Email Phishing Alert

Mike W. — Mon, 10 Jun 2024 19:34:00 +0000

This morning after a report made by a customer, we have concluded that there is a wide-spread attempt to exploit login credentials from users of WordPress sites that are using their email address as their username (which is the default for any kind of 3rd party login).

It would seem the more popular we get, the more scammers and fraudsters target us and our customers.

The best defense for these attacks is to be informed and in effort to do just this, we will take you through 5 steps to take when getting a suspicious email claiming to be from your WordPress site or your vendor’s WordPress site.

1

CHECK SERVER MESSAGES

Most emails attempting to steal your username and password will fake the email and many email servers will alert you of this. Google and our own email servers will generally classify these emails as spam.

2

LOGIN MANUALLY – ALWAYS

When you get an email from your WordPress website asking you to login; go to your website manually and do not use any links included in that email (except for password resets).

3

RESETTING YOUR PASSWORD

Your WordPress website will NEVER prompt you to reset your password out of nowhere unless someone is trying to break into your website. Simply ignore the email if it is unexpected. If you have forgotten your password, visit the login page of your WordPress website and click “Forgot Password” and follow the instructions there.

4

CHECK UNIFORMITY

Most WordPress websites have the same “from” email address and name. If you notice that this changes, it usually means someone is attempting to mimic your website. Ignore the email and instruct your customers to ignore the email.

5

THE SMELL TEST

If it doesn’t pass the smell test, contact us. We’ll help you figure out whether or not something is very wrong with your website, or if someone is trying to steal your (or your customer’s) login credentials.

We are constantly striving to improve the security for our customers and their customers. If you have any questions or suggestions, please do not hesitate to reach out to us.

The post Email Phishing Alert appeared first on Tarheel Media Digital Marketing.

SECURITY BULLITEN: Phishing Fraud and Account Security

Mike W. — Tue, 03 Oct 2023 11:40:51 +0000

We were alerted yesterday that one of our customers local to Goldsboro, North Carolina had been targeted in a very sophisticated and elaborate phishing scam. Phishing is a fraud that consists of targeting a victim into thinking they are communicating or interacting with a legitimate company in an effort to steal sensitive data such as passwords, financial data, or any other data that in some way benefits the attacker.

As we are aware of this situation, the fraudster contacted our customer masquerading as one of their customers, and when our unsuspecting customer tried downloading an attachment they were asked to enter their Microsoft login details to download the file. Upon doing so, it took only seconds for the pre-programmed bot the fraudster already had in place to login to our client’s Microsoft account and download all the data it could before the customer was notified by Microsoft of a suspicious login.

This kind of breach is the most dangerous because it is a breach into everything on the computer and connected with that Microsoft account including the very login to that PC as Microsoft now requires that all PC logins be “online” and connected to Microsoft’s website.

There are far more implications as well. Because Outlook is also connected to your Microsoft account and login details to our servers are saved in your Outlook, this breach could have also been a breach into our mail server limited and localized to the customer’s email account. That meant the fraudster now could have had access to every email the customer had ever sent to their clients.

Soon after the breach that went unnoticed by the customer, the fraudster created a domain name that mimicked the customer’s domain name. Imagine for a moment if your company’s domain name was “google.com”, and the fraudster registered “google.co” and began emailing the customers of our customer pretending to be our customer. The sophistication of this act was far greater than any breech we’ve been told about to date and we’ve seen some very sophisticated breeches from local businesses right here in Goldsboro.

The fraudster very tediously mimicked everything about the company including the owner’s constant carbon copying of his son in every email, but of course, his son never got that email because it was carbon copied to “sons-name@google.co”.

After 2 weeks of gaining our customer’s customers trust, the fraudster made their move and began requesting the invoices be paid via ACH Debit. One of those customers of our customers reached out to our customer and wanted to know why they could no longer pay their invoices via check. The jig was up when our customer learned that emails were being received he didn’t send.

This is the point I was called. The customer believed that their email had been hacked. We quickly traced this breach back to the Microsoft breach from the phishing email and even found that our own email servers were too hardened for the attacker to break into even with the username and password through Outlook. Instead of logging directly into our email server, they had to resort to creating their own domain name to send emails from.

