Category: Phishing

Screenshot from networksolutions.com requesting that users change their password.

Cybersecurity Incident or Full Blown Breach at Web.com, Register.com, and NetworkSolutions.com

As painful as it is to announce this, what some consider the 5th largest domain registration company in the world has been breached. Or should we call it a cybersecurity incident, as they claim in their mea culpa, comforting customers that “No credit card data was compromised as a result of this incident”? (Emphasis ours.) The mea culpa is posted on a subdomain of their website, https://notice.web.com/, where they publish the following FAQ.

Frequently Asked Questions

What happened? On October 16, 2019, Web.com determined that a third-party gained unauthorized access to a limited number of our computer systems in late August 2019, and as a result, account information may have been accessed. No credit card data was compromised as a result of this incident.

What are you doing about it? Upon discovery, we took immediate steps to stop the intrusion. We promptly engaged a leading independent cybersecurity firm to investigate and determine the scope of the incident. We notified the proper authorities and began working with federal law enforcement. We are notifying affected customers through email and via our website, and as an additional precaution are requiring all users to reset their account passwords.

What data/information was involved? Our investigation indicates that account information for current and former Web.com customers may have been accessed. This information includes contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder. We encrypt credit card numbers and no credit card data was compromised as a result of this incident.

What can I do to protect my account? We have already taken additional steps to secure your account, and there is nothing you need to do at this time. The next time you log in to your account you will be required to reset your password. As with any online service or platform, it is also good security practice to change your password often and use a unique password for each service.

Is my credit card information at risk? We store credit card numbers in a PCI (Payment Card Industry) compliant encryption standard and do not believe your credit card information is vulnerable as a specific result of this incident. That said, it is good practice to monitor your credit card account and we encourage you to notify your credit card provider if you see any suspicious charges.

Should I reset my password as part of this? We have already taken additional steps to secure your account, and there is nothing you need to do at this time. The next time you log in to your account you will be required to reset your password. As with any online service or platform, it is good security practice to change your password often and use a unique password for each service.

FAQ on the Important Safety information at notice.web.com

KrebsOnSecurity was among the first, if not the first, to break the news to the public in an article published on October 30th. According to Krebs.

Web.com encourages customers to call them with any questions. The phone number is available on the notice page they published.

Our word of advice here: please do not reuse passwords, and set up multifactor authentication where possible.


Warning – Major WannaCry-like Windows Security Exploit

If you have a Windows computer running anything other than Windows 10 or Windows 8, you need this update!

Windows 7, Windows XP, Windows Server 2003, Windows Server 2008 R2 and similar all need updates right now.

More on this

Here: https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/

and here: https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches


Microsoft SharePoint Under Attack – CVE-2019-0604

SharePoint is under attack as attackers have discovered and are exploiting vulnerability CVE-2019-0604. Find out more about the vulnerability in the linked security advisory by Microsoft below:

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

– Microsoft SharePoint Remote Code Execution Vulnerability

According to an article by HelpNetSecurity, the attackers are able to install a web shell that then “allows them to achieve continuous access to the system and, potentially, to the internal network on which it resides.” The article also reports that, “According to the Canadian Centre for Cyber Security, researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors.”

Data Leaked Cover Page

EXACTIS Database Leaked – Likely Most Comprehensive Data Breach Announced

Word just got out that the marketing firm EXACTIS has in its possession a database with close to 340 million individual records that was available until recently (as of June 2018) on a publicly accessible server. The bulk of the database comprises “close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses,” claims the magazine WIRED. In their article on the subject, WIRED provides further details:

While the precise number of individuals included in the data isn’t clear—and the leak doesn’t seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children. “It seems like this is a database with pretty much every US citizen in it,” says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he’s searched for in the database, he’s found.

You may need to go check https://haveibeenpwned.com/ by Troy Hunt to see if your email address was among the leaked data and to sign up for a notification should your email address appear in such a leak and become available to ‘;–have i been pwned? (HIBP).

As HIBP suggests in one of their recent emails, monitoring Have I Been Pwned for data breaches is a great start, but you should take two more steps to protect all your accounts:

  1. Protect yourself with strong, unique passwords for each website, using a password manager like 1Password or LastPass or any good one of your choice.
  2. Enable 2 factor authentication and store the codes inside your password manager.

A further recommendation is that you keep an eye on your credit records and watch for any other possible social engineering attacks against you or your family.


Spam Alert: These People Never Get Tired Of Trying To Get You

 

Here is a little warning and reminder not to get too comfortable thinking that scammers are gone or that your email spam filter is so good they will never get to you. Here is your wake-up call: these people never get tired of trying. They use all sorts of means to disguise themselves, including shortening their links by means of “short url” machines, as in the case of the above picture.

Spam Email Example

Example of an email that hides a dangerous link behind a tinyurl link under the UPGRADE NOW button.

In fact, I just got one of those messages right in my inbox, with a malicious link to some phishing scam hosted on https:// [some_malicious_place] .us.archive.org. But the link that was actually in the big blue button was not pointing there directly. It was disguised behind a https:// tinyurl.com/ [some_extension_goes_here]. It took running the link through Google’s online virus scanner virustotal.com to detect that the final destination of the link is malicious archive.org-hosted content and a malicious site.

So, when you get an email that makes you uncomfortable as to why you are getting it, or one that looks suspicious, you are probably right. It is probably suspicious and dangerous. Get your IT friend to look at it, or just do not click on any links or attachments in it until you can get it verified by someone who has the tools. If you know how to extract the links without activating them, then do that and report the links, if malicious, to places like virustotal.com or to your antivirus software so they can include them in their next update. Please note that sometimes the email may come from the address of a person you actually know (after their mailbox was hijacked or is being spoofed).
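One way to extract the links without activating them, as an added example that is not part of the original post: it parses a saved raw message offline, lists every link with its button text, flags URL shorteners, and defangs the URL for reporting. The shortener list, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of URL-shortener hosts; extend it as needed.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "is.gd", "ow.ly"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags; nothing is fetched."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def defang(url):
    """Rewrite a URL so it cannot be clicked by accident in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def audit_links(raw_email):
    """List every link in the HTML body of a raw message, flagging shorteners."""
    msg = message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        bare = host[4:] if host.startswith("www.") else host
        findings.append({"text": text, "url": defang(href), "host": host,
                         "shortened": bare in SHORTENERS})
    return findings

# Constructed sample message (not the email from the post).
SAMPLE = """\
Subject: Mailbox storage full
Content-Type: text/html; charset="utf-8"

<a href="https://tinyurl.com/EXAMPLE">UPGRADE NOW</a>
<a href="https://www.example.org/help">Help</a>
"""
```

Links flagged as shortened are the ones to submit, unopened, to a scanner such as virustotal.com, which is how the post's author learned the final destination.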

Google is full of resources on how to tell if the email you are looking at is Spam. Seriously. Just type such a question and you will find a plethora of reputable sites with good examples. Emphasis on reputable. Do not fall for more phishing while trying to detect some.

virustotal.com reveals the actual final destination of a tinyurl or Shortened URL.

This screenshot from the virustotal.com details page shows the final URL that the tinyurl link (shortened URL) in the phishing email would have led to.