OneDrive Insurance Phishing Scam

This Friday (4/26/19) we investigated a phishing campaign for one of our insurance clients and we learned quickly that it spanned at least two other CNY area insurance companies.  For that reason Jim and I thought it was appropriate to blast out an ad-hoc "alert" to all of our insurance contacts.

Details

Here's what we know so far:

  • It appears that the email accounts of some of our local insurance colleagues have been compromised

  • The bad actors are then spamming everyone in the user's address book (mostly insurance colleagues)

  • The email is a file share request from Microsoft's OneDrive

  • The incredible thing is that in at least one case the file being shared is named "3rd Party Service Provider"

  • The text of the email is short and sweet, something like "please open the document"

  • The sender has "BCC'd" you; in other words, the "From" and "To" addresses are the same

In this case, "Think, Don't Click"

Here is a sample:

[Image: screenshot of the sample phishing email]



What if I clicked?

  • If you clicked on the OneDrive link, you're probably OK.  Clicking on the OneDrive link takes you to a PDF in OneDrive that is the phish.

  • However, if you clicked on the link inside that PDF, you might be in trouble!

If you clicked on the link in OneDrive:

  1. Change your email password immediately

  2. If it's been more than, say, 30 minutes, you may have been compromised and will need to have your account checked for signs of intrusion.

  3. Either call us immediately, call your IT support staff, or check the following:

    1. Check your Sent Items for emails you didn't send

    2. Check your Deleted Items for emails you didn't send

    3. In Outlook, click "Recover" at the top of your Deleted Items and check to see if there are emails you didn't send

      1. If there are no emails in your "Recover Deleted Items" folder, you've probably got a problem (intruders commonly purge it to cover their tracks)

    4. In Outlook, click "File" then "Manage Rules & Alerts" check for rules you didn't create

    5. In Outlook, click "File", then click the link next to Account Settings that says "Access this account on the web"

      1. Once there, make sure the "The new Outlook" slider in the upper-right corner is on

      2. Then click the settings "gear"

      3. Click "View all Outlook Settings" at the bottom

      4. Click "Forwarding"

      5. Ensure your email isn't being forwarded
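The same checks (forwarding, inbox rules, and who changed them), run from the admin side with the ExchangeOnlineManagement module. This is an added example, not part of the original alert; it assumes you are an Exchange Online admin with the module installed, and the $User value is a placeholder for the affected mailbox.

```powershell
# Added example: admin-side version of the mailbox checks above.
# Assumes the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement)
# and an account with Exchange admin rights. $User is a placeholder.
param([Parameter(Mandatory)][string]$User)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox-level forwarding (what the "Forwarding" page in Outlook on the web shows)
$mbx = Get-Mailbox -Identity $User
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Forwarding is set: SMTP=$($mbx.ForwardingSmtpAddress) Addr=$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
} else {
    Write-Host "No mailbox-level forwarding configured."
}

# 2. Inbox rules ("Manage Rules & Alerts"). Rules that forward mail out, delete it,
#    or move replies into an obscure folder are the classic sign of a hijacked mailbox.
$rules = Get-InboxRule -Mailbox $User
foreach ($r in $rules) {
    $flags = @()
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) { $flags += 'forwards/redirects' }
    if ($r.DeleteMessage) { $flags += 'deletes' }
    if ($r.MoveToFolder) { $flags += "moves to '$($r.MoveToFolder)'" }
    if ($flags.Count -gt 0) {
        Write-Warning ("Suspicious rule '{0}' (Enabled={1}): {2}" -f $r.Name, $r.Enabled, ($flags -join ', '))
    }
}
if (-not $rules) { Write-Host "No inbox rules found." }

# 3. Who created or changed rules/forwarding in the last week? The unified audit log
#    records the actor and client IP, which is the "signs of intrusion" check.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $User `
    -Operations New-InboxRule,Set-InboxRule,Set-Mailbox,UpdateInboxRules -ResultSize 200 |
    Select-Object CreationDate, Operations, UserIds,
        @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

A rule or forwarding change from an IP address your user never works from is the cue to reset the password again, revoke sessions, and start formal incident response.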

Stay safe and have a good weekend.  If you have questions please contact us, we're here to help!

Check your Antivirus

We’ve been involved with multiple organizations in the past three weeks that have responded to a serious security incident that was exacerbated by a lack of up-to-date antivirus. Each case took a very different turn:

  • one required significant effort by the company, their IT vendor and a forensic analysis by CDI;

  • the second is looking at probably $100,000 in lost business and professional remediation services;

  • a third instance cost a hospital about 80 hours of IT work, and countless hours in lost productivity;

  • and the fourth business is trying to figure out how to pay $30,000 in Bitcoin, and how to stay in business.

The Common Threads


In each of these cases, the company had premium, traditional antivirus, all from reputable vendors. However, in each case, at least one system, and in some cases many, were not properly protected. During the investigation of these companies, some systems had no antivirus, and some had out-of-date antivirus. In one case, the licensing had expired and the company was not receiving updates.

In all four cases, antivirus did not protect the systems and did not detect the issue. In two of the cases, Security Information and Event Management (SIEM) solutions detected and alerted on the problem AS IT HAPPENED. In the other two cases, hours or even days went by before someone noticed the issue.

In almost every case, an email phishing attack was the culprit. This reinforces the cliché that you’re only as strong as your weakest link.

What you should do

Here’s a checklist you should perform right now, before it’s too late:

  • Verify that your antivirus is licensed and up to date

  • Check every computer, especially your servers, to make sure that antivirus is enabled for real-time protection and is up to date

  • If you have more than 10 PCs or servers, you should have a centrally managed antivirus solution that lets you see whether everything is up to date and protected (Symantec, TrendMicro and Sophos Central are good options).

  • Always PAY for antivirus. Free antivirus isn’t good enough. Trust us, your business depends on it.

  • Run Windows Updates

  • Again, if you have more than 10 machines, you should be using Windows Server Update Services (WSUS) or a similar product to centrally manage Windows updates (it’s free with Windows, folks!)

  • Remind every employee of the importance of using caution with emails and potentially dangerous websites. Limit casual web browsing.

  • Check your backups! Test that you can restore data.
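A way to script the "enabled for real-time protection and up to date" check on each machine, as an added example that is not from the original post. It reads whatever product is registered with Windows Security Center (any vendor, workstations only) and falls back to Microsoft Defender on servers, which have no Security Center; the productState decoding follows the commonly documented hex layout and is an assumption you should sanity-check against one known-good machine.

```powershell
# Added example: per-machine antivirus health check. Run locally or via
# Invoke-Command across your fleet. Exit code 1 means "fix this box".
function Get-AvStatus {
    $results = @()
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
        foreach ($p in $products) {
            # productState is a bit field; as 6 hex digits, the middle pair is
            # on/off (10 or 11 = real-time on) and the last pair is freshness (00 = current).
            $hex = '{0:X6}' -f [int]$p.productState
            $results += [pscustomobject]@{
                Product  = $p.displayName
                Enabled  = ($hex.Substring(2, 2) -in '10', '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                Source   = 'SecurityCenter2'
            }
        }
    } catch {
        # Server SKUs have no Security Center namespace: ask Defender directly.
        $mp = Get-MpComputerStatus
        $results += [pscustomobject]@{
            Product  = 'Microsoft Defender'
            Enabled  = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
            UpToDate = ($mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-3))
            Source   = 'Get-MpComputerStatus'
        }
    }
    return $results
}

$status = Get-AvStatus
$status | Format-Table -AutoSize
# No product at all is as bad as a disabled or stale one.
if (-not $status -or ($status | Where-Object { -not ($_.Enabled -and $_.UpToDate) })) {
    Write-Warning "$env:COMPUTERNAME: antivirus missing, disabled or out of date."
    exit 1
}
```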

Over the next few weeks you should:

  • Look into “Next Generation Anti-Malware” products. These provide additional coverage beyond what the “traditional” antivirus companies provide

    • Malwarebytes, Sophos Intercept X, Carbon Black, etc. all fall into this category

  • Perform phishing exercises and security awareness training

    • Call Cyber Defense if you are interested in such a product/service

  • Review, update, and tabletop your incident response plan

  • Get a copy of your backups off site. Preferably 30 miles away or more.

  • Call Cyber Defense with any questions. We’re here to help prepare you for a big incident, but can get you started if something bad does happen.

Hurricane Florence and Disaster Recovery Planning

As Hurricane Florence is set to smash into the Carolinas today, it may have you thinking about how your business might fare in an unexpected disaster. Even if it didn’t, it sure crossed our minds.

Some businesses have a strong record of surviving disasters, even using it as a competitive advantage. Below is a link to a 2011 article about just such an advantage that Waffle House and Home Depot have over the competition. While the article is about supply chain management, it’s still a very interesting read as it applies to IT disaster recovery, and business continuity as a whole.

Visit our LinkedIn page to join the conversation if you’d like, or give us a call to talk about your DR plans and strategies. We have years of DR experience in various industries that can help you be as prepared as possible.

Waffle House, Home Depot cited as examples of emergency preparedness


PCI-DSS 3.2.1 is Here

Recently, the Payment Card Industry (PCI) released an update to their Data Security Standard (DSS), which applies to anyone who accepts credit cards within their organization.  This new release, version 3.2.1, is a minor update to version 3.2, which we've been using for the past two years.  The minor changes are as follows, and should generally come as no surprise:

  1. Some requirements had a "best practice" that wasn't required until February 2018.  Seeing as February has come and gone, those "best practices" are now required.
  2. The appendix has been updated to reflect that migrating off SSL/early TLS (TLS 1.0 and 1.1) is now required, not just recommended.
  3. "Multi-factor authentication" has been removed as an example Compensating Control.  Since multi-factor authentication is now required, it makes sense that it can't also be a compensating control.

What does this mean for you?  In general, if you've been following PCI 3.2 (which you should be), and you implemented TLS 1.2 or 1.3, then nothing has changed.  You can confirm this by going to https://www.ssllabs.com/ssltest/ and testing your site to make sure it no longer accepts SSL, TLS 1.0 or TLS 1.1.  Even if you use a payment gateway such as PayPal to process the actual transaction, PCI still applies if you are passing information to the gateway and back.
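The same protocol check run from your own workstation, as an added example that is not from the original post: it asks the server to negotiate each deprecated version in turn and warns if any succeed. $Target and $Port are placeholders; a "Negotiated = False" result can also mean your client OS has that protocol disabled, so treat SSL Labs as the authoritative answer.

```powershell
# Added example: probe a host for SSL 3.0 / TLS 1.0 / TLS 1.1 support.
param([string]$Target = 'www.example.com', [int]$Port = 443)   # placeholders

function Test-TlsVersion {
    param([string]$TargetHost, [int]$TargetPort,
          [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $TargetPort)
        # Certificate validation is deliberately skipped: the question is only
        # whether the server is willing to speak this protocol version at all.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        return [pscustomobject]@{ Protocol = $Protocol; Negotiated = $true; Cipher = $ssl.CipherAlgorithm }
    } catch {
        return [pscustomobject]@{ Protocol = $Protocol; Negotiated = $false; Cipher = $null }
    } finally {
        $client.Dispose()
    }
}

# PCI DSS 3.2.1 requires migration off SSL and early TLS; only TLS 1.2+ should succeed.
$deprecated = 'Ssl3', 'Tls', 'Tls11'
$results = foreach ($name in $deprecated + 'Tls12') {
    Test-TlsVersion -TargetHost $Target -TargetPort $Port `
        -Protocol ([System.Security.Authentication.SslProtocols]$name)
}
$results | Format-Table -AutoSize

$bad = $results | Where-Object { $_.Negotiated -and ($_.Protocol.ToString() -in $deprecated) }
if ($bad) {
    Write-Warning "$Target still accepts $($bad.Protocol -join ', '): not PCI DSS 3.2.1 compliant."
} elseif (-not ($results | Where-Object { $_.Protocol -eq 'Tls12' -and $_.Negotiated })) {
    Write-Warning "$Target did not negotiate TLS 1.2; check the host, or your own OS's SCHANNEL settings."
} else {
    Write-Host "$Target only negotiates TLS 1.2+: good."
}
```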

If you need more information, or would like advice on how to handle PCI compliance in your environment, give us a call or send us an email.  We'd be glad to help!