“Mega Breach” – So What?

We’ve all heard that the software company Adobe (maker of Flash, Acrobat and many more) was hacked and details of 150+ million users were stolen and then circulated on Russian Darknet forums.

yourdata

So you ask yourself – so what?  How does this affect me and my organization? Do I even have an Adobe account?

Well, thechances are that your organization is using Adobe products and many have either opened an account when downloading a sample product or had one created for them by their procurement division when purchasing an Adobe license for them to use (usually without their knowledge).

First of all, let’s review what was actually stolen – a list containing (per each user) a serial number (not interesting), the user’s email (very interesting), an encrypted password (which is easy to break if you know how) and the retrieval question.

So the main risk here appears to be that a hacker will break into the account (by guessing or cracking the password), steal the credit card details and use them. Right?

Well, this is certainly possible (and happens more often than most of us think), but the real risk is email address exposure.

A large percentage of all intrusion into large organizations occur through the use of “spear-phishing”, meaning a targeted email sent to a person within the organization.  

The employee receives a credible-looking email, appearing to be sent from a business partner, conference organizer etc.

The email contains an attachment (most likely a PDF file, Excel sheet or Word doc) or a link.

Opening/clicking the link runs a malicious code that secretly installs itself, and from that moment forth, the network is open to the intruder.

Creating a spear-phishing email is easy. What was difficult until now was obtaining corporate email addresses (previously, hackers had to use social engineering to obtain these). No more! Literally millions of these addresses are now visible to all, making employees whose details have been leaked easy targets. So what needs to be done (because the breach and subsequent exposure can’t be undone)? Here are our actionable recommendations:

  • Cancel the credit card which was used to make the purchase on the site
  • Change the password of users of the Adobe site
  • Conduct a full scan of the computers for malicious files
  • Brief all employees that have leaked Adobe accounts/emails about this breach and the potential spear-phishing attempts that can follow it, and avoid opening any attachments from suspicious and unknown email addresses.

As the (even more recent) Target breach proves, we have not seen the last of these “mega information breaches”, so whenever such an incident is made public, we all need to ask ourselves – does this affect me? And, if so – what do I need to do? Remember, cyber security is not “the IT department’s problem”. We are all an important part of the solution.

How to Avoid Phishing Scams Using LinkedIn Invitations?

Image

Hi! As a well-connected individual (with well over a thousand connections on LinkedIn) who receives invitations to connect on a daily basis, I wasn’t surprised to learn that Websense Security Labs researchers found that the most successful headline for a phishing campaign is “Invitation to connect on LinkedIn”.

(http://community.websense.com/blogs/websense-insights/archive/2013/12/10/new-phishing-research-5-most-dangerous-email-subjects-top-10-hosting-countries.aspx)

The reason for this being so popular (which it must be according to its success rates) is because unlike emails received from banks and credit card companies, social media messages (and especially LinkedIn, which is a respectable network of professionals) are not perceived as as source-threatening content.

So you receive a legitimate looking LinkedIn invitation email, something like the email below:

Image

All the obvious signs (funky looking email address, funky name, broken English) are absent. Until today, one would simply click the “View Profile” link or “Accept” button. Now we know that these are potentially phishing messages and we need to take better precautions. So what can we do to identify if this is a legitimate request? Simply hover with the mouse over the “View Profile” link or “Accept” button to see the actual link address. If the link is different to http://www.linkedin.com, then you should not click it.

Image

Another method for identifying if this is indeed a scam is to open your LinkedIn account from your browser (or phone app) and check your Inbox for invitations. If the same message does not appear there it must surely be a scam. Once you have established this is SPAM, you can mark this as SPAM in your outlook.