fee to get the decryption key. The demand can range from a few hundred dollars to many thousands, typically payable in hard-to-trace cryptocurrency such as Bitcoin. Paying does not guarantee that a working key will be delivered, which is why tested backups kept disconnected from the network are the real defense.

Definition: Consent Phishing

A “consent phishing” scam is an attempt by adversaries to get employees to grant a malicious application permissions that allow it to access sensitive data or perform unwanted actions in their account. No malware is installed and no password is stolen; the victim’s own click on Accept is the compromise.

Consent phishing abuses the OAuth 2.0 authorization framework. By implementing OAuth in an app or website, a developer lets a user grant that app access to certain data held by a provider (mail, files, contacts) without ever handing the app their password or other credentials.

Used by a variety of online companies including Microsoft, Google, and Facebook, OAuth (together with OpenID Connect, which layers sign-in on top of it) is a way to simplify the login and authorization process for apps and websites through a single sign-on mechanism. However, as with many technologies, OAuth can be used for both beneficial and malicious purposes: the same consent screen that lets a legitimate calendar app read your calendar lets a malicious one read your mail.

Microsoft details the problem step by step in its blog post:

  1. An attacker registers an app with an OAuth 2.0 provider.
  2. The app is configured in a way that makes it seem trustworthy, such as using the name of a popular product used in the same ecosystem.
  3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or through other techniques.
  4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  5. If a user clicks Accept, they grant the app permissions to access sensitive data.
  6. The app gets an authorization code, which it redeems for an access token, and potentially a refresh token.
  7. The access token is used to make API calls on behalf of the user.
  8. The attacker can then gain access to the user’s mail, forwarding rules, files, contacts, notes, profile, and other sensitive data.
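The link in step 3 is an ordinary OAuth 2.0 authorization request, and everything that matters for triage is visible in its query string before anyone clicks Accept. The following is an added example, not code from the Microsoft post summarised above: it parses such a link and scores the requested scopes, the app identity and the redirect target. The scope names follow the Microsoft Graph naming that step 8 describes (mail, forwarding rules, files, contacts); the weights, thresholds, sample URLs and approved-app lists are assumptions made for illustration.

```python
"""Triage an OAuth 2.0 consent link before anyone clicks Accept.

Added example; this is not code from the Microsoft post summarised above.
The query parameters (client_id, redirect_uri, scope) are standard OAuth 2.0
authorization-request fields; the scope names follow the Microsoft Graph
naming used in the post's step 8 (mail, forwarding rules, files, contacts).
The weights, thresholds and sample URLs below are assumptions for illustration.
"""
from __future__ import annotations
from urllib.parse import urlparse, parse_qs

# Weight per scope. offline_access is what turns a single click into a
# long-lived refresh token (step 6); the others map to what step 8 says
# a consented app can read or change. Unlisted scopes get weight 1.
SCOPE_WEIGHT = {
    "openid": 0, "profile": 0, "email": 0, "user.read": 0,
    "contacts.read": 2, "notes.read.all": 2,
    "offline_access": 3, "mail.read": 3, "files.read.all": 3,
    "mail.readwrite": 4, "mail.send": 4, "files.readwrite.all": 4,
    "mailboxsettings.readwrite": 4,   # enough to add a forwarding rule
}

def parse_consent_url(url: str) -> dict:
    """Pull the fields an analyst needs out of an authorization request URL."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    raw_scopes = query.get("scope", [""])[0].split()
    # Scopes may be written as full URIs (https://graph.microsoft.com/Mail.Read);
    # keep the trailing name, lower-cased, so both spellings compare equal.
    scopes = [s.rsplit("/", 1)[-1].lower() for s in raw_scopes]
    redirect = query.get("redirect_uri", [""])[0]
    return {
        "provider_host": (parsed.hostname or "").lower(),
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": (urlparse(redirect).hostname or "").lower(),
        "scopes": scopes,
    }

def assess_consent_url(url: str, approved_client_ids: frozenset = frozenset(),
                       approved_redirect_hosts: frozenset = frozenset()) -> dict:
    """Score a consent URL; higher means a more damaging grant if accepted."""
    info = parse_consent_url(url)
    score, reasons = 0, []
    for scope in info["scopes"]:
        weight = SCOPE_WEIGHT.get(scope, 1)
        score += weight
        if weight >= 3:
            reasons.append(f"scope {scope} grants broad access")
    if "offline_access" in info["scopes"]:
        reasons.append("offline_access: refresh token outlives the session")
    if info["client_id"] not in approved_client_ids:
        score += 2
        reasons.append(f"client_id {info['client_id']} is not an approved app")
    if info["redirect_host"] not in approved_redirect_hosts:
        score += 2
        reasons.append(f"tokens would be delivered to {info['redirect_host']}")
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return {"verdict": verdict, "score": score, "reasons": reasons, **info}

# Constructed sample links (assumed; not real apps, tenants or domains).
SUSPICIOUS_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupgrade-office365.example.net%2Fcallback"
    "&scope=openid%20offline_access%20Mail.Read%20Files.Read.All%20MailboxSettings.ReadWrite"
)
BENIGN_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
    "&redirect_uri=https%3A%2F%2Fintranet.example.com%2Fauth"
    "&scope=openid%20profile%20User.Read"
)
APPROVED_CLIENTS = frozenset({"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"})
APPROVED_REDIRECTS = frozenset({"intranet.example.com"})

if __name__ == "__main__":
    for link in (SUSPICIOUS_LINK, BENIGN_LINK):
        result = assess_consent_url(link, APPROVED_CLIENTS, APPROVED_REDIRECTS)
        print(result["verdict"], result["score"], result["reasons"])
```

The two things worth noticing in the output are that the sign-in scopes (openid, profile, User.Read) cost nothing, because they are what a legitimate single sign-on needs, while offline_access plus any mail or files scope is exactly the combination step 8 warns about; and that the redirect host is where the authorization code (and so the tokens) will end up, which is why an unfamiliar one is scored on its own.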

“Part of the problem is that most users don’t understand what is happening,” Roger Grimes, data driven defense evangelist at KnowBe4 said. “They don’t know that a sign-on that they’ve used with Gmail, Facebook, Twitter or some other OAuth provider is now automatically being called and used or abused by another person. They don’t understand the permission prompts either. All they know is they clicked on an email link or an attachment and now their computer system is asking them to confirm some action that they really don’t understand.”

Definition: Fleeceware

Fleeceware: apps which are marketed as “free” but which then trick the user into subscribing to paid services (which are available free elsewhere), often for excessive fees.

Common examples are horoscope apps, QR code or barcode scanners, and face filter apps targeted at younger users. Publishers of fleeceware target users who may be less cognizant of, or sensitive to, initial fees and recurring charges.

Often users are hooked by free trials which turn out to be difficult to cancel after the “free” period has lapsed.

These are currently most common as phone apps (both iPhone and Android), but the same techniques can be found in some desktop applications as well.

Definition: Watering-hole campaigns

Watering-hole campaigns plant malicious code on websites that a target group already visits, either by compromising a legitimate site or by setting up a site with content that group wants and seeding links to it on discussion boards and social media to cast a wide net. When a visitor loads the page, code running in the background tries to exploit the browser or its plugins, or tricks the visitor into downloading a “required” update, and so infects them with malware. The visitor did nothing unusual, which is what makes the technique effective.

SSL Security Certificates and https://

What is an SSL Certificate and what does it do for me?

An SSL/TLS certificate lets your site serve its pages – and receive input from visitors – over an encrypted connection. This means that if either side sends sensitive data, it becomes extremely difficult for anyone on the network path to read or alter what is being sent. It is an important tool to thwart Man-In-The-Middle attacks.

The https:// at the start of an address means the HTTP traffic is carried over TLS (Transport Layer Security, the successor to the older Secure Sockets Layer, whose name “SSL” has stuck). It signifies only that the data travelling between your browser and the site is encrypted in transit and cannot be read or silently modified by third parties along the way.

We’re advised never to send sensitive information to a website that does not show https:// and a padlock icon in the address bar, since over plain http:// pretty much anyone on the same network can read it if they know how.

However, security expert Brian Krebs points out that the presence of “https://” or a padlock in the browser address bar does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.

Here’s a sobering statistic: according to PhishLabs, by the end of 2019 roughly three-quarters (74 percent) of all phishing sites were using SSL certificates.

The reason Mr. Krebs brings this up is that “many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.”

The problem is that those government sites are misinforming the public with statements such as “The https:// ensures that you are connecting to the official website….”

No, it does NOT.

All it ensures is that you’re connected, without eavesdroppers, to whichever site owns the domain name in your address bar. The certificate binds a key to that domain name and nothing more: it says nothing about who registered the domain or whether the site is well run. It’s not particularly difficult to obtain a .gov domain name, and it’s a fairly trivial exercise these days to get a basic SSL certificate (free, automated issuance takes minutes). So all that the https:// on a .gov site ensures is that someone got a .gov domain name and put a certificate on it – nothing more.

The moral? Make sure you’re going to the right site, checking the domain name itself rather than the padlock, both for government sites and for anything else you do online.

Original article at Krebs On Security
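To make the distinction concrete, here is an added example (not code from Krebs’ article or from any browser) of the one name check a browser performs before showing the padlock, followed by a separate check a user has to do for themselves. The browser asks whether a Subject Alternative Name in the certificate matches the hostname in the address bar; san_matches() applies the RFC 6125 rules in simplified form (exact match, or a single wildcard in the left-most label that never spans a dot). lookalike_of() is a crude heuristic of my own for the “make sure you’re going to the right site” step: it compares the domain against the ones the user actually means to visit. All hostnames and certificates are constructed for illustration.

```python
"""What the padlock actually verifies, and what it leaves to you.

Added example, not code from Krebs' article or from any browser. A browser
shows the padlock when, among other checks, one of the certificate's Subject
Alternative Names matches the hostname in the address bar; san_matches()
follows the RFC 6125 rules in simplified form (exact match, or one wildcard
in the left-most label that never spans a dot). lookalike_of() is a crude
heuristic of my own for the "make sure you're going to the right site" step.
All hostnames and certificates below are constructed for illustration.
"""
from __future__ import annotations
import re

def san_matches(hostname: str, san: str) -> bool:
    """True if one dNSName entry from the certificate covers hostname."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    suffix = san[1:]                       # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]         # the part the wildcard stands for
    return bool(left) and "." not in left  # one label only; never the bare domain

def certificate_matches(hostname: str, sans: list) -> bool:
    """The name check a browser performs: any SAN covering the address-bar host."""
    return any(san_matches(hostname, s) for s in sans)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching paypa1.com-style typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(hostname: str, trusted: list, max_distance: int = 2):
    """Return the trusted domain this host imitates, or None.
    Real subdomains of a trusted domain are not lookalikes."""
    host = hostname.lower().rstrip(".")
    for t in (d.lower() for d in trusted):
        if host == t or host.endswith("." + t):
            return None
    registrable = ".".join(host.split(".")[-2:])   # crude: last two labels
    labels = re.split(r"[.-]", host)
    for t in (d.lower() for d in trusted):
        brand = t.split(".")[0]                     # "paypal" from "paypal.com"
        if edit_distance(registrable, t) <= max_distance or brand in labels:
            return t
    return None

def padlock_verdict(address_bar_host: str, cert_sans: list, trusted: list) -> dict:
    """Padlock = name binding only. Whether it is the *right* name is separate."""
    return {
        "padlock": certificate_matches(address_bar_host, cert_sans),
        "lookalike_of": lookalike_of(address_bar_host, trusted),
    }

TRUSTED = ["paypal.com", "irs.gov"]   # the sites the user actually means to visit

if __name__ == "__main__":
    # A typosquat with its own perfectly valid certificate gets the padlock.
    print(padlock_verdict("paypa1.com", ["paypa1.com", "www.paypa1.com"], TRUSTED))
    print(padlock_verdict("secure-login-paypal.com", ["secure-login-paypal.com"], TRUSTED))
    print(padlock_verdict("www.paypal.com", ["*.paypal.com"], TRUSTED))
```

The first two results have the padlock set and a lookalike named: the certificate check passed because each site holds a certificate for its own name, which is all a certificate authority will ever confirm. Only the last, a real subdomain of the intended site, is both padlocked and genuine.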

Definition: Man-In-The-Middle (MITM) attack

Written by a NortonLifeLock employee

A man-in-the-middle attack requires three players. There’s the victim, the entity with which the victim is trying to communicate, and the “man in the middle,” who’s intercepting the victim’s communications. Critical to the scenario is that the victim isn’t aware of the man in the middle.

How does a man-in-the-middle attack work?

How does this play out? Let’s say you received an email that appeared to be from your bank, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s website, where you log in and perform the requested task.

In such a scenario, the man in the middle (MITM) sent you the email, making it appear to be legitimate. (This attack also involves phishing, getting you to click on the email appearing to come from your bank.) He also created a website that looks just like your bank’s website, so you wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when you do that, you’re not logging into your bank account, you’re handing over your credentials to the attacker.

MITM attacks: Close to you or with malware

Man-in-the-middle attacks come in two forms: one that involves a position on the network path between the victim and the service (for example on the same Wi-Fi network), and another that involves malicious software, or malware, running on the victim’s device. This second form is also called a man-in-the-browser attack. (The fake bank email above is, strictly, phishing: the attacker is not relaying traffic to the real bank but simply collecting what the victim types.)

Cybercriminals typically execute a man-in-the-middle attack in two phases: interception and decryption.

With a traditional MITM attack, the cybercriminal needs a position on the victim’s network path, most often by gaining access to an unsecured or poorly secured Wi-Fi network. These are generally found in public areas with free Wi-Fi hotspots, and even in some people’s homes if they haven’t protected their network. Attackers can scan the router for specific weaknesses such as a default or weak administrator password.

Once attackers are on a vulnerable network, they can deploy tools to intercept the victim’s traffic (on a local network, impersonating the gateway is enough to route the victim’s packets through the attacker’s machine). They then insert themselves between the victim’s computer and the websites the user visits to capture login credentials, banking information, and other personal information.

A successful man-in-the-middle attack does not stop at interception. If the victim’s traffic is encrypted, the attacker must also defeat that encryption, by keeping the victim on plain HTTP, presenting a forged certificate the victim accepts, or reading the traffic from inside the browser, before the attacker can read and act upon it.

What is a man-in-the-browser attack?

With a man-in-the-browser attack (MITB), an attacker needs a way to inject malicious software, or malware, into the victim’s computer or mobile device. One of the ways this can be achieved is by phishing.

Phishing is when a fraudster sends an email or text message to a user that appears to originate from trusted source, such as a bank, as in our original example. By clicking on a link or opening an attachment in the phishing message, the user can unwittingly load malware onto their device.

The malware then installs itself on the browser without the user’s knowledge. The malware records the data sent between the victim and specific targeted websites, such as financial institutions, and transmits it to the attacker.

7 types of man-in-the-middle attacks

Cybercriminals can use MITM attacks to intercept or redirect a victim’s traffic in a variety of ways.

1. IP spoofing

Every device capable of connecting to the internet has an internet protocol (IP) address, which is similar to the street address for your home. By spoofing an IP address, an attacker can trick you into thinking you’re interacting with a website or someone you’re not, perhaps giving the attacker access to information you’d otherwise not share.

2. DNS spoofing

Domain Name System (DNS) spoofing is a technique that answers a user’s name lookups with the attacker’s address, sending them to a fake website rather than the real one they intend to visit. If you are a victim of DNS spoofing, you may think you’re visiting a safe, trusted website when you’re actually interacting with a fraudster. The perpetrator’s goal is to divert traffic from the real site or capture user login credentials.

3. HTTPS spoofing

When doing business on the internet, “HTTPS” in the URL rather than “HTTP” is a sign that the connection to the website is encrypted (the “S” stands for “secure”), not that the site itself is trustworthy (see the SSL section above). In HTTPS spoofing an attacker fools your browser into believing it’s on a trusted website when it’s not, for example with a lookalike domain that carries its own valid certificate, or by keeping you on an unencrypted http:// version of the page so the attacker can monitor your interactions and steal the personal information you share.

4. SSL hijacking

When your device connects to an unsecured server, indicated by “HTTP,” the server can often automatically redirect you to the secure version, indicated by “HTTPS.” A connection to a secure server means standard security protocols are in place, protecting the data you share with that server. SSL stands for Secure Sockets Layer, the original protocol (since replaced by TLS) that establishes encrypted links between your browser and the web server.

In SSL hijacking (also called SSL stripping), the attacker sits between you and the server, makes the real HTTPS connection to the server himself, and serves you a plain HTTP copy of the pages, intercepting all the information passing between the server and your computer. The attack depends on that first unencrypted http:// request; a site that sends the HTTP Strict Transport Security (HSTS) header tells your browser never to make one again.

5. Email hijacking

Cybercriminals sometimes target email accounts of banks and other financial institutions. Once they gain access, they can monitor transactions between the institution and its customers. The attackers can then spoof the bank’s email address and send their own instructions to customers. This convinces the customer to follow the attackers’ instructions rather than the bank’s. As a result, an unwitting customer may end up putting money in the attackers’ hands.

6. Wi-Fi eavesdropping

Cybercriminals can set up Wi-Fi access points with legitimate-sounding names, similar to a nearby business. Once a user connects to the fraudster’s Wi-Fi, the attacker will be able to monitor the user’s online activity and intercept login credentials, payment card information, and more, at least for anything sent without encryption. This is just one of several risks associated with using public Wi-Fi.

7. Stealing browser cookies

To understand the risk of stolen browser cookies, you need to understand what one is. A browser cookie is a small piece of information a website stores on your computer.

For example, an online retailer might store the personal information you enter and shopping cart items you’ve selected on a cookie so you don’t have to re-enter that information when you return.

A cybercriminal who captures these cookies, for instance over an unencrypted connection on open Wi-Fi, can hijack your browsing session. Since cookies carry the session token that proves to the site you have already logged in, the attacker can act as you without ever learning your password.
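Two of the attacks above, SSL hijacking and cookie theft, succeed or fail on response headers the site controls. The following is an added example, not from the Norton article: it parses the Strict-Transport-Security header (a missing or short one lets the first http:// request be kept on plaintext) and each Set-Cookie header (a session cookie without the Secure flag is sent over http://, where an eavesdropper on the hotspot can read it), and reports a weak configuration beside the corrected one. The header sets are constructed; the one-year max-age minimum is the value the browsers’ HSTS preload list requires.

```python
"""Audit the response headers that decide whether SSL stripping and cookie
theft over Wi-Fi are possible.

Added example; not from the Norton article reproduced above. It covers two
of the attacks listed there: SSL hijacking (a missing or weak
Strict-Transport-Security header lets the first http:// request be kept
on plaintext) and cookie theft (a session cookie without the Secure flag is
sent over http:// where an eavesdropper can read it). The header sets are
constructed; the one-year HSTS minimum is the value browsers' preload list
requires.
"""
from __future__ import annotations

ONE_YEAR = 31536000   # seconds; the minimum max-age for the HSTS preload list

def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security header into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                out["max_age"] = int(part.split("=", 1)[1].strip('"'))
            except ValueError:
                pass                     # malformed value: treated as absent
        elif part == "includesubdomains":
            out["include_subdomains"] = True
        elif part == "preload":
            out["preload"] = True
    return out

def parse_set_cookie(value: str) -> tuple:
    """Return (cookie name, {attribute: value or True}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs

def audit_response(headers: list) -> list:
    """headers: (name, value) pairs from an HTTPS response. Returns findings."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS: browser will still try http:// first next time, "
                        "so an attacker on the path can keep you on plaintext")
    else:
        h = parse_hsts(hsts[0])
        if h["max_age"] is None or h["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {h['max_age']} is below one year")
        if not h["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains: a cookie set for the parent "
                            "domain can still leak via an http:// subdomain")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: sent over http://, readable on open Wi-Fi")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} lacks SameSite: attached to cross-site requests")
    return findings

# Constructed responses: the weak configuration beside the corrected one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

Run against a real site’s headers (captured with the browser’s developer tools, say), the weak case is the one to worry about: the session cookie is exactly the “browser cookie” of attack 7, and without Secure the browser will hand it to the attacker’s stripped http:// copy of the site from attack 4.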

How to help protect against a man-in-the-middle attack

With the amount of tools readily available to cybercriminals for carrying out man-in-the-middle attacks, it makes sense to take steps to help protect your devices, your data, and your connections. Here are just a few.

  • Make sure “HTTPS” — with the S — is in the URL bar of the websites you visit, and that the domain name is the one you expect: the padlock proves encryption, not identity.
  • Be wary of potential phishing emails from attackers asking you to update your password or any other login credentials. Instead of clicking on the link provided in the email, manually type the website address into your browser.
  • Avoid connecting directly to public Wi-Fi networks if you can. A VPN encrypts everything between your device and the VPN provider, so an attacker on the hotspot cannot read the passwords or credit card numbers you send through it.
  • Since MITB attacks rely on malware for execution, install a comprehensive internet security solution, such as Norton Security, on your computer, and always keep it up to date.
  • Be sure that your home Wi-Fi network is secure. Change all of the default usernames and passwords on your home router and all connected devices to strong, unique passwords, and keep the router’s firmware updated.

In our rapidly evolving connected world, it’s important to understand the types of threats that could compromise the online security of your personal information. Stay informed and make sure your devices are fortified with proper security.

Definition: Brute Force Attack

A brute force attack is an attempt to crack a password or username, find a hidden web page, or find the key used to encrypt a message by trying candidates one after another until one works. This is an old attack method, but it’s often still effective and popular with hackers.

Depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years. In fact, IBM reports that some hackers target the same systems every day for months and sometimes even years.

Guessing a password for a particular user or site can take a long time, so hackers developed tools to do the job faster.

Dictionaries are the most basic tool. Some hackers run through unabridged dictionaries and augment words with special characters and numerals, or use special-purpose word lists; this still costs one attempt per candidate, but it finds weak human-chosen passwords far faster than an exhaustive search.

Running such a list against one chosen username is known as a dictionary attack. Two variations matter for a website owner: credential stuffing, where username/password pairs leaked from other sites’ breaches are replayed, and password spraying, where one or two common passwords are tried against many usernames so that no single account trips a lockout.

Strong passwords are an important defense. One of the security plugins which ProtectYourWP.com installs on your web site checks your passwords against a database of usernames/email addresses and passwords which have been exposed in breaches (and are therefore available to hackers) and rejects any attempt to set them as your new password. ProtectYourWP.com also uses tools which recognize when multiple login attempts are being made and block the abuser’s attempts.
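The blocking logic is worth seeing in full, because the obvious version (count failures per IP address) misses password spraying. The following is an added example, not ProtectYourWP.com’s or Wordfence’s code: a sliding-window throttle that counts failures both per source IP, which catches the classic brute force against one account, and per username across all IPs, which catches a spray or a distributed attack that keeps each IP under the radar. It is replayed over a constructed authentication log; the log format, thresholds and addresses are assumptions.

```python
"""Sliding-window lockout for login failures, replayed over a constructed log.

Added example; this is not ProtectYourWP.com's or Wordfence's code. It shows
the logic behind "recognise multiple login attempts and block": failures are
counted per source IP (classic brute force against one account) and per
username across all IPs (a spray or a distributed attack that keeps each IP
under the radar). Log format, thresholds and addresses are assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

class LoginThrottle:
    def __init__(self, window=timedelta(minutes=5), lockout=timedelta(minutes=15),
                 max_per_ip=5, max_per_user=10):
        self.window, self.lockout = window, lockout
        self.max_per_ip, self.max_per_user = max_per_ip, max_per_user
        self.by_ip = defaultdict(deque)      # ip -> timestamps of recent failures
        self.by_user = defaultdict(deque)    # user -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime

    def _prune(self, dq: deque, now: datetime) -> None:
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def record(self, now: datetime, ip: str, user: str, success: bool) -> str:
        """Return 'allow', 'block-ip' or 'lock-user' for this attempt."""
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return "block-ip"           # refused even if the password is right
        if success:
            self.by_ip[ip].clear()      # a real login resets the IP's counter
            return "allow"
        for dq in (self.by_ip[ip], self.by_user[user]):
            dq.append(now)
            self._prune(dq, now)
        if len(self.by_ip[ip]) >= self.max_per_ip:
            self.blocked_until[ip] = now + self.lockout
            return "block-ip"
        if len(self.by_user[user]) >= self.max_per_user:
            return "lock-user"          # many IPs, one account: needs out-of-band reset
        return "allow"

def replay(lines: list, throttle: LoginThrottle = None) -> list:
    """Feed log lines through the throttle in order; return one decision per line."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # unparseable line: skip, do not crash
        ts = datetime.fromisoformat(m["ts"])
        decisions.append(throttle.record(ts, m["ip"], m["user"], m["result"] == "success"))
    return decisions

# Constructed log: one IP hammering 'admin', then ten IPs spraying 'editor'.
SAMPLE_LOG = [f"2020-03-14T10:00:0{i} ip=203.0.113.7 user=admin result=fail" for i in range(5)]
SAMPLE_LOG.append("2020-03-14T10:00:05 ip=203.0.113.7 user=admin result=success")
SAMPLE_LOG += [f"2020-03-14T10:10:{i:02d} ip=198.51.100.{i + 1} user=editor result=fail"
               for i in range(10)]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{decision:10} {line}")
```

Note the sixth line of the sample: the attacker guesses the admin password correctly on the attempt right after the lockout started, and the throttle still refuses it. That is the point of a lockout, and it is also why the lockout duration has to be long enough to make the whole search impractical rather than merely slower.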

Definition: Phishing and Spear Phishing

Phishing is when a fraudster sends an email or text message to a user that appears to originate from a trusted source, such as a bank. By clicking on a link or opening an attachment in the phishing message, the user can unwittingly load malware onto their device or be lured into entering their login details on a fake version of the trusted site. The attackers may be after your passwords, account numbers, or Social Security numbers.

In the first case, the malware then installs itself on the browser without the user’s knowledge. The malware records the data sent between the victim and specific targeted websites, such as financial institutions, and transmits it to the attacker.

In the second, the user’s login details are recorded by the fake site. The user will often get a generic message indicating that the login failed or that the system is down for maintenance and they should try later.  Meanwhile, the criminals now have the actual login details and can clean out the account.

Spear phishing is similar but more targeted. While phishing is often performed in a shotgun approach, where the scammer sends email or text to a list of random addresses, spear phishing aims at a particular person or company, and often refers to people or circumstances known to the specific circle of targets.

Spear phishing can be quite convincing, whereas the shotgun style is often easier to spot – for instance, if you don’t have an account with the bank or other service the scam email uses as bait.

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment.

They may

  • say they’ve noticed some suspicious activity or log-in attempts
  • claim there’s a problem with your account or your payment information
  • say you must confirm some personal information
  • include a fake invoice
  • want you to click on a link to make a payment
  • say you’re eligible to register for a government refund
  • offer a coupon for free stuff
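Whatever the story, the message usually gives itself away in two places: a link whose visible text does not match where it really goes, and a Reply-To that leads somewhere other than the claimed sender. The following is an added example, not code from ProtectYourWP.com or from any mail filter, that checks both using only the standard library’s email and HTML parsers. The message, brand and domains are constructed, and the checks are heuristics; a real filter would also look at the Received path and SPF/DKIM results, which are outside this example.

```python
"""Spot the two give-aways of a phishing message: a link whose visible text
does not match where it really goes, and a Reply-To that leads somewhere
other than the claimed sender.

Added example; it is not code from ProtectYourWP.com or from any mail
filter. It uses only the standard library's email and HTML parsers. The
message, brand names and domains are constructed for illustration, and the
checks are heuristics: a real filter would also look at the Received path
and SPF/DKIM results, which are outside this example.
"""
from __future__ import annotations
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html: str) -> list:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

def host_of(text: str) -> str:
    """Hostname of a URL, or of bare 'www.example.com/path'-style text."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def on_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def analyze_message(raw: str, trusted_domains: list) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not the sender's {from_domain}")
    body = msg.get_payload(decode=True) or b""
    for href, text in extract_links(body.decode("utf-8", "replace")):
        href_host = host_of(href)
        if URL_LIKE.match(text) and host_of(text) != href_host:
            findings.append(f"link shows {host_of(text)} but goes to {href_host}")
            continue
        for domain in trusted_domains:
            brand = domain.split(".")[0]
            mentions = brand in text.lower() or brand in href_host
            if mentions and not on_domain(href_host, domain):
                findings.append(f"link mentions {brand} but goes to {href_host}")
                break
    return findings

# Constructed sample message (no real bank, no real domains).
SAMPLE_MESSAGE = """From: "Example Bank" <alerts@examplebank.com>
Reply-To: support@examplebank-verify.net
Subject: Suspicious activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual sign-in attempts. Please verify now:</p>
<p><a href="http://examplebank.com.login-verify.net/auth">https://www.examplebank.com/secure</a></p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_MESSAGE, ["examplebank.com"]):
        print("-", finding)
```

The first link is the classic trick: the bank’s real hostname appears twice, once as the visible text and once as a subdomain of the attacker’s domain, and only the host immediately before the first slash counts. The second link is genuine and produces no finding, which matters, since phishing kits routinely mix real links in to look legitimate.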

Fighting Phish

  1. Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
  2. Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
  3. Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in. This is called multi-factor authentication. The additional credentials you need fall into two categories:
    • Something you have — like a code from an authentication app or a hardware key. (A passcode sent by text message also counts, but it is the weakest option; see the 2-Factor Authentication section below.)
    • Something you are — like a scan of your fingerprint, your retina, or your face.
    Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
  4. Protect your data by backing it up. Back up your data and make sure those backups aren’t connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.

What to Do If You Suspect a Phishing Attack

If you get an email or a text message that asks you to click on a link or open an attachment, answer this question: Do I have an account with the company or know the person that contacted me?

If the answer is “No,” it could be a phishing scam. Go back and review the tips in How to recognize phishing and look for signs of a phishing scam. If you see them, report the message and then delete it.

If the answer is “Yes,” contact the company using a phone number or website you know is real, not the information in the email. Attachments and links can install harmful malware.

What to Do If You Responded to a Phishing Email

If you think a scammer has your information, like your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information that you lost.

If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software. Then run a scan.

How to Report Phishing

If you got a phishing email or text message, report it. The information you give can help fight the scammers.

Step 1. If you got a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org. If you got a phishing text message, forward it to SPAM (7726).

Step 2. Report the phishing attack to the FTC at ftc.gov/complaint.

Definition: 2-Factor Authentication

You have probably heard the words “2 Factor Authentication” (2FA), but do you understand the concept and the increased level of security it provides? (Even despite the mild annoyance factor.) And do you know the preferred way to set it up for your WordPress website?

The basic idea is that logging in requires more than just your user/password combination.  User names can be fairly easy for a hacker to discover, and there are many tools available for them to obtain likely passwords – from brute force attacks to “dark web” sites which sell lists of user/password or email/password combos stolen during the unfortunately high number of breaches over the years.

So we add a second factor – something you HAVE, which the hackers probably don’t have: typically your phone or other device. You enter the code from your device as the last step of logging in.

Note: there are methods which involve sending a code to a designated email account or an SMS text to your phone. The downside is that the hacker may already have gained access to your email too, and text messages can be intercepted or redirected to the attacker’s phone by a SIM swap, as happened in 2019 to the CEO of Twitter. Yes, any 2FA is safer than no 2FA, but email and text messages are not the safest way.

Right now (March 2020) the safest way to implement 2FA on your website is to use an Authenticator application – either on your phone or as a stand-alone device.

Well-known authenticator apps include Google Authenticator; the password managers 1Password and LastPass offer the same function as well.

Rather than send you an SMS or email, each of these apps shows you a six-digit code that changes every 30 seconds. The code is not random: it is computed from a secret the site shares with the app when you enrol (that is what the QR code carries) and the current time, so the app and the site always agree without the app ever contacting the site. The benefits of tying the codes to a device rather than to your phone number extend beyond security; apps like Google Authenticator keep working without an internet or cell connection. If 2FA has ever locked you out of Facebook on a flight, here’s some relief.

We suggest using one of the above authenticators along with the 2FA available through Wordfence, which we install on all our clients’ sites. Download the authenticator of your choice to your phone/tablet, log in to your web site as an administrator, go to the Wordfence menu in the left-hand navigation, and open Login Security.

You should now see a QR code (with a text key below it).  Follow the instructions at https://www.wordfence.com/help/tools/two-factor-authentication/ to get it set up.
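For anyone curious what the app does with that text key, here is an added example, not Wordfence’s or Google Authenticator’s code, though both implement the same standard (RFC 6238 TOTP, built on RFC 4226 HOTP). The text key under the QR code is the shared secret in base32; each 30-second code is HMAC-SHA1 of the secret and the current time step, truncated to six digits. The server-side verifier tolerates one step of clock skew and, as a caveat I added, refuses to accept the same code twice. The test secret is the one from RFC 6238 Appendix B; everything else is assumed.

```python
"""What an authenticator app does with the QR code / text key: RFC 6238 TOTP.

Added example; not Wordfence's or Google Authenticator's code, though both
implement the same standard (RFC 6238, built on RFC 4226 HOTP). The text key
shown under the QR code is the shared secret in base32; each 30-second code
is HMAC-SHA1(secret, time_step) truncated to six digits, so phone and server
agree without ever talking to each other. The replay check in TotpVerifier
is a server-side caveat I added: a code must never be accepted twice.
The test secret is the one from RFC 6238 Appendix B; everything else is assumed.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import struct
import time

def secret_from_text_key(text_key: str) -> bytes:
    """Decode the base32 text key shown during enrollment (spaces and case are cosmetic)."""
    key = text_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)          # restore padding apps usually drop
    return base64.b32decode(key)

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing for_time (seconds since epoch)."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                     # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server side: accept the code for the current step or its neighbours, once."""
    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_counter = -1            # highest step already used; blocks replay

    def verify(self, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        base = now // self.step
        for delta in range(-self.window, self.window + 1):   # tolerate clock skew
            counter = base + delta
            if counter <= self.last_counter:
                continue                  # already consumed (or older than one used)
            expected = totp(self.secret, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded
# the way an enrollment screen would show it.
RFC_TEXT_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    secret = secret_from_text_key(RFC_TEXT_KEY)
    print("current code:", totp(secret, int(time.time())))
    v = TotpVerifier(secret, digits=8)
    print(v.verify("94287082", now=59), v.verify("94287082", now=59))   # True, then False
```

Two practical consequences follow from the code. The secret is the whole game, so the text key should be treated like a password (it is exactly what an attacker needs to generate your codes), and the server must store it encrypted. And because the code depends only on the secret and the clock, a phished six-digit code is valid for the attacker for the rest of its 30-second step, which is why the YubiKey described below, whose response is bound to the real site, is the stronger option.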

It would be wise to require all Administrator and Editor level users on your site to implement 2FA. You get used to the extra step pretty quickly.

If you want to get really hard core, Yubico’s YubiKey is a hardware-based 2FA solution: a small key-shaped device that plugs into a USB port (USB-A and USB-C models exist, some with NFC for phones). It verifies authentication with a touch of a button instead of a typed code, and in its FIDO/U2F mode the key signs a challenge that includes the site’s real address, so a lookalike phishing site cannot reuse the response. YubiKeys are also very durable and waterproof, making them difficult to ruin. These are probably the most secure solution overall, but to my knowledge Wordfence does not yet support YubiKey.

Definition: Window of Vulnerability

A Window of Vulnerability, in the world of security research, exists from the time that a security hole is discovered by someone – be it the software developer, a security researcher, or a malicious player – until the time a fix has been released. During this time the ideal scenario is that the software vendor is made aware of the problem and feverishly works to fix it. Software developers are typically very quiet about vulnerabilities for which there is no fix yet. For users, the window only closes when the fix is actually installed, so the gap between a patch being released and being applied is part of the window too.