Security Bulletin Archives - Tarheel Media Digital Marketing

Breaking News: Web Service Scandal Unfolds with Polyfill.io and Cloudflare

Mike W. — Fri, 28 Jun 2024 14:03:22 +0000

Polyfill.io supply‑chain incident: what happened

In the past few days a supply‑chain incident involving Polyfill.io disrupted a large number of websites. Polyfill.io, a service that delivers small JavaScript polyfills to add missing browser features, allegedly distributed suspicious code that injected into many sites. Some reports estimate the impact reached more than 100,000 domains. Operators and investigators took the Polyfill.io domain offline while they responded.

How Cloudflare responded

Cloudflare moved quickly to reduce exposure. The company replaced references to Polyfill.io with a secure mirror served through cdnjs and has said it never recommended Polyfill.io. Cloudflare’s action reduced the risk of further automatic propagation through CDNs and reverse proxies.

Polyfill.io’s response and ownership concerns

Polyfill.io has publicly disputed the allegations. At the same time, reporting shows the project was in the process of being acquired by a Chinese firm, which raised additional concern because of that buyer’s reported ties to the Chinese government. Polyfill.io’s public statement is here: https://twitter.com/Polyfill_Global/status/1805923380857897277.

Who this affects

We do not use Polyfill.io, so our systems were not directly dependent on it. However, sites that relied on CDNs, reverse proxies, or other intermediaries sometimes received Polyfill.io assets even if the site owner never included them directly. That’s why some organizations saw collateral impact despite not calling Polyfill.io in their own code.

What you should do now

Remove any references to Polyfill.io from your projects and replace them with a trusted alternative. Cloudflare’s cdnjs mirror offers a non‑breaking option that serves the same polyfill content. Also audit other third‑party front‑end dependencies, and prefer self‑hosting critical libraries or pinning and hosting copies you control when practical.

Offer of help and next steps

If you want assistance locating or replacing Polyfill.io references, or if you’d like a broader audit of third‑party scripts and CDNs, we can help. We will continue to monitor the situation and share verified updates as more information becomes available

The post Breaking News: Web Service Scandal Unfolds with Polyfill.io and Cloudflare appeared first on Tarheel Media Digital Marketing.

Email Phishing Alert

Mike W. — Mon, 10 Jun 2024 19:34:00 +0000

This morning after a report made by a customer, we have concluded that there is a wide-spread attempt to exploit login credentials from users of WordPress sites that are using their email address as their username (which is the default for any kind of 3rd party login).

It would seem the more popular we get, the more scammers and fraudsters target us and our customers.

The best defense for these attacks is to be informed and in effort to do just this, we will take you through 5 steps to take when getting a suspicious email claiming to be from your WordPress site or your vendor’s WordPress site.

1

CHECK SERVER MESSAGES

Most emails attempting to steal your username and password will fake the email and many email servers will alert you of this. Google and our own email servers will generally classify these emails as spam.

2

LOGIN MANUALLY – ALWAYS

When you get an email from your WordPress website asking you to login; go to your website manually and do not use any links included in that email (except for password resets).

3

RESETTING YOUR PASSWORD

Your WordPress website will NEVER prompt you to reset your password out of nowhere unless someone is trying to break into your website. Simply ignore the email if it is unexpected. If you have forgotten your password, visit the login page of your WordPress website and click “Forgot Password” and follow the instructions there.

4

CHECK UNIFORMITY

Most WordPress websites have the same “from” email address and name. If you notice that this changes, it usually means someone is attempting to mimic your website. Ignore the email and instruct your customers to ignore the email.

5

THE SMELL TEST

If it doesn’t pass the smell test, contact us. We’ll help you figure out whether or not something is very wrong with your website, or if someone is trying to steal your (or your customer’s) login credentials.

We are constantly striving to improve the security for our customers and their customers. If you have any questions or suggestions, please do not hesitate to reach out to us.

The post Email Phishing Alert appeared first on Tarheel Media Digital Marketing.

FBI WARNING: Dangerous new email scam

Mike W. — Sun, 02 Jun 2024 05:30:05 +0000

We issued a security bulletin back in October of 2023 which covered one of our customers who had their Microsoft account and emails compromised which led to a scammer to send out emails on behalf of that company and request invoices and all sorts of financial data from their customers, including banks.

SECURITY BULLITEN: Phishing Fraud and Account Security

As it turns out, this has now become a very big deal, even Linus and other popular YouTubers are sounding the alarms with the FBI issuing a new warning about this scam and a scam that uses the exact same tactics to appear as if someone is sending email from the FBI, itself.

For privacy reasons YouTube needs your permission to be loaded. For more details, please see our Privacy Policy.

How does this scam work?