We want people to be very aware of how these scams work. As you read, paying close attention to the domain name is the best defense against phishing of any kind. Today, it is very hard to deliver email to a domain the email did not come from in an authorized manner because of SPF records, DMARC records, and other security features on DNS servers that alert mail servers to what IP addresses are authorized to send email from that domain name. Our servers are equipped with these security features as well as errant login detection that stops logins that doesn’t seem to be within the norms of a customer’s geographical location for logins. This has proven to be a valid defense which is why the fraudster was unable to login with the customer’s credentials. We are well aware that customers have complained about the minor inconveniences this has seldomly caused, but this security feature really did pay off in a big way in the past few weeks.

In hindsight, it’s always great to go over what went right and what went wrong; the basics of after-action problem solving that I was all too acquainted with from my time in the US Army. This could have been anyone and the likelihood of this happening to someone in the future is many orders higher than you even think – it’s 100%. Don’t think about “if it happens” think about “when it happens”. In this case, the customer made the right call to get help and that should be your first step. Upon contacting us, we’re going to step you through this process, the same process we have outlined in our company policy if we are ever breached:

STOP THE BREACH

Changing passwords, logging out unauthorized users, and securing all of your accounts are essential and nothing else matters until this is completed. I cannot express how important it is to secure the breach before doing anything else at this point, you must shut down the attacker’s access to your company or everything that follows becomes a circular event.

ALERT YOUR CUSTOMERS

It is not only the right thing to do, it is the law. Let your customers know you experienced a data breach and exactly what information you suspect “could have been” obtained – even if there is the slightest chance they got a credit card number, you need to let those customers know “your financial data may have been exposed”. In a situation like what was experienced in this article, education is the best defense and the only immediate way of stopping it. Educating your customers on how to identify a phishing email stops the fraudster’s ability to phish.

ALERT AUTHORITIES

The North Carolina State Attorney General’s office has a hotline specifically for this: 1-877-5-NO-SCAM

ALERT SERVICE PROVIDERS

Filing abuse reports and DCMA takedowns outright disables any further progress from the fraudster. We in addition to a normal abuse report, include a “Letter of Preservation” which notifies the service provider of the fraudster to SAVE ALL DATA associated with that account before deleting it in case the NC Department of Justice prosecutes it. We will file these for our customers, especially if we have active contracts on hand as they allow us and give us the legal authority to do so (a quasi- and very limited power of attorney in these situations).

Note: Our timely abuse reports and DMCA takedowns in this case resulted in total shut-down in less than 6 hours.

REGISTER SIMILAR DOMAINS

In this situation, specifically registering the .co variant to the domain name would have outright prevented this kind of attack on our customer and their customers. This could be a $200 per year expense but it is far cheaper than the liability that could have been caused. We are more than willing to sit down with any customer and go through the variants that should be registered to help prevent an event like this from happening.

EDUCATE YOUR EMPLOYEES

As I said in alerting your customers, education is key, but not just the education of your customers. Ensuring that your employees know how to identify a phishing email effectively removes the most common vector of attack substantially reducing the risk of future breaches of any kind. We will be happy to offer a proactive service to any company to spot-check your employees to see if they can be tricked by a controlled phishing email – an email that does not legitimately represent your company but does not leak data other than to alert someone in your company that the particular employee was tricked and needs to be educated on how to identify these emails.

If you have any questions on this article or on how best to secure your company in data breaches, please visit our support center or call 919-648-1333 option 1.

Copyright Notice EXCLUSIVE to this article: All content and photos in this article may be copied for the purpose of news, awareness, or education so long as it is clear that MLW & Associates, LLC, Tarheel Media’s parent company maintains the copyrights.

The post SECURITY BULLITEN: Phishing Fraud and Account Security appeared first on Tarheel Media Digital Marketing.

Increased Attack Rates

Mike W. — Thu, 08 Dec 2022 13:02:43 +0000

We’re observing an increased attack rate of brute force attacks against client email and WordPress accounts.

We began to see an uptick in brute force attacks Monday, December 5, 2022 at about 3:40 am. These attacks begin subsiding around 7:00am. These attacks increased in intensity by about twice the rate of Monday’s attack on Wednesday morning and lasted throughout the night Thursday Morning.

OUR ADVISORY

Please change your WordPress “Display Name” to something other than your username. If your login is ‘iplaybb’ ensure your display name is ‘John Doe’ and not ‘iplaybb’. These attacks on WordPress seem to attempt to use the display name as the login.
Please be sure to change your passwords regularly to something that is not easily guessed and ensure it does not contain a common word or phrase.

The post Increased Attack Rates appeared first on Tarheel Media Digital Marketing.

security Archives - Tarheel Media Digital Marketing