Our support team has seen a few different types of malicious email targeting some of our customers over the last few weeks, so we thought we’d send out a quick update describing them and what you can do to keep them at bay. We have touched on many of these topics in previous blogs, but we felt they were worth reiterating given the increase in these emails over the past few weeks.
Emails targeting your passwords
There is a new type of email going around that uses your own password against you, and we’ve seen a few of these in the last few weeks. The subject line is a password you’ve used in the past (so it immediately gets your attention). The body states that the hacker has your password and all of your contacts, and that unless you pay them they will send supposed footage from your webcam, which you would not want made public, to everyone in your contact list.
The email is bogus. They don’t have webcam footage or your contact list. What they may have is an old email address and password that you used on a site like LinkedIn (which was publicly hacked in 2012 and in 2016, leaking thousands of users’ credentials). Quite a few big public cloud providers have been hacked and had password information leaked onto the internet. Hackers then buy these lists of usernames and passwords and send out emails like this in the hope that you believe them and wire them money. A recent article says there is a list going around with 1.4 billion (yes, you read that correctly) leaked usernames and passwords. You can read more about this new threat here.
If you see an email like this, the first thing to do is check whether your email address and credentials have been leaked in a public cloud provider hack – see details here:
Next – change your passwords so you know they are absolutely secure, especially the password that protects your email. If a hacker can get into your mailbox, they can do a lot of damage.
Third – consider MFA (Multi-Factor Authentication). This is a process where a text or message gets sent to your phone when you log in, providing another ‘factor’ in the login process that confirms it is you, so that only you can access your information. Lucidity can help you enable MFA if you don’t have it turned on already.
Here’s a recent article we published on MFA and an Office 365 technology called Advanced Threat Protection.
Hacking your Office 365 Email Account and putting a forward on to someone else
Leading on from weak passwords (or a password that may now be publicly known), we’ve seen a few cases where a hacker has been able to get into an email account because its username and password are the same as the details exposed in one of the past public security leaks.
The hacker then turns on a forward to another email address, and from then on all your incoming email is syphoned off to the hacker’s address.
Again, make sure your email password is secure and enable MFA if you can. MFA stops this kind of attack from ever happening as the hacker doesn’t have your phone so they can’t receive or intercept the second ‘factor’ in the login process.
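One check we’d suggest alongside the above, as an added example rather than Lucidity’s own tooling: a PowerShell audit of an Exchange Online tenant for mailbox forwarding and inbox rules that point outside the organisation. It assumes the ExchangeOnlineManagement module, an Exchange admin sign-in, and the $internalDomains list shown, which you would replace with your own domains.

```powershell
# Added example (not Lucidity's code): audit an Exchange Online tenant for
# mailbox forwarding and inbox rules that send mail outside the organisation.
# Assumes the ExchangeOnlineManagement module and an Exchange admin sign-in.
# $internalDomains is an assumed value; replace it with your tenant's domains.
$internalDomains = @('example.co.nz', 'example.onmicrosoft.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Mailbox forwarding looks like "smtp:user@domain"; rule recipients look
    # like "Name [SMTP:user@domain]". Internal recipients stored as legacy
    # "[EX:/o=...]" strings carry no "@" and are treated as internal.
    if ($Address -match '([^\s:\[\]<>"]+)@([^\s\]>"]+)') {
        return ($internalDomains -notcontains $Matches[2].ToLower())
    }
    return $false
}

Connect-ExchangeOnline

$findings = @()
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # 1. Mailbox-level forwarding (set via admin tooling or PowerShell)
    if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Source   = 'MailboxForwarding'
            Target   = $mbx.ForwardingSmtpAddress
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # 2. Inbox rules that forward or redirect (set from Outlook or OWA)
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    Source   = "InboxRule '$($rule.Name)' (Enabled=$($rule.Enabled))"
                    Target   = [string]$t
                    KeepCopy = -not $rule.DeleteMessage
                }
            }
        }
    }
}

# A user with no legitimate reason for an external target is a sign the
# mailbox was accessed with a leaked password; review and remove the rule.
$findings | Format-Table -AutoSize
```

Running this on a schedule and keeping the previous output lets you spot a forward the moment it appears rather than after the mail has been syphoned off for weeks.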
Make sure you don’t use the same password all over the place, and that you change it from time to time. I know that’s easier said than done with the many passwords we now need in our digital lives, but your email password is probably one of the most important. If a hacker can get into your email, they can go and reset your other passwords, as password reset requests are generally sent to the user's email.
If you want to discuss the best way to keep your email accounts secure, contact one of our Account Managers – details here: https://www.lucidity.co.nz/contact-us
Phishing Attacks aimed at your Finance Team
We’ve had this one ourselves at Lucidity: the hacker impersonated someone from our management team, emailing our finance team to urgently load a payment for $50k USD. They worked on the premise that the team member had forgotten to mention the payment to the finance team, that it was now urgent, and that we would incur penalties if it wasn’t paid ASAP. In reality, the emails aren’t from anyone at the company; the attacker is impersonating that person, often pretending to email from an internal email address and using the signature of the person they are impersonating.
This attack looks realistic and believable. We strongly suggest that you have a process within your business where more than one person signs off on payment runs, to stop this kind of thing getting through. We notified our bank at the time we received these emails and they said it’s quite common. Horrific really!
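As an added example (not Lucidity’s code) of how a mail admin could triage a suspicious payment request before the finance team acts on it: this PowerShell function reads a message’s raw headers and flags the impersonation signs described above. The internal domain, the executive list and the sample headers are assumed or constructed values for the example.

```powershell
# Added example (not Lucidity's code): triage a message's raw headers for the
# impersonation tricks described above. $internalDomain and $executives are
# assumed values; the sample header block is constructed for this example.
$internalDomain = 'example.co.nz'
$executives = @{ 'jane smith' = 'jane.smith@example.co.nz' }   # name -> real mailbox

function Get-BecIndicators {
    param([string]$RawHeaders)
    # Unfold continuation lines, then index headers by lower-case name
    $h = @{}
    foreach ($line in (($RawHeaders -replace "`r?`n[ \t]+", ' ') -split "`r?`n")) {
        if ($line -match '^([A-Za-z-]+):\s*(.*)$') { $h[$Matches[1].ToLower()] = $Matches[2] }
    }
    $flags = @()
    $fromName = ''; $fromAddr = ''
    if ($h['from'] -match '^\s*"?(.*?)"?\s*<([^>]+)>\s*$') {
        $fromName = $Matches[1].Trim(); $fromAddr = $Matches[2].ToLower()
    } elseif ($h['from']) { $fromAddr = $h['from'].Trim().ToLower() }
    $fromDomain = ($fromAddr -split '@')[-1]
    # 1. A manager's display name in front of a mailbox that is not theirs
    $expected = $executives[$fromName.ToLower()]
    if ($expected -and $expected -ne $fromAddr) {
        $flags += "Display name '$fromName' used with $fromAddr (expected $expected)"
    }
    # 2. Replies quietly routed to a different domain than the From address
    if ($h['reply-to'] -match '([^\s<>"]+@[^\s<>"]+)') {
        $replyDomain = ($Matches[1].ToLower() -split '@')[-1]
        if ($replyDomain -ne $fromDomain) {
            $flags += "Reply-To domain $replyDomain differs from From domain $fromDomain"
        }
    }
    # 3. Claims an internal address but the receiving server could not verify it
    if ($fromDomain -eq $internalDomain -and $h['authentication-results'] -match '(spf|dkim|dmarc)=(fail|softfail|none)') {
        $flags += "Internal From address but $($Matches[0]) in Authentication-Results"
    }
    return $flags
}

# Constructed sample resembling the finance-team lure described above
$sample = @"
From: Jane Smith <jane.smith@example.co.nz>
Reply-To: jane.smith.ceo@freemail-example.com
To: accounts@example.co.nz
Subject: URGENT - overdue supplier payment
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=freemail-example.com; dmarc=fail action=quarantine
"@
Get-BecIndicators -RawHeaders $sample
```

For the constructed sample the function reports the Reply-To mismatch and the failed SPF/DMARC result; any flag at all is reason to confirm the request by phone with the person supposedly sending it.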
The number one thing you can do to protect against weak passwords in your organisation is to enable Multi-Factor Authentication. It’s very easy to use these days, with everyone carrying a mobile device: you can enable a push notification that you click OK on to let yourself in, which is even easier than phone calls or text messages.
Here’s a post we did a few months ago on some of the other internet trickery that our engineers see day to day:
Please consider making MFA a must in your business. It makes a huge difference to how secure your business data is online. Remember, the employee with the weakest password is all that separates your business’s shared files from anyone on the internet. Lucidity enabled MFA across all our accounts some time ago, and it gives our management team peace of mind that one user’s weak password isn’t the only thing standing between our private documents and the internet.