This scam works by an attacker first compromising the email of a victim, usually a business owner or someone very high up in that business that other victims wouldn’t generally question. They sit and watch how they conduct business and then will very closely mimic language and regiments of that business owner or business person.

Once they have enough information to construct a conversation that would appear to be exactly that person, they attack by sending out emails requesting money or private information (PII) which helps them collect money in fraudulent bank accounts from other victims.

What we have done

The attack on our customer only happened through Microsoft because it cannot happen on our servers. We are using both SPF and DMARC DNS records for our email services which specifically lets other email providers know when there is something wrong – that is someone who sent out an email that did not physically come from the IP address listed in those records. Unless the receiving provider doesn’t check these records, it is an impossibility for someone to get an email from one of our customers and not know something is amiss.

Otherwise, there isn’t much we can do further until other technologies develop.

The post FBI WARNING: Dangerous new email scam appeared first on Tarheel Media Digital Marketing.

Important Update: Let’s Encrypt SSL Certificate Changes Affecting Device Compatibility

Mike W. — Sat, 16 Mar 2024 01:23:38 +0000

At Tarheel Media, we prioritize the security and functionality of your websites. That’s why we’re reaching out to inform you of an upcoming change that could impact the compatibility of Let’s Encrypt SSL certificates with certain devices.

Let’s Encrypt, a trusted provider of free SSL certificates, has been issuing certificates through two chains: the ISRG Root X1 chain and the ISRG Root X1 chain cross-signed by IdenTrust’s DST Root CA X3. The cross-signed chain has been crucial in ensuring widespread trust for Let’s Encrypt certificates across various devices.

However, Let’s Encrypt is now making a vital change that may affect the compatibility of these certificates. Specifically, they are removing the root from the trust store, which could result in older devices – such as those running Android 7 – being unable to use or trust these certificates.

This change is significant as it may impact the security and accessibility of websites, especially for users accessing them from devices that rely on the now-unsupported chain. We understand the importance of ensuring seamless browsing experiences for all users, which is why we want to bring this update to your attention.

As your trusted web development partner, we are here to assist you in navigating through these changes. If you have any concerns or questions regarding your SSL certificates and their compatibility, please don’t hesitate to reach out to us. Our team is dedicated to ensuring that your websites remain secure and functional for all users, regardless of device compatibility challenges.

We appreciate your attention to this matter and your continued trust in Tarheel Media for your web development needs.

The post Important Update: Let’s Encrypt SSL Certificate Changes Affecting Device Compatibility appeared first on Tarheel Media Digital Marketing.

SECURITY BULLITEN: Phishing Fraud and Account Security

Mike W. — Tue, 03 Oct 2023 11:40:51 +0000

We were alerted yesterday that one of our customers local to Goldsboro, North Carolina had been targeted in a very sophisticated and elaborate phishing scam. Phishing is a fraud that consists of targeting a victim into thinking they are communicating or interacting with a legitimate company in an effort to steal sensitive data such as passwords, financial data, or any other data that in some way benefits the attacker.

As we are aware of this situation, the fraudster contacted our customer masquerading as one of their customers, and when our unsuspecting customer tried downloading an attachment they were asked to enter their Microsoft login details to download the file. Upon doing so, it took only seconds for the pre-programmed bot the fraudster already had in place to login to our client’s Microsoft account and download all the data it could before the customer was notified by Microsoft of a suspicious login.

This kind of breach is the most dangerous because it is a breach into everything on the computer and connected with that Microsoft account including the very login to that PC as Microsoft now requires that all PC logins be “online” and connected to Microsoft’s website.

There are far more implications as well. Because Outlook is also connected to your Microsoft account and login details to our servers are saved in your Outlook, this breach could have also been a breach into our mail server limited and localized to the customer’s email account. That meant the fraudster now could have had access to every email the customer had ever sent to their clients.

Soon after the breach that went unnoticed by the customer, the fraudster created a domain name that mimicked the customer’s domain name. Imagine for a moment if your company’s domain name was “google.com”, and the fraudster registered “google.co” and began emailing the customers of our customer pretending to be our customer. The sophistication of this act was far greater than any breech we’ve been told about to date and we’ve seen some very sophisticated breeches from local businesses right here in Goldsboro.

The fraudster very tediously mimicked everything about the company including the owner’s constant carbon copying of his son in every email, but of course, his son never got that email because it was carbon copied to “sons-name@google.co”.

After 2 weeks of gaining our customer’s customers trust, the fraudster made their move and began requesting the invoices be paid via ACH Debit. One of those customers of our customers reached out to our customer and wanted to know why they could no longer pay their invoices via check. The jig was up when our customer learned that emails were being received he didn’t send.

