Phishing Emails Disguised as Office365 File Deletion Emails

Phishing Emails Disguised as Office365 File Deletion Emails

Threat Level: High

A recently-discovered phishing scam pretending to be from the “Office 365 Team” is trying to trick users into their log-in credentials.

The alert notifies the user of an unusual volume of file deletions and urges users to review the activity.

When redirected, the users are encouraged to log-in to a page that is hosted on Azure, increasing the perceived legitimacy of the phishing campaign. The hackers have even gone as far as securing the page with a certificate signed by Microsoft.

It’s important to remember that Microsoft login forms will be coming from microsoft.com, live.com, microsoftonline.com, and outlook.com domains only.

If you think you may have been deceived by a phishing scam, it’s important to contact ITonDemand urgently to begin Incident Response.

For more information on avoiding phishing scams, download our phishing infographic below.

PHISHING

Download our infographic and learn how to identify a phishing scam when you see one.

Other Articles You Might Be Interested In:

Data Backups and Disaster Recovery

Data Backups and Disaster Recovery

Data backup is a critical part of an organization’s overall disaster recovery plan. The concept of data backup is simple: you make copies of your data and store them in a different location in case data is lost or destroyed.

read more

ITonDemand was created over a decade ago to help support businesses and organizations IT services.  We kept hearing from businesses, like yours, that they just wanted their IT to work. And that is what we do.  We make your IT work for you.

1423 Powhatan St, Alexandria, VA 22314

233 SW 3rd St, Ocala, FL 34471

info@itondemand.com

800-297-8293

 

Ransomware hit a Michigan Doctor’s Office, The Results were Catastrophic

Ransomware hit a Michigan Doctor’s Office, The Results were Catastrophic

In recent months, hackers have begun targeting doctors offices and hospitals, receiving roughly 34% of all ransomware attacks. In an unprecedented incident, it just cost two doctors their practice.

What happened

Last month, the offices of Brookside ENT in Battle Creek, Michigan, experienced a ransomware attack. The hackers encrypted patient information and demanded a ransom in exchange for a password to decode the information. 

Drs William Scalf and John Bizon decided not to pay the ransom.

The hackers then proceeded to delete all medical records for the patients. The doctors had no record of anything from appointments to surgery results.

Some who had just undergone surgery are having difficulty receiving follow up care because there is simply no record of their surgery.

And because there is no patient schedule the doctors have to wait at their practice for someone to show up. There isn’t even a way to call and inform their patients as there are no phone numbers on record.

Rather than try to rebuild their practice from scratch, Brookside ENT will permanently shut their doors on April 30th, 2019.

It could have been worse.

If the hackers would have been able to view the information, not only would that have resulted in a HIPAA violation on the part of the doctors but it also would have compromised the identity security of all the affected patients.

What other practices can learn

Protect Your Email

91% of all malware originates in an email. Because each email account is a potential vulnerability, it’s important to employ a spam filter as well as provide training to your employees on identifying threats.

“…Education about the risks and preparedness are as important as IT security measures for protecting individuals and assets from cyber attacks,” said Katherine Keefe, Beazley Breach Response Services Head in response to the Brookside Ransomware attack.

Use Endpoint Malware Security

In the event of a ransomware attack, endpoint malware security can block lateral movement. This isolates the attack to a single device rather than encrypting every device on a network.

Endpoint security can also block the ransomware’s download of encryption keys.

Small Business, Big Target

Repeatedly, hackers are targeting small business because they are viewed as easy targets.

61% of all cyber attacks target small business.

This doesn’t have to be the case for your business. ITonDemand offers affordable and scalable IT solutions to partner in the prevention of these types of attacks.

PHISHING

Download our infographic and learn how to identify a phishing scam when you see one.

Other Articles You Might Be Interested In:

Data Backups and Disaster Recovery

Data Backups and Disaster Recovery

Data backup is a critical part of an organization’s overall disaster recovery plan. The concept of data backup is simple: you make copies of your data and store them in a different location in case data is lost or destroyed.

read more

ITonDemand was created over a decade ago to help support businesses and organizations IT services.  We kept hearing from businesses, like yours, that they just wanted their IT to work. And that is what we do.  We make your IT work for you.

1423 Powhatan St, Alexandria, VA 22314

233 SW 3rd St, Ocala, FL 34471

info@itondemand.com

800-297-8293

 

Beware of TrickBot

Beware of TrickBot

Malware attacks are on the rise, but thankfully, so is the vigilance of individuals and IT MSPs.  

However the next big threat is on the horizon. On March 14th, the Cybersecurity and Infrastructure Security Agency, a unit of the Department of Homeland Security, released a report on malware called TrickBot.

What is TrickBot?

“TrickBot is a modular banking trojan that targets user financial information and acts as a dropper for other malware”, said the report. It is using man-in-the-browser attacks to steal the log-in credentials for finance-related sessions.

