Phishing attacks are getting more sophisticated. In this case many of our clients received a phishing email from multiple compromised accounts that used OneDrive to get around spam filters. We ignored all the red flags and clicked our way through the threat so you could see what happens.
OneDrive Insurance Phishing Scam
This Friday (4/26/19) we investigated a phishing campaign for one of our insurance clients and quickly learned that it spanned at least two other CNY-area insurance companies. For that reason Jim and I thought it was appropriate to blast out an ad-hoc "alert" to all of our insurance contacts.
Details
Here's what we know so far:
It appears that the email accounts of some of our local insurance colleagues have been compromised
The attackers then send the phish to everyone in the compromised user's address book (mostly insurance colleagues)
The email is a genuine file-share notification from Microsoft's OneDrive, which is why it gets past spam filters
The incredible thing is that in at least one case the file being shared is named "3rd Party Service Provider"
The text of the email is short and sweet, something like "please open the document"
You have been BCC'd; in other words, the "From" and "To" addresses are both the sender's own
In this case, "Think, Don't Click"
Here is a sample:
What if I clicked?
If you only clicked the OneDrive link, you're probably OK. The OneDrive link takes you to a PDF hosted in OneDrive, and that PDF contains the real phishing link.
However, if you clicked the link inside that PDF, you might be in trouble!
If you clicked the link inside the PDF:
Change your email password immediately. A password change alone does not end sessions an attacker already has open, so if your IT staff can sign you out of all active sessions, ask them to.
If it's been more than, say, 30 minutes, assume the account may already have been used and have it checked for signs of intrusion.
Either call us immediately, call your IT support staff, or check the following:
Check your Sent Items for emails you didn't send
Check your Deleted Items for emails you didn't send
In Outlook, click "Recover" at the top of your Deleted Items folder and check whether there are emails you didn't send
If the recoverable deleted items list is empty, you've probably got a problem: an attacker covering their tracks deletes the mail they sent and then purges the recoverable copies
In Outlook, click "File", then "Manage Rules & Alerts", and check for rules you didn't create
In Outlook, click "File", then click the link next to Account Settings that says "Access this account on the web"
Once there, make sure the "new Outlook" slider in the upper-right corner is on
Then click the settings "gear"
Click "View all Outlook settings" at the bottom
Click "Forwarding"
Ensure your email isn't being forwarded anywhere you don't recognize
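The same checks can be run from the administrator's side against Exchange Online, which also lets you see who changed the rules or forwarding and from which address. The script below is an added example, not part of the original alert. It assumes the ExchangeOnlineManagement PowerShell module is installed, that you sign in as an Exchange administrator, and that the mailbox address you pass in is the suspect's; it also pulls the unified audit log (which must be enabled in the tenant) for the last week of rule changes and logins.

```powershell
# Added example, not part of the original advisory. Assumes the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an Exchange administrator sign-in.
# $Mailbox is a placeholder; pass the address of the mailbox you suspect was phished.
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox,                # e.g. agent@example-insurance.com (placeholder)
    [int]$LookbackDays = 7
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Inbox rules. Attackers add rules that delete, move or forward mail so the victim
#    never sees the bounces and "did you send this?" replies from their contacts.
Write-Host "== Inbox rules for $Mailbox =="
Get-InboxRule -Mailbox $Mailbox |
    Select-Object Name, Enabled, DeleteMessage, MoveToFolder, MarkAsRead,
                  ForwardTo, ForwardAsAttachmentTo, RedirectTo |
    Format-Table -AutoSize

# 2. Mailbox-level forwarding. This is set with Set-Mailbox and does not appear as an
#    inbox rule; it is what the OWA "Forwarding" page shows.
Write-Host "== Mailbox forwarding =="
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# 3. Folder counts. Sent Items and Deleted Items are where unexpected mail shows up.
#    Deletions and Purges (under Recoverable Items) being empty on an active mailbox
#    is the "purged to cover tracks" sign described above.
Write-Host "== Folder counts =="
Get-MailboxFolderStatistics -Identity $Mailbox |
    Where-Object { $_.FolderPath -in '/Sent Items', '/Deleted Items' } |
    Select-Object FolderPath, ItemsInFolder, FolderSize | Format-Table -AutoSize
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Where-Object { $_.FolderPath -in '/Deletions', '/Purges' } |
    Select-Object FolderPath, ItemsInFolder, FolderSize | Format-Table -AutoSize

# 4. Unified audit log: rule and forwarding changes plus logins, with the client IP
#    (Azure AD login records carry ClientIP, Exchange records carry ClientIPAddress).
Write-Host "== Audit log, last $LookbackDays days =="
$start = (Get-Date).AddDays(-$LookbackDays)
Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -UserIds $Mailbox -ResultSize 1000 `
        -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox, UserLoggedIn |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time       = $_.CreationDate
            Operation  = $_.Operations
            ClientIP   = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
            Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Sort-Object Time | Format-Table -AutoSize -Wrap

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Check-Mailbox.ps1 -Mailbox agent@example-insurance.com`. Anything you did not create gets removed with `Remove-InboxRule -Mailbox <address> -Identity <rule name>` and `Set-Mailbox -Identity <address> -ForwardingSmtpAddress $null`, and a login from an unfamiliar IP in step 4 is the cue to sign the user out of every session (Revoke-MgUserSignInSession in Microsoft Graph PowerShell, or "Sign out of all sessions" in the admin center) in addition to changing the password.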
Stay safe and have a good weekend. If you have questions please contact us, we're here to help!
Check your Antivirus
We've been involved with multiple organizations in the past three weeks that have responded to a serious security incident made worse by a lack of up-to-date antivirus. Each case took a very different turn:
one required significant effort by the company, their IT vendor, and a forensic analysis by CDI;
the second is looking at roughly $100,000 in lost business and professional remediation services;
a third instance cost a hospital about 80 hours of IT work and countless hours of lost productivity;
and the fourth business is trying to figure out how to pay $30,000 in Bitcoin, and how to stay in business.
The Common Threads
In each of these four cases, the company had premium, traditional antivirus from a reputable vendor. However, in each case at least one system, and in some cases many, was not properly protected. During the investigations we found systems with no antivirus and systems with out-of-date antivirus. In one case the licensing had expired and the company was no longer receiving updates.
In all four cases, antivirus did not protect the systems and did not detect the issue. In two of the cases, Security Information and Event Management (SIEM) solutions detected and alerted on the problem AS IT HAPPENED. In the other two cases, hours or even days went by before someone noticed.
In almost every case, an email phishing attack was the culprit. This reinforces the cliche that you're only as strong as your weakest link.
What you should do
Here’s a checklist you should perform right now, before it’s too late:
Verify that your antivirus is licensed and up to date
Check every computer, especially your servers, to make sure that antivirus is enabled for real-time protection and is up to date
If you have more than 10 PCs or servers you should have a centrally managed antivirus solution that lets you see whether everything is up to date and protected (Symantec, TrendMicro and Sophos Central are good options).
Always PAY for antivirus. Free antivirus isn't good enough. Trust us, your business depends on it.
Run Windows Updates
Again, if you have more than 10 machines, you should be using Windows Server Update Services (WSUS) or a similar product to centrally manage Windows updates (WSUS is a free role included with Windows Server!)
Remind every employee of the importance of using caution with emails and potentially dangerous websites. Limit casual web browsing.
Check your backups! Test that you can restore data.
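To make the "check every computer" items concrete, here is an added example of a per-machine protection check in PowerShell; it is not part of the original post. It assumes the machine runs Microsoft Defender Antivirus (the Get-Mp* cmdlets) so it can read real-time protection state and signature age directly; a third-party product such as the ones named above registers itself with Windows Security Center instead, so the script also lists whatever is registered there. The 3-day signature and 45-day patch thresholds are assumptions you should adjust.

```powershell
# Added example, not from the original post. Assumes Microsoft Defender Antivirus;
# third-party products are only listed (step 2), not evaluated. Thresholds are assumptions.
param(
    [int]$MaxSignatureAgeDays = 3,
    [int]$MaxPatchAgeDays = 45
)

$problems = @()

# 1. Defender: engine on, real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.AntivirusEnabled)          { $problems += 'Defender antivirus engine is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $problems += 'Real-time protection is off' }
    $sigAge = $mp.AntivirusSignatureAge     # days since the last signature update
    if ($sigAge -gt $MaxSignatureAgeDays)   { $problems += "Signatures are $sigAge days old" }
} else {
    $problems += 'Defender cmdlets unavailable (third-party AV in charge, or Defender removed)'
}

# 2. Products registered with Windows Security Center. The root/SecurityCenter2
#    namespace exists on workstation editions only, not on Windows Server.
$registered = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if ($registered) {
    Write-Host '== Registered antivirus products =='
    $registered | Select-Object displayName, productState, timestamp | Format-Table -AutoSize
} else {
    Write-Host 'No AntiVirusProduct registered in SecurityCenter2 (normal on Windows Server)'
}

# 3. Patch age: days since the most recently installed update.
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastPatch) {
    $patchAge = (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
    if ($patchAge -gt $MaxPatchAgeDays) { $problems += "Last update ($($lastPatch.HotFixID)) was installed $patchAge days ago" }
} else {
    $problems += 'No installed update found'
}

# Summary: non-zero exit code so a scheduled task or RMM tool can flag the machine.
if ($problems) {
    Write-Host "$env:COMPUTERNAME: NOT OK"
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
} else {
    Write-Host "$env:COMPUTERNAME: OK (signatures $sigAge days old, last patch $patchAge days ago)"
}
```

On a domain you can run the same script against every machine at once with `Invoke-Command -ComputerName (Get-ADComputer -Filter *).Name -FilePath .\Check-Protection.ps1` and read off which hosts report NOT OK; that is the view a centrally managed product gives you for free, which is why the checklist recommends one once you pass 10 machines.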
Over the next few weeks you should:
Look into “Next Generation Anti-Malware” products. These provide additional coverage beyond what the “traditional” antivirus companies provide
Malwarebytes, Sophos Intercept X, Carbon Black, etc. all fall into this category
Perform phishing exercises and security awareness training
Call Cyber Defense if you are interested in such a product/service
Review, update, and tabletop your incident response plan
Get a copy of your backups off site. Preferably 30 miles away or more.
Call Cyber Defense with any questions. We’re here to help prepare you for a big incident, but can get you started if something bad does happen.
Hurricane Florence and Disaster Recovery Planning
As Hurricane Florence is set to smash into the Carolinas today, it may have you thinking about how your business would fare in an unexpected disaster. Even if it didn't, it sure crossed our minds.
Some businesses have a strong record of surviving disasters, even using it as a competitive advantage. Below is a link to a 2011 article about just such an advantage that Waffle House and Home Depot have over the competition. While the article is about supply chain management, it's still a very interesting read as it applies to IT disaster recovery, and to business continuity as a whole.
Visit our LinkedIn page to join the conversation if you’d like, or give us a call to talk about your DR plans and strategies. We have years of DR experience in various industries that can help you be as prepared as possible.