This is the point I was called. The customer believed that their email had been hacked. We quickly traced this breach back to the Microsoft breach from the phishing email and even found that our own email servers were too hardened for the attacker to break into even with the username and password through Outlook. Instead of logging directly into our email server, they had to resort to creating their own domain name to send emails from.

We want people to be very aware of how these scams work. As you read, paying close attention to the domain name is the best defense against phishing of any kind. Today, it is very hard to deliver email to a domain the email did not come from in an authorized manner because of SPF records, DMARC records, and other security features on DNS servers that alert mail servers to what IP addresses are authorized to send email from that domain name. Our servers are equipped with these security features as well as errant login detection that stops logins that doesn’t seem to be within the norms of a customer’s geographical location for logins. This has proven to be a valid defense which is why the fraudster was unable to login with the customer’s credentials. We are well aware that customers have complained about the minor inconveniences this has seldomly caused, but this security feature really did pay off in a big way in the past few weeks.

In hindsight, it’s always great to go over what went right and what went wrong; the basics of after-action problem solving that I was all too acquainted with from my time in the US Army. This could have been anyone and the likelihood of this happening to someone in the future is many orders higher than you even think – it’s 100%. Don’t think about “if it happens” think about “when it happens”. In this case, the customer made the right call to get help and that should be your first step. Upon contacting us, we’re going to step you through this process, the same process we have outlined in our company policy if we are ever breached:

STOP THE BREACH

Changing passwords, logging out unauthorized users, and securing all of your accounts are essential and nothing else matters until this is completed. I cannot express how important it is to secure the breach before doing anything else at this point, you must shut down the attacker’s access to your company or everything that follows becomes a circular event.

ALERT YOUR CUSTOMERS

It is not only the right thing to do, it is the law. Let your customers know you experienced a data breach and exactly what information you suspect “could have been” obtained – even if there is the slightest chance they got a credit card number, you need to let those customers know “your financial data may have been exposed”. In a situation like what was experienced in this article, education is the best defense and the only immediate way of stopping it. Educating your customers on how to identify a phishing email stops the fraudster’s ability to phish.

ALERT AUTHORITIES

The North Carolina State Attorney General’s office has a hotline specifically for this: 1-877-5-NO-SCAM

ALERT SERVICE PROVIDERS

Filing abuse reports and DCMA takedowns outright disables any further progress from the fraudster. We in addition to a normal abuse report, include a “Letter of Preservation” which notifies the service provider of the fraudster to SAVE ALL DATA associated with that account before deleting it in case the NC Department of Justice prosecutes it. We will file these for our customers, especially if we have active contracts on hand as they allow us and give us the legal authority to do so (a quasi- and very limited power of attorney in these situations).

Note: Our timely abuse reports and DMCA takedowns in this case resulted in total shut-down in less than 6 hours.

REGISTER SIMILAR DOMAINS

In this situation, specifically registering the .co variant to the domain name would have outright prevented this kind of attack on our customer and their customers. This could be a $200 per year expense but it is far cheaper than the liability that could have been caused. We are more than willing to sit down with any customer and go through the variants that should be registered to help prevent an event like this from happening.

EDUCATE YOUR EMPLOYEES

As I said in alerting your customers, education is key, but not just the education of your customers. Ensuring that your employees know how to identify a phishing email effectively removes the most common vector of attack substantially reducing the risk of future breaches of any kind. We will be happy to offer a proactive service to any company to spot-check your employees to see if they can be tricked by a controlled phishing email – an email that does not legitimately represent your company but does not leak data other than to alert someone in your company that the particular employee was tricked and needs to be educated on how to identify these emails.

If you have any questions on this article or on how best to secure your company in data breaches, please visit our support center or call 919-648-1333 option 1.

Copyright Notice EXCLUSIVE to this article: All content and photos in this article may be copied for the purpose of news, awareness, or education so long as it is clear that MLW & Associates, LLC, Tarheel Media’s parent company maintains the copyrights.

The post SECURITY BULLITEN: Phishing Fraud and Account Security appeared first on Tarheel Media Digital Marketing.

Safeguard Your Digital Fortress: The Importance of Website Security

Michael Gilmore — Sat, 20 May 2023 09:32:57 +0000

In today’s digital landscape, where businesses heavily rely on their online presence, website security has become paramount. The rise in cyber threats and the ever-evolving tactics of hackers underscore the importance of safeguarding your digital fortress. In this blog post, we’ll explore why website security is crucial and shed light on why hackers relentlessly target websites.

Protecting Your Valuable Assets

Your website is more than just a virtual storefront; it’s a hub of valuable assets. From customer data and financial information to proprietary business secrets, your website holds sensitive data that can be a goldmine for hackers. Implementing robust security measures ensures the protection of these valuable assets and safeguards your business’s reputation.

