Ransomware…Old Hacks With New Tricks
Ransomware scams and threats are now being taken to a whole new level. Imagine receiving an email with your password in it, from someone you don’t know, requesting money or they’ll blackmail you. Now, hackers are capitalizing on an organization’s inability to keep passwords safe and leveraging cryptocurrency to maintain anonymity.
What’s the Ransomware Gossip?
In its basic form, this sextortion email scam has hackers sending out an email that essentially says “I know this is your password and a video recording of you. Send me Bitcoin to this address and I won’t blackmail you.”
It is believed that hackers are utilizing old passwords, pulled from networks successfully hacked more than 10 years ago, to get the attention of naïve or careless victims or, worse, your employees. Like most B.E.C. (Business Email Compromise) campaigns, this one is fairly low-tech, relying instead on convincing social engineering to achieve its goals. While these attacks overall are progressing in sophistication, most still opt not to use malware or exploits, meaning the attacks avoid detection by antimalware and intrusion detection systems.
According to the Verizon 2017 Data Breach Investigation Report, 81% of hacking-related breaches leverage either stolen, default, or weak credentials. While “credential harvesting” is often seen as equivalent to phishing, it uses different tactics.
Long gone are the days of the Nigerian prince scams. Modern-day attacks are well designed and can be tough to recognize.
For example, the following credential harvesting phishing pages are indicative of today’s common threats:
As you can see from the examples, these pages are made to look exactly like the real login pages for these services, and they can be easily hosted on any web server. Most of the time, when the user enters their credentials, the page not only captures those credentials, but it also forwards them to the actual login page, which then logs in the user, and they never know that they just gave up their credentials. Even in cases where the user is not automatically logged in, the page will usually just show a “Bad username or password” error, prompting him/her to log in again. This typically goes unnoticed because all of us have mistyped a password before, once again leaving them oblivious to the harvesting of their credentials.
While credential harvesting is widely used by attackers, what they do with the stolen information can vary greatly. In some cases, the credentials will be used for subsequent attacks where the goal is to gain access to systems or network resources, or they can be monetized by taking over bank accounts or simply selling the information on the Darknet. Cyber attackers long ago figured out that the easiest way for them to gain access to sensitive data is by manipulating people, the weakest link in the cyber defense chain. Credential harvesting has become the foundation of most cyber-attacks.
In this instance, hackers are hoping that your password has gone unchanged, or has been changed only by adding a special character or number, and that you will fall victim to their scam. Many companies have some cybersecurity policies in place, but unless employees are trained in the policies and procedures, things get missed. Passwords go unchanged and are likely similar or the same across all accounts.
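The check below is an added example, not part of the original article: at password-change time it rejects a new password that is an old leaked one left unchanged or altered only by adding or swapping a digit or special character. The leaked-password list, the function names and the two-edit threshold are assumptions made for illustration.

```python
import re

# Constructed sample: passwords previously exposed for this user (not real data).
LEAKED_FOR_USER = ["Summer2015", "12345678"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def core(password: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols, the usual 'tweak' positions."""
    lowered = password.lower()
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    return stripped or lowered  # all-digit/symbol passwords keep their full form

def reject_reason(candidate: str, leaked=LEAKED_FOR_USER, max_edits: int = 2):
    """Return why `candidate` is too close to a leaked password, or None if acceptable."""
    for old in leaked:
        if candidate == old:
            return "unchanged leaked password"
        if core(candidate) == core(old):
            return "leaked password with digits/symbols added or changed"
        if edit_distance(candidate.lower(), old.lower()) <= max_edits:
            return "within %d edits of a leaked password" % max_edits
    return None

if __name__ == "__main__":
    for pw in ["Summer2015", "summer2016!", "$ummer2015", "correct horse battery staple"]:
        print(repr(pw), "->", reject_reason(pw) or "ok")
```

Only the first two candidates would be caught by an exact-match or suffix check alone; the edit-distance step is what catches the character swap in the third.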
What Happens If You Are a Victim of a Ransomware Attack?
Scams by way of email are very common: phishing attempts by someone posing as the CFO asking you to wire money immediately, or a link asking you to sign into what appears to be a normal login for a website. And now, password theft and blackmail!
To mitigate your level of risk, here are a few tips to ensure your passwords are safe and you are not the next victim.
Employee Cyber Training:
Educating users about the risk of phishing and the characteristics of these attacks is an essential first step.
Use Multi-Factor Authentication (MFA):
MFA requires multiple methods for identification (something you know, something you have, and something you are). What does this mean? This is a two-step verification that requires not only a password and a username, but also something that only the user has on them. This is an extra layer of security, putting hackers at a disadvantage. At Withum, our second layer is a push notification to our phone. Acknowledging our identity on the phone allows us access to various files on our computers.
Do Not Store Passwords in Clear Text:
- Don’t store passwords in an Excel spreadsheet named “passwords.xls”
- Don’t maintain passwords in your email
Use Encryption at Rest and as Needed for Sensitive Files in Transit
- Most commercial operating systems provide encryption built into the software.
- If you are sending confidential information, you should use encryption methods or solutions such as Zix, ShareFile, or PGP.
Strong PassPhrases or Password Management Solutions
- Go beyond strong passwords. Create strong passphrases that you will be able to remember, and do not use the same password twice. The longer and more complex the password, the more difficult it is to hack.
- Suggestions for passphrases: Take the first letter from each word of a song lyric to get 8-9 letters for your password. Then add a number and special character to it to get your base password. Finally, add 2 uppercase site-specific letters to the beginning to get your complex, easy-to-remember and unique site-specific password.
Cover Your Webcam
Purchase a webcam cover or put a piece of tape over it. This ransomware sextortion scam is blackmailing the user. If your webcam is covered, this is not possible.
Email scams happen daily. Educating you and your team is the first step to preventing these scams from occurring. If you’re looking to create policies and procedures, educate your team on ransomware prevention and protection and ensure your organization has a strong security posture, Withum’s Cyber and Information Security Team can assist.
Joe Riccie, CPA, Partner
Market Leader, Cyber and Information Security Services
Founder & Managing Director, Digital4nx Group