Tame the FUD Factor!

Friday, June 28, 2019

Is it SAFE?

Before I click on any link or open a file attachment sent to me via email, I have Déjà vu of the 1976 movie Marathon Man, where Dustin Hoffman was continually asked 'Is it safe?' while being tortured. While clicking on an email link may not be as physically painful, the angst involved can be just as real.

So, how does one determine if a link or file is safe?
  • First is this email from an entity or person you know?  If not, DELETE!
  • If it is a file, were you expecting a file?  If not, DELETE!
  • Is it a shortened URL (like those sent via Twitter or in text messages)?  DELETE!
  • If it is a link, do you really need to click on that link, or is it just another cat video on YouTube? DELETE (ok, I enjoy ICanHasCheezeburger as much as the next guy, but I type in the web address for my fix)
  • If the email is from a financial service provider (bank, Schwab, etc) - the first choice is to open your browser and type in their web address (or use a previously saved shortcut) - or even better, use LastPass to open the website and log you in.

Step 1: Copy the link to your clipboard. To do this, hover your mouse over the link and then RIGHT CLICK (emphasis on RIGHT mouse button click) on the link and select 'Copy'.

Step 2: Open your browser and go to: https://www.virustotal.com
Step 3: Select the URL tab in the center, then click in the 'Search…' box and either press 'CTRL-V' to paste the link you just copied or, right click and select 'Paste…' and then press the ENTER key.

Virus Total (a Google company spinoff) will then check that link against 4+ dozen different scanners. If they do not all come back as ‘Clean’ (the number in the upper Left should be ZERO)– then…DELETE!

For a file attachment do the following:
Step 1: Save the file without opening it to your computer. How you do this can vary based upon your email program, provider – for some, there is a small arrow you click on and select ‘Save As’. In Gmail, if you hover your mouse over the filename, the image will change and a down-arrow will appear to Download the file. Select a location and save the file but DO NOT open it.
Step 2: From the Virus Total website select ‘File’, then click on the ‘Choose file’ button.
When you click on ‘Choose file’ a dialog box will open where you can find and select the file. Click on ‘Confirm Upload’.

After the file is uploaded, Virus Total will check it using 50+ different scanners. If the number in the upper left is not ZERO, then DELETE!

Another useful tool/website that I use for checking links is called URLScan (https://urlscan.io). This works in the same manner as VirusTotal, but it also will show you a thumbnail of the webpage which can be helpful as well as a lot of the technical info to tell what this site is really doing.  
Paste the link into the search box and then click on ‘Public Scan’
The results are really geeky and technical and will look like the following –

This tool contains a lot more technical info that may not be as helpful to most, so start with VirusTotal and if you still have concerns, check it on URLScan.

If this seems a bit inconvenient…it is. That is the nature of security. But the consequences can be much worse.

If a link is not worth the trouble of taking 30 seconds to scan it with VirusTotal, can it really be that important?

Monday, June 17, 2019

Spear Phishing

noun: spear phishing
1.    the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
"spear phishing represents a serious threat for every industry"

The incidence of spear phishing continues to increase. At Henssler, even though our in-bound email is filtered through two different 3rd party services, well-crafted spear phishing attempts can still make it through. Why? Because it is almost impossible for the filters to tell the fake emails from the legitimate.  These emails are simply requests for routine functions that we perform on a regular basis. What set these apart is the criminals have taken the time to get the correct names, and in some cases format the request in a very believable manner.

We have seen multiple incidences of criminals purporting to be clients and employees trying to fool us into wiring money and changing payroll direct deposit accounts. Some of these have been ‘a cut above’ the usual stuff our staff easily identifies as bogus. Fortunately, thanks to regular employee training as well as policies and procedures designed to confirm and verify these type of requests, none have been successful. However, we are always diligent and attempt to learn from each attempt, as the bad guys need only succeed once, whereas we must get it right 100% of the time.

How the criminals obtain access to this information varies, but it shows a level of sophistication much greater than the average email scam artist. What makes this even more disconcerting is there are international gangs that specialize in these tactics, a few of which have been identified by authorities, but prosecution of cybercrime is extremely difficult and the possibility of recovered assets, almost nil.

The simplest and most effective way for you to protect yourself from these type of attempts is also the most old fashioned - simple one to one contact, either in person or via telephone. However, when using the phone, do NOT rely on a phone number that was provided in the suspicious email, instead look up the number separately. For example, if you receive an email purporting to be from a friend, financial or government representative requesting you to send or electronically transfer money, you should independently verify that request using a phone number you have for that individual. If you do not know them well enough to recognize their voice…should you really be sending them money?
One thing these scams tend to have in common is they try to instill a sense of urgency and when pressed, they have excuses why you cannot reach them through your known contact methods. If you think that you would never fall for something like this… so did many of those exploited by these scams every day, totaling an unknown number of billion$ lost by people throughout the world. [the estimated cost of cybercrime worldwide for 2018 was over $600 billion, the true cost can never be calculated as much of it goes unreported and unidentified ]. 

When in doubt, DON’T send it out!