Preserving User Trust

Customers expect their online interactions to be secure and their information to be handled responsibly. A security breach can severely damage the trust your users have placed in your business. By prioritizing website security, you demonstrate your commitment to safeguarding their data, fostering trust, and encouraging continued engagement.

Avoiding Costly Downtime

A compromised website can lead to prolonged downtime, which translates into lost revenue, missed opportunities, and dissatisfied customers. Hackers may exploit vulnerabilities to disrupt your website’s functionality or install malicious code that disrupts operations. Proactive security measures help minimize the risk of such incidents, ensuring uninterrupted business continuity.

Preventing Data Breaches

Data breaches have become an all-too-common occurrence, with severe consequences for businesses. Hackers exploit vulnerabilities to gain unauthorized access to databases, compromising sensitive customer information. Such breaches can result in legal consequences, financial penalties, and irreparable damage to your brand’s reputation. Robust security protocols act as a shield against data breaches, reducing the risk of costly fallout.

Thwarting Malicious Intent

Hackers have various motivations for targeting websites, ranging from financial gain to political activism or simply causing chaos. They may inject malware, deface webpages, or steal sensitive information for their nefarious purposes. By bolstering your website security, you actively thwart their attempts and create a formidable barrier against malicious intent.

Staying One Step Ahead

Cyber threats are constantly evolving, with hackers employing sophisticated techniques to breach security defenses. Regularly updating and maintaining your website’s security protocols allows you to stay one step ahead of potential threats. By keeping pace with the latest security standards, you ensure your website remains resilient against emerging vulnerabilities.

Conclusion

Investing in website security is not an option but a necessity in today’s digital landscape. By prioritizing security, you protect your valuable assets, preserve user trust, avoid costly downtime, prevent data breaches, and thwart malicious intent. Stay proactive, leverage robust security measures, and work with experienced professionals to fortify your digital fortress against ever-present threats. Remember, safeguarding your website is an ongoing commitment that helps safeguard your business’s future.

The post Safeguard Your Digital Fortress: The Importance of Website Security appeared first on Tarheel Media Digital Marketing.

Outdated WordPress Plugins make 60,000 Websites Vulnerable

Michael Gilmore — Wed, 17 May 2023 18:27:20 +0000

The security firm, Cyllective, identified around 5,000 plugins on WordPress.org that contained various security exploits such as SQL Injections. The Penetration Testing Team lead, Dave Miller said what started as a random experiment turned into a treasure trove for hackers. Once they started the experiment, they were quickly surprised at how relaxed the security was on WordPress.org’s repository in allowing old and exploitable plugins to remain and be installed.

If that wasn’t bad enough, Dave’s team came across remote code execution vulnerabilities or RCE’s. RCE’s are usually where bad code allows an attacker to gain administrative or super-user privileges and entirely take over a website or the entire information system.

Dave’s team, however, focused in on the SQL injections – a way of appending your own SQL query from code that does not escape its $_POST variables which is the variable where the stuff you submit to a website is stored. After just 3 months of research, Dave’s team found a staggering 35 plugins that had already been exploited by unauthorized users or hackers. While 35 sounds like a low number, those 35 plugins were in operation and were exploited on over 60,500 WordPress websites.

“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these were not the most devastating ones,” Dave said.

“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”

Dave explained that this would allow an attacker to create their own administrator account and entirely take over the WordPress website. Dave went on to say that he hopes this research forwards the ability to quickly identify security exploits in the future and minimize website intrusions.

After dealing with these WordPress Plugins and WordPress.org a pretty heavy blow, Dave did applaud the WordPress team for how well the disclosure process went in allowing Dave’s team to reach out and get these updates out there to these vulnerable websites that desperately needed it.

The post Outdated WordPress Plugins make 60,000 Websites Vulnerable appeared first on Tarheel Media Digital Marketing.

Increased Attack Rates

Mike W. — Thu, 08 Dec 2022 13:02:43 +0000

We’re observing an increased attack rate of brute force attacks against client email and WordPress accounts.

We began to see an uptick in brute force attacks Monday, December 5, 2022 at about 3:40 am. These attacks begin subsiding around 7:00am. These attacks increased in intensity by about twice the rate of Monday’s attack on Wednesday morning and lasted throughout the night Thursday Morning.

OUR ADVISORY

Please change your WordPress “Display Name” to something other than your username. If your login is ‘iplaybb’ ensure your display name is ‘John Doe’ and not ‘iplaybb’. These attacks on WordPress seem to attempt to use the display name as the login.
Please be sure to change your passwords regularly to something that is not easily guessed and ensure it does not contain a common word or phrase.

The post Increased Attack Rates appeared first on Tarheel Media Digital Marketing.