How it’s working

This malspam is embedding itself in email attachments in familiar formats like Word or Excel documents disguised as accounting reports or invoices. Once opened, the attachment will “prompt the user to enable macros, which executes a VBScript to run a PowerShell script to download the malware.”

It makes sure it is not running in a “sandbox environment” and then attempts to disable your antivirus programs.

Once it has established itself on a device, TrickBot will begin two different attacks.

Redirection attacks send victims to fraudulent banking site replicas when they navigate to certain banking websites. This fake website is hosted on the cyber threat actor’s (CTA) malicious server and harvests the victim’s login information.

A server-side injection intercepts the response from a bank’s server, injects additional client-side code into the webpage, and can steal the victim’s banking credentials through form grabbing. Form grabbing records sensitive information typed into HTML forms, rather than capturing all keystrokes as with a keylogger.

TrickBot is also using the Server Message Block Protocol to spread itself laterally across networks.

What you should do

Prevention
Familiarize yourself and your staff with common phishing tactics. Education is the ultimate end-user security practice. This is a necessity for network security.

For ITonDemand clients, spam filtering and endpoint malware security are in place to secure you from the majority of cyber attacks.

For more information on phishing, download our infographic below.

Incident Recovery

  1. If you think you have been infected, take the device offline as soon as possible. This protects you from any further data loss or further system/network corruption.
  2. Change all passwords from the infected device from a secure device.
  3. Contact the ITonDemand HelpDesk to see what further damage mitigation needs to be done.

For the full white paper issued by CIS, click here.

PHISHING

Download our infographic and learn how to identify a phishing scam when you see one.

Other Articles You Might Be Interested In:

Data Backups and Disaster Recovery

Data Backups and Disaster Recovery

Data backup is a critical part of an organization’s overall disaster recovery plan. The concept of data backup is simple: you make copies of your data and store them in a different location in case data is lost or destroyed.

read more

ITonDemand was created over a decade ago to help support businesses and organizations IT services.  We kept hearing from businesses, like yours, that they just wanted their IT to work. And that is what we do.  We make your IT work for you.

1423 Powhatan St, Alexandria, VA 22314

233 SW 3rd St, Ocala, FL 34471

info@itondemand.com

800-297-8293

 

Does this email smell phishy to you?

Does this email smell phishy to you?

How to identify if an email is a phishing attack

91% of all cyber attacks are delivered through an email. A company of 5,000 employees will receive an estimated 14,400 malicious emails per year.

It’s not abnormal to receive phishing emails. It’s only dangerous if you fall for the bait.  So how can you tell a phishing scam apart from a task that needs attention?

  • Look at the email address
  • Urgency
  • Hover, Don’t Click
  • Vague Pronouns
  • It’s Better to be Safe than Sorry

Look at the email address

This step usually begins by checking for spelling mistakes. They will usually appear as something related to the account they trying to gain access to. A few of my favorites are Oatlook, Paiypal, and Faceboook. Clearly, these aren’t correct but upon delivery in the context of your inbox, you tend to glaze over small pieces like that. Generally, they are small, subtle mistakes.

But even the from field can be manipulated; fairly easily might I add. Using open source software such as PHP Mailer, phishing attackers can manually type in both To and From addresses. When the email is delivered, the recipient will see an email that looks like it’s from the email account listed in the ‘From’ field, regardless of where it came from. It’s really that easy. That is how emails avoid spam filters and end up in your inbox.

Urgency

Phishing uses a false sense of urgency. This is intended to make users take action quickly without much thought to any inconsistencies in the email.

This can often look like “There was unusual activity detected on your account,” or “Your password is expiring today”.

The hope is that you are so concerned with losing access to an account that you make a decision (or mistake), that you wouldn’t normally.

PHISHING

Download our infographic and learn how to identify a phishing scam when you see one.

Hover, Don’t Click

You can examine the URL in question by hovering over a link rather than clicking directly. It will appear in your browser window in the bottom left corner. You can see in the photo to the right.

If it looks questionable, don’t click it and forward it to your security provider or response team.

Vague Pronouns

Mass Phishing Attacks will generally use vague pronouns such as “Valued Customer”. Even mass corporate communications will use your full/correct name.

In more direct, high-value attacks, known as spearphishing, hackers may do deep research to create a seemingly trustworthy email. In this instance, hyper-vigilance is necessary and a trustworthy IT partner to monitor breach detection and incident recovery.

Better Safe than Sorry

If you are worried about something, forward it to your IT team for threat detection. Worst case scenario, we send it back to you saying everything’s fine. If it is malicious, not only will we have secured this threat but also helped to identify any future threats.

Other Articles You Might Be Interested In:

Data Backups and Disaster Recovery

Data Backups and Disaster Recovery

Data backup is a critical part of an organization’s overall disaster recovery plan. The concept of data backup is simple: you make copies of your data and store them in a different location in case data is lost or destroyed.

read more

ITonDemand was created over a decade ago to help support businesses and organizations IT services.  We kept hearing from businesses, like yours, that they just wanted their IT to work. And that is what we do.  We make your IT work for you.

1423 Powhatan St, Alexandria, VA 22314

233 SW 3rd St, Ocala, FL 34471

info@itondemand.com

800-297-8293

 

Office365 “Non-Delivery” Phishing Scam

Office365 “Non-Delivery” Phishing Scam

Below are two emails alleging to be Office365 informing the recipient of undelivered messages.  Can you spot which one is the phishing scam?

 

Email 1

Email 2

If you guessed that Email 1 is the phishing scam, you are correct! 

In a new phishing scam targeting Office365 users, hackers are attempting to steal login credentials to infiltrate business’ systems. When the user clicks “Send Again”, it takes users to a fraudulent Office365 login screen. After the information is entered, the site redirects to outlook, leaving the user believing they are in no danger.

This is an example of a high-level phishing scam. 

Quick Ways to Identify Phishing Scams

1. Always look at the URL

If the URL looks in any way incorrect, don’t enter your account information.

If redirected in this case, the URL on the fraudulent landing page is incorrect.

2. Specificity

Phishing scams will generally omit specific names, addresses, or titles and use phrases like “Dear User”

In this case, the email says “Your messages couldn’t be delivered” rather than “Your message to email@address.com couldn’t be delivered.”

3. Display Name

Make sure that the display name matches the URL from the email.

In the fraudulent email, the address is sent from the URL us.ibm.com, rather than as from Microsoft Outlook. 

What can you do?

“Education and vigilance are the best line of defense against these types of attacks,” said Steve Condit, Director of Partner Development for ITonDemand. Keeping you and your staff informed on what to look for is the most effective way to stay secure. 

If you have fallen victim to this scam, the best course of action is to make sure you change the affected passwords as well as any accounts or applications that may have been connected to the affected email address. 

If you still have concerns on how to keep your business secure, contact us here.

PHISHING

Download our infographic and learn how to identify a phishing scam when you see one.

Other Articles You Might Be Interested In:

Data Backups and Disaster Recovery

Data Backups and Disaster Recovery

Data backup is a critical part of an organization’s overall disaster recovery plan. The concept of data backup is simple: you make copies of your data and store them in a different location in case data is lost or destroyed.

read more

ITonDemand was created over a decade ago to help support businesses and organizations IT services.  We kept hearing from businesses, like yours, that they just wanted their IT to work. And that is what we do.  We make your IT work for you.

1423 Powhatan St, Alexandria, VA 22314

233 SW 3rd St, Ocala, FL 34471

info@itondemand.com

800-297-8293

 

5 steps to protect yourself from phishing scams on Cyber Monday

5 steps to protect yourself from phishing scams on Cyber Monday

 

Cyber Monday is filled with online deals on products and electronics.  But did you know, Cyber Monday poses the biggest security threat to your data through phishing scams?

 

Opportunistic hackers regularly use heavy online days, like Cyber Monday, to launch phishing scams. 

Here are 5 steps to protect yourself:

 

Don’t Click That Link

Refrain from clicking any links or download any attachments in the suspicious email. Instead, open up your web browser and go to the website in question by typing it into the URL bar.

 

Read The URL

Phishers are known to use company logos and write in a matter that seems legit.  The URL link often times will be very close to the actual site URL with a minor misspelling or change.  If you notice a link that is close but not quite right you could be redirected to a spoofed domain.

 

Never respond to validate your account without you initiating

If you receive an email asking you to validate a login or account, don’t. If you did not initiate a password reset or account validation then you should not receive communication.  If you are still concerned, go to the site in your browser and log in with your credentials.

 

Never open account login email on a public wifi

Information sent through public wifi is highly susceptible to rerouting.  This means a user may think they are logging into a site.  Instead, a user may be rerouted to a duplicate site where their login information is captured.

 

If you can validate verbally

Many sites are now allowing you to confirm your login or credential changes over the phone.  This is used to protect users from the previously listed dangers.  If this option is available to you, use it.

 

All in all, vigilance will save you the headaches and pain of having your accounts hacked.  Your MSP can and should protect your business.  However, there are still precautions you should take to keep your data secure.

 

PHISHING

Download our infographic and learn how to identify a phishing scam when you see one.

Other Articles You Might Be Interested In:

Data Backups and Disaster Recovery

Data Backups and Disaster Recovery

Data backup is a critical part of an organization’s overall disaster recovery plan. The concept of data backup is simple: you make copies of your data and store them in a different location in case data is lost or destroyed.

read more

ITonDemand was created over a decade ago to help support businesses and organizations IT services.  We kept hearing from businesses, like yours, that they just wanted their IT to work. And that is what we do.  We make your IT work for you.

1423 Powhatan St, Alexandria, VA 22314

233 SW 3rd St, Ocala, FL 34471

info@itondemand.com

800-297-8293