If you receive an email from Netflix informing you that your credit card no longer works, be very careful how you respond.
Mailguard, an Australian cyber-security firm, is warning that fraudsters are using “brandjacking” emails in hopes of capturing consumers’ credit card information.
Brandjacking is an increasingly common tactic used in phishing scams. The email is designed to look like it’s coming from a well-known institution. It might be a major bank or a utility company.
In this case, the bogus email appears to come from Netflix — a video streaming service with millions of subscribers worldwide — and at first glance the email appears to be the real thing.
In bold letters at the top, the email informs the recipient that payment for Netflix services has been declined and that credit card information must be updated.
There is a button to click to update credit card information. But the link takes you to the scammer’s website where you are asked to enter credit card information, which will then be sold on the Dark Web.
This scam is dangerous because so many people who are receiving this email are Netflix customers. Their first response may be to click the button and provide the requested information.
But there is a safer course of action. Should you receive one of these emails, type the Netflix URL into your browser and log into your account. After you’re signed in, click on your personal icon in the upper right corner of the page, then click on “account.” Then click on “update payment info.”
If there is a legitimate problem with your credit card, you’ll see a message there informing you of that fact. If you’re still not sure, you can re-enter your credit card information or enter the information for a different credit card.
A closer look at the email, however, might save you the trouble. If the email mentions that your American Express card was declined, but Netflix uses your Visa, then the email is an obvious fake.
Also note the spelling of certain words. Emails sent to customers in the U.S. should refer to the “Help Center,” not the “Help Centre.”
Phishing scams can take different forms. Besides directing a potential victim to a phony website, they can also contain attachments that can unleash malware, including ransomware.
In your digital life, it's quite possible that you will experience a cyber attack. Many of us already have, either in mild forms (adware, browser hijackers) or in more damaging ways (banking Trojans, ransomware, etc.).
Given how frequent data breaches are, your private data could also end up in a breach, independently of anything you did.
So it’s important to have an action plan for when this happens, a plan that can guide your steps and help you manage the panic.
We actually created a guide for that particular situation, which I honestly hope you’ll never experience. It includes advice on how to behave, how to act and what to verify to ensure that your risks are minimized.
I hope you find it useful!
1. First of all, this is not a good time to panic. Take a deep breath and keep your calm.
The opposite, doing nothing and taking no measures, isn't an option either.
You should be aware that things could quickly escalate in an unwanted direction, even if you think the breached service is unimportant to you.
The breached data can be used to break into other accounts of yours (especially if you use the same password for multiple accounts, so please don't), for identity theft, financial fraud, blackmail and all sorts of other unwanted headaches.
2. Log into the account of the service that was hacked as soon as you find out about the breach.
Glance over the settings for your account, see if there’s anything fishy or changed there.
If you can’t access your account anymore, reset the password via email.
If you registered with a throwaway email address, or you no longer have access to that mailbox, you'll have to contact the administrators of that website and prove the account is yours.
3. Change the password for that service. Use a strong, unique password.
If you've been reading our blog regularly, you most likely know how much we insist on this: never, ever reuse a password. You should have a unique, strong password for every account, and change it whenever you suspect it has been exposed.
However, if it's too late for this and you recycled the password from the compromised website, change the password on every other service where you used it.
You can use a password generator, such as Norton Identity Safe Password Generator, to create strong passwords.
In the future, prepare for the worst and make sure you don't reuse passwords, in order to minimize the impact of a hacked account. You wouldn't use the same key for your house and for your car, would you?
Remember to treat the answers to password security questions the same way you treat your passwords. Don't use real answers; generate random strings instead and store them with the password. The real answers (mother's maiden name, first school, pet's name) can often be found on social media or in public records.
And never keep your passwords in a plain file on your computer, in your mail or in cloud storage. Instead, use a password management application, like LastPass or Dashlane. This way, you won't have to memorize 30-40 strong passwords, with all their capital letters, symbols and numbers. You'll only have to remember the master password for your password manager; the other passwords are stored encrypted.
4. If available, activate two-factor (or more) authentication.
Two-factor authentication (or two-step verification) adds an extra layer of security, usually through your mobile phone. It works as a second authentication method alongside your password.
The service either sends you a one-time numeric code by SMS or has an authenticator app installed on your phone generate one. Prefer the app where it is offered: SMS codes can be intercepted by an attacker who takes over your phone number (SIM swapping), whereas the app's codes never leave the device.
Gmail, Twitter, Facebook and Amazon are among the ones who offer this option. You can find an extended list on TwoFactorAuth.org.
5. Change the password to your email or any other linked accounts.
As soon as you find out about the breach, change the password for the email you used to create the account for the service that got hacked.
Also look over the email settings, especially the Email Forwarding, Filters, Reply-to Address and Security Questions, to make sure that everything’s in order. An attacker will try to leave some kind of a back door opened, to come back into the account.
Your email address is most likely tied to many of your online accounts. If any of those is compromised, you’ll have to change the password to any other service that was remotely linked.
Also de-authorize all third-party apps that have access to your account.
Phishing is when an attacker misuses technology to trick someone into divulging sensitive information, such as usernames and passwords or credit card numbers. People often associate phishing with fraudulent email messages (think Nigerian prince scams), but phishing also reaches victims through web pages, documents, text messages, social media content, instant messaging, advertisements, and even phone calls.
A phishing website lives, on average, for about 15 hours. Cybercriminals take phishing pages down quickly so that investigators and URL blocklists can't keep up with them.
Attackers also host phishing pages on compromised legitimate websites, whose good reputation helps the pages slip past filters and keeps the operation going.
In 2016, cyber security researchers found over 400,000 phishing websites each month, which adds up to almost 5 million phishing websites in a year.
Cybercriminals impersonated Google, PayPal, Yahoo and Apple the most that year, using those brands to manipulate users and trick them into revealing their confidential information.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed phishing emails. The following are the most important findings from this report:
Strengthening an organization's anti-phishing strategy means moving beyond old techniques that use static phishing domain or URL lists to highly automated technologies based on sophisticated machine learning methods. These more advanced technologies can quickly check the characteristics and metadata for each requested webpage to look for signs of phishing, then report a score or rating that the organization can use to make automated decisions about allowing or denying access to the page. When phishing sites can appear and disappear in the length of a coffee break, highly automated machine learning solutions are the only way to prevent successful phishing attacks and the major data breaches they
FBI officials are warning potential victims of a dramatic rise in the business e-mail compromise scam or “B.E.C.,” a scheme that targets businesses and has resulted in massive financial losses in Phoenix and other cities.
The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or a trusted vendor. They research the employees who manage money and use language specific to the company they are targeting, then request a fraudulent wire transfer for a dollar amount that lends legitimacy.
There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.
Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
This amounted to more than $2.3 billion in losses.
Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
In Arizona the average loss per scam is between $25,000 and $75,000.
If your company has been victimized by a BEC scam:
Contact your financial institution immediately
Request that they contact the financial institution where the fraudulent transfer was sent
If you’re a Federal Agent who happens to fight cybercrime, what sort of stuff lands on your desk? The latest Internet Crime Report paints a picture. And as well as featuring an annual summary of the activities of the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), it also includes a useful roundup of trends to watch.
Based on nearly 300,000 complaints filed in the previous calendar year, here are the FBI’s “Hot Topics”: three specific threat types that the Feds say we should be most worried about…
Business Email Compromise (BEC)
We're not talking about email hacking just for the sake of it here (that's classed as Email Account Compromise, and although it is often a component of BEC, it's not the whole story).
With BEC, we're dealing with a very specific kind of threat: a sophisticated scam built around wire transfer payments. With a little digging (LinkedIn, website bios, that sort of thing), a criminal can quickly identify who's likely to hold the purse strings within an organisation. The scam is carried out when the attacker compromises, or convincingly spoofs, legitimate business email accounts through social engineering or hacking techniques to conduct unauthorized transfers of funds.
It’s a global problem. On this side of the Pond, we know it better as mandate fraud and only this month, City AM was reporting that fraudsters had used it to make off with £32 million in the previous year. The Met says that it’s now the third most popular way of scamming a business, behind fraudulent bank cards and employee theft.
So here’s a piece of research that shouldn’t come as any surprise: of all the people in your company most likely to be targeted in an email scam, your Chief Financial Officer comes top.
The moral? Regardless of what she tells you, your CFO hasn’t got “more important things to do” than turn up to your next cyber security scrumdown.
Ransomware
Never mind a year; a week is a long time in cyber security. Last year, IC3 apparently received 2,673 complaints linked to ransomware with losses of over $2.4 million.
Although it has long been on the radar of the cyber security community, it’s fair to say that as 2016 drew to a close, the issue of ransomware wasn’t yet mainstream headline news. The WannaCry attack in May – closely followed by Petya – changed all that.
WannaCry infected an estimated 300,000 endpoints and such was the scale of the attack that it warranted a meeting of the UK government’s Cobra crisis committee.
Threat detection, strategic backup, proper patch management and adequate hygiene (not least, making sure your people know what and what not to click on): these are the areas all businesses should be focused on to reduce the threat.
Tech support fraud
IC3 received 10,850 complaints relating to this type of fraud, with losses exceeding $7.8 million. Again, it’s a highly-targeted strategy, only this time it’s more likely to involve your IT team than your accounts staff.
The perpetrator makes contact with the business and offers what sounds like a fantastic tech support package. The victim bites – and is subsequently asked for remote access to a device. The request sounds reasonable (after all this person is now the company’s remote ‘support guy’). Once in, there’s the potential to cause all manner of damage, from a quick “smash and grab” of customer account data through to the installation of spyware.
The fact that this has been flagged up by the FBI is a reminder of the importance of doing your homework. A swish website, a convincing salesman, a too-good-to-be-true deal: these should never be enough in themselves to cause you to enter into any kind of relationship with a third party provider.
What do all three of the FBI's "Hot Topics" have in common? For one, each of them depends on some action by your people in order to succeed. And especially when it comes to BEC and tech support fraud, these are honed, targeted and personal attacks. If you're worth compromising, chances are that threat actors will be willing to do a little digging to get the attack right. So be ready for it.
A new Netflix phishing attack leverages fake emails from the streaming service to trick users into handing over their Netflix login and credit card details. The attack starts when a user receives an email from what appears to be Netflix, warning them that they need to update their membership information. The sender address, support@onlineorders[.]desk-mail[.]com, has nothing to do with Netflix, so it's not surprising that clicking on the "Update" link leads somewhere other than the streaming service. In fact, it directs the user to hxxp://see-all[.]norafix[.]com/, a location which immediately redirects them to the subdomain hxxp://account[.]norafix[.]com/ch/customer_center/customer-IDPP00C274/js/?country.x=&locale.x=en_.
That page prompts the user to enter in their Netflix credentials followed by their payment card details.
Once it’s succeeded in stealing that information, the scam confirms that the user’s account is now updated. It then provides them with a link to Netflix’s actual homepage.
So what happens then?
Well, the attacker could abuse the user’s stolen credentials to gain access to Netflix content for free. They could also leverage the credit card information to make fraudulent purchases. But they could also reuse the stolen login details in an attempt to gain access to some of the user’s other accounts.
Most of us know spam when we see it, but seeing a strange email from a friend—or worse, from ourselves—in our inbox is pretty disconcerting. If you’ve seen an email that looks like it’s from a friend, it doesn’t mean they’ve been hacked. Spammers spoof those addresses all the time, and it’s not hard to do. Here’s how they do it, and how you can protect yourself.
Spammers have been spoofing email addresses for a long time. Years ago, they used to get contact lists from malware-infected PCs. Today’s data thieves choose their targets carefully, and phish them with messages that look like they came from friends, trustworthy sources, or even their own account.
It turns out that spoofing real email addresses is surprisingly easy, and part of why phishing is such a problem. Systems Engineer, aspiring CISSP, and Lifehacker reader Matthew tipped us off to how it works, but also took us by surprise by emailing a few of us at Lifehacker from other Lifehacker writers’ email addresses. Despite the fact that we knew it was possible—we’ve all gotten spam before—it was more disconcerting to actually be tricked by it. So, we talked to him about how he did it and what people can do to protect themselves.
Note: What follows is a rather technical writeup, designed for more computer-savvy individuals. If you want a more basic rundown on avoiding spam and scams, we’ve got one of those too.
A Little History: Why Email Addresses Are So Easily Spoofed
Today, most email providers have the spam problem resolved—at least to their own satisfaction. Gmail and Outlook have strong, sophisticated spam catching algorithms and powerful filtering tools. Back in the early 2000s, though, that wasn’t the case. Spam was still a huge problem that mail servers had yet to seriously tackle, much less develop advanced tools to manage.
In 2003, Meng Weng Wong proposed a way for mail servers to "verify" that the IP address (the unique number that identifies a computer on the internet) sending a message was authorized to send mail on behalf of a specific domain. It was called Sender Permitted From (renamed "Sender Policy Framework" in 2004), and Matthew explains how it works:
Each time an email message was sent, the receiving email server would compare the IP of origin for the message with the IP address listed in the SPF record for the email address’s host (the “@example.com” part.)
If the two IP addresses match, then the email could pass through to the intended recipient. If the IP addresses did not match, then the email would be flagged as spam or rejected altogether. The burden of deciding the outcome was completely in the hands of the receiving server.
When you register a domain, you also register a number of DNS records that go along with it. Those records tell the world which computers to talk to depending on what they want to do (email, web, FTP, and so on). The SPF record is an example, and ideally it would make sure all the mail servers on the internet knew that people sending email from, say, @lifehacker.com, were actually authorized users and computers.
However, this method isn't perfect, which is part of why it never fully caught on. SPF records require administration: someone has to add new sending hosts and remove old ones, and every change takes time to propagate through DNS. (Update: We previously tied SPF checks to user IP addresses, when the technology is actually used by mail hosts to verify that the server through which a message passes is an authorized sender on behalf of a given domain, not that the device used is authorized to send on behalf of a given address. Sorry for the confusion, and thanks to the commenters who pointed this out!) There is a further limitation: SPF checks the envelope sender (the SMTP MAIL FROM address, which ends up in the Return-Path header), not the From: address your mail client displays, so a spoofer who controls the envelope domain can pass SPF while showing you any From: they like. Most companies also use a lenient version of SPF. Instead of risking false positives by rejecting legitimate mail, they end their record with a "softfail" (~all) rather than a "hardfail" (-all), and email hosts in turn loosened their rules on what happens to messages that fail the check. As a result, email is easier for corporations to manage, but phishing is easy too, and a big problem.
A DMARC record boils down to two important tags (there are several others): the "p" tag, which tells receiving servers what the domain owner wants done with messages that fail the check (p=none to deliver anyway, p=quarantine to send to spam, or p=reject to refuse delivery), and the "rua" tag, which tells receiving servers where to send aggregate reports about failed messages (usually a mailbox at the domain admin's security group). DMARC also ties the check to the address you actually see: a message passes only if SPF or DKIM succeeds for a domain that matches (is "aligned" with) the From: header domain. That closes most of the holes in SPF on its own, because the domain owner now states the policy instead of each recipient server guessing how to treat a failure.
The problem is, not everyone uses DMARC yet.
This handy tool allows you to query any domain's DMARC record; try it out on a few of your favorites (gawker.com, whitehouse.gov, redcross.org, reddit.com). Notice anything? At the time of writing, none of them had published DMARC records. That means that any email host that tries to conform to the rules of DMARC has no instructions on how to handle emails that fail SPF for those domains, and will probably let them through. That's what Google does with Gmail (and Google Apps), and that's why phony emails can get through to your inbox.
To prove that Google does pay attention to DMARC records, look at the DMARC record for facebook.com: the "p" tag indicates that recipients should reject failing emails and send a report about them to the postmaster at Facebook. Now try to fake an email from facebook.com and send it to a Gmail address; it won't go through. Then look at the DMARC record for fb.com: it indicates that no email should be rejected, but a report should be sent anyway. And if you test it, spoofed emails from @fb.com will go through.
Matthew also noted that the “postmaster report” is no joke. When he tried spoofing a domain with a DMARC record, his SMTP server was blocked in less than 24 hours. In our testing, we noticed the same. If a domain is set up properly, they’ll put an end to those spoofed messages quickly—or at least until the spoofer uses a different IP address. However, a domain that doesn’t have DMARC records is fair game. You could spoof them for months and no one on the sending end would notice—it would be up to the receiving mail provider to protect their users (either by flagging the message as spam based on content, or based on the message’s failed SPF check.)
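The SPF and DMARC behaviour described above fits in a few dozen lines. The following is an added example, not code from Lifehacker or from Matthew, that evaluates a simplified SPF record and a DMARC policy against constructed DNS records (the domains, IP addresses and records are made up and embedded inline, so nothing is looked up on the network). It only understands the ip4/ip6/include/all mechanisms and takes the last two labels as the organizational domain; a real evaluator also handles a, mx, redirect, macros, the sp tag and the Public Suffix List.

```python
import ipaddress
from typing import Dict

# Constructed DNS TXT records standing in for live lookups (all names and IPs are made up).
RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "attacker.example": "v=spf1 ip4:203.0.113.99 -all",
    "example.org": "v=spf1 ip4:203.0.113.5 ~all",
    # example.org publishes no _dmarc record, so a spoof of it is left to the receiver's own filters.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, records: Dict[str, str], depth: int = 0) -> str:
    """Simplified RFC 7208 evaluation: only ip4/ip6/include/all are understood.

    The check is made against the *envelope* (MAIL FROM) domain, which is why a
    passing SPF result says nothing by itself about the From: header the user sees.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            if check_spf(arg, client_ip, records, depth + 1) == "pass":
                return result
    return "neutral"                    # nothing matched and no explicit "all"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into its tag=value pairs."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate_message(header_from: str, mail_from: str, client_ip: str,
                     records: Dict[str, str], dkim_aligned: bool = False) -> dict:
    """Receiver-side DMARC decision for one message (the DKIM outcome is passed in as a flag)."""
    from_domain = header_from.rsplit("@", 1)[1].lower()
    envelope_domain = mail_from.rsplit("@", 1)[1].lower()
    spf = check_spf(envelope_domain, client_ip, records)
    # DMARC "relaxed" alignment: SPF only counts if it passed for a domain that
    # shares the organizational domain with the visible From: header.
    spf_aligned = spf == "pass" and org_domain(envelope_domain) == org_domain(from_domain)
    result = {"spf": spf, "spf_aligned": spf_aligned, "policy": None, "disposition": None}
    policy_txt = records.get("_dmarc." + from_domain)
    if policy_txt is None or not policy_txt.startswith("v=DMARC1"):
        result["disposition"] = "no-policy"   # receiver falls back to its own spam heuristics
        return result
    result["policy"] = parse_dmarc(policy_txt).get("p", "none")
    if spf_aligned or dkim_aligned:
        result["disposition"] = "pass"
    else:
        result["disposition"] = {"none": "deliver", "quarantine": "quarantine",
                                 "reject": "reject"}[result["policy"]]
    return result


if __name__ == "__main__":
    # Legitimate mail from the published range, a plain spoof, a spoof whose envelope
    # passes SPF for the attacker's own domain, and a spoof of a domain with no DMARC.
    for hf, mf, ip in [("alice@example.com", "bounce@example.com", "192.0.2.7"),
                       ("ceo@example.com", "ceo@example.com", "203.0.113.99"),
                       ("ceo@example.com", "bulk@attacker.example", "203.0.113.99"),
                       ("ceo@example.org", "ceo@example.org", "203.0.113.99")]:
        print(hf, "via", mf, "from", ip, "->", evaluate_message(hf, mf, ip, RECORDS))
```

The third scenario is the one worth staring at: SPF passes, because the attacker published a correct record for their own envelope domain, yet the message is still rejected because that domain is not aligned with the example.com shown in From:. Without a DMARC record (fourth scenario) the same spoof is simply "no-policy", and it is up to the receiving provider's heuristics whether it lands in the inbox.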
How Spammers Spoof Email Addresses
The tools necessary to spoof email addresses are surprisingly easy to get. All you need is a working SMTP server (aka, a server that can send email), and the right mailing software.
Any good web host will provide you with an SMTP server. (You could also run an SMTP server on a system you own, but port 25, the port used for server-to-server mail delivery, is usually blocked by residential ISPs, specifically to stop the kind of mass-mailing malware we saw in the early 2000s.) For his prank on us, Matthew used PHPMailer. It's easy to understand, easy to install, and it even has a web interface. Open PHPMailer, compose your message, put in the "from" and "to" addresses, and click send. On the recipient's end, they'll get an email in their inbox that looks like it came from the address you typed in. Matthew explains:
The email should have worked without issue, and appears to be from whomever you said it’s from. There’s very little to indicate this didn’t come from their inbox, until you view the source code of the email (“View original” option in Gmail). [ed note: see image above]
You’ll notice that the email “soft” failed the SPF check, yet it came through to the inbox anyway. It’s also important to note that the source code includes the originating IP address of the email, so it’s possible that the email could be traced, if the recipient wanted to.
It’s important to note at this point that there is still not a standard for how email hosts will treat SPF failures. Gmail, the host I did most of my testing with, allowed emails to come in. Outlook.com, however, did not deliver a single falsified email, whether soft or hard failed. My corporate Exchange server let them in without issue, and my home server (OS X) accepted them, but flagged them as spam.
That’s all there is to it. We’ve skimmed over some details, but not many. The biggest caveat here is if you click reply on the spoofed message, anything sent back goes to the real owner of the address—not the spoofer. That doesn’t matter to thieves though, since spammers and phishers are just hoping you’ll click links or open attachments.
The tradeoff is clear: Since SPF never really caught on in the way it was intended, you don’t need to add your device’s IP address to a list and wait 24 hours every time you travel, or want to send email from your new smartphone. However, it also means that phishing remains a major problem. Worst of all, it’s just so easy that anyone can do it.
What You Can Do to Protect Yourself
This all may seem arcane, or seem like a lot of fuss over a few measly spam emails. After all, most of us know spam when we see it—if we ever see it. But the truth is that for every account where those messages are flagged, there’s another where they aren’t and phishing emails sail into user inboxes.
Matthew explained to us that he used to spoof addresses just to prank friends and give them a little scare, like the boss being angry with them or the receptionist emailing to say their car was towed, but realized that it worked a little too well, even from off the company network. The spoofed messages came through the company mail server complete with profile pictures, corporate IM status, auto-populated contact information, and more, all helpfully added by the mail server, and all of which make the spoofed email look legit. When I tested the process, it wasn't much work before I saw my own face looking back at me in my inbox, or Whitson's, or even Adam Dachis', who doesn't even have a Lifehacker email address anymore.
Even worse, the only way to tell that the email isn’t from the person it looks like is to dig into the headers and know what you’re looking for (like we described above.) That’s a pretty tall order for even the tech-savvy among us—who has time for that in the middle of a busy workday? Even a quick reply to the spoofed email would just generate confusion. It’s a perfect way to cause a little chaos or target individuals to get them to compromise their own PCs or give up login information. But if you see something that’s even a little suspicious, you at least have one more tool in your arsenal.
So, if you’re looking to protect your inboxes from messages like this, there are a couple of things you can do:
Turn up your spam filters, and use tools like Priority Inbox. Setting your spam filters a little stronger may—depending on your mail provider—make the difference between a message that fails its SPF check landing in spam versus your inbox. Similarly, if you can use services like Gmail’s Priority Inbox or Apple’s VIP, you essentially let the mail server figure out the important people for you. If an important person is spoofed, you’ll still get it, though.
Learn to read message headers, and trace IP addresses. We explained how to do this in this post about tracking down the source of spam, and it’s a good skill to have. When a suspicious email comes in, you’ll be able to open the headers, look at the IP address of the sender, and see if it matches up with previous emails from the same person. You can even do a reverse lookup on the sender’s IP to see where it is—which may or may not be informative, but if you get an email from your friend across town that originated in Russia (and they’re not traveling), you know something’s up.
Never click unfamiliar links or download unfamiliar attachments. This may seem like a no-brainer, but all it takes is one employee in a company seeing a message from their boss or someone else in the company to open an attachment or click a funny Google Docs link to expose the entire corporate network. Many of us think we’re above being tricked that way, but it happens all the time. Pay attention to the messages you get, don’t click links in email (go to your bank’s, cable company’s, or other website directly and log in to find what they want you to see), and don’t download email attachments you’re not explicitly expecting. Keep your computer’s antimalware up to date.
If you manage your own email, audit it to see how it responds to SPF and DMARC records. You may be able to ask your web host about this, but it’s not hard to check on your own using the same spoofing method we described above. Alternatively, check your junk mail folder—you may see messages in there from yourself, or from people you know. Ask your web host if they can change the way your SMTP server is configured, or consider switching mail services over to something like Google Apps for your Domain.
If you own your own domain, publish DMARC records for it. Matthew explains that you have control over how aggressive you want to be, but read up on how to write a DMARC record and add yours as a TXT record at _dmarc.yourdomain with whoever hosts your DNS (usually your registrar or web host). If you're not sure how, they should be able to help. If you're getting spoofed messages on a company account, let your corporate IT know. They may have a reason for not publishing DMARC records (Matthew explained his said they couldn't because they have external services that need to send using the company domain, which is fixed by listing those services in the SPF record or having them sign with DKIM, but that kind of thinking is part of the problem), but at least you let them know.
As always, the weakest link in security is the end-user. That means that you’ll need to keep your BS sensors turned all the way up every time you get an email you weren’t expecting. Educate yourself. Keep your anti-malware software up to date. Finally, keep an eye on issues like these, since they’ll continue to evolve as we continue to fight spam and phishing.
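As an added example of the "learn to read message headers" advice above (my code, not Lifehacker's or Matthew's), the block below parses a constructed spoofed message, walks the Received: chain back to the originating IP, reads the receiving server's Authentication-Results: stamp, and compares the Return-Path domain with the displayed From: domain. The sample message, hosts, addresses and trusted network are invented for the example.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample (addresses, hosts and IPs are invented): the visible From: claims a
# colleague, but the receiving server stamped the envelope sender as an SPF softfail and
# the first hop came from an address outside the company's published sending range.
RAW_MESSAGE = """\
Return-Path: <pat.boss@example.com>
Received: from mx.example.com (mx.example.com [192.0.2.10])
  by inbox.example.com with ESMTP id abc123; Tue, 03 Oct 2017 09:12:01 +0000
Received: from mail.attacker.example (unknown [203.0.113.99])
  by mx.example.com with ESMTP id xyz789; Tue, 03 Oct 2017 09:12:00 +0000
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=example.com;
  dmarc=fail header.from=example.com
From: "Pat Boss" <pat.boss@example.com>
To: alice@example.com
Subject: Urgent wire transfer
Date: Tue, 03 Oct 2017 09:11:58 +0000

Please pay the attached invoice today.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_message(raw: str) -> EmailMessage:
    return message_from_string(raw, policy=policy.default)


def received_hops(msg: EmailMessage) -> List[str]:
    """IPs from the Received: chain, top (nearest to you) to bottom (origin).

    Each relay prepends its own Received: line, so the last one was written by the
    first server that accepted the message. Only stamps added by servers you trust
    are reliable; anything below them could have been forged by the sender.
    """
    hops = []
    for header in msg.get_all("Received", []):
        match = IPV4_IN_BRACKETS.search(str(header))
        if match:
            hops.append(match.group(1))
    return hops


def originating_ip(msg: EmailMessage) -> Optional[str]:
    hops = received_hops(msg)
    return hops[-1] if hops else None


def auth_results(msg: EmailMessage) -> Dict[str, str]:
    """spf/dkim/dmarc verdicts from the receiving server's Authentication-Results: header."""
    verdicts: Dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RESULT.findall(str(header)):
            verdicts[method] = verdict
    return verdicts


def sender_domains(msg: EmailMessage) -> Dict[str, str]:
    """Domain the user sees (From:) versus the envelope domain (Return-Path:)."""
    shown = parseaddr(str(msg.get("From", "")))[1]
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    return {"from": shown.rsplit("@", 1)[-1].lower(),
            "return_path": envelope.rsplit("@", 1)[-1].lower()}


def suspicious_reasons(msg: EmailMessage, trusted_cidrs: List[str]) -> List[str]:
    """Human-readable reasons to distrust the message (empty list means nothing was found)."""
    reasons: List[str] = []
    verdicts = auth_results(msg)
    if verdicts.get("spf") in ("fail", "softfail"):
        reasons.append(f"SPF {verdicts['spf']} for the envelope sender")
    if verdicts.get("dmarc") == "fail":
        reasons.append("DMARC fail for the From: domain")
    domains = sender_domains(msg)
    if domains["return_path"] and domains["return_path"] != domains["from"]:
        reasons.append(f"Return-Path domain {domains['return_path']} differs from From: domain {domains['from']}")
    origin = originating_ip(msg)
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    if origin and not any(ipaddress.ip_address(origin) in net for net in trusted):
        reasons.append(f"first hop {origin} is outside the sender's known ranges")
    return reasons


if __name__ == "__main__":
    message = parse_message(RAW_MESSAGE)
    print("hops:", received_hops(message))
    for reason in suspicious_reasons(message, ["192.0.2.0/24"]):
        print("-", reason)
```

The "known ranges" list is whatever you have learned from previous genuine mail from that sender (or from their published SPF record); an origin outside it is the programmatic version of the "your friend across town is suddenly emailing from Russia" check.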
When your alarm goes off in the morning, what’s the first thing you check?
Most people will tap on one of two apps: their email app or their go-to social media account. You probably can’t even remember what your morning routine looked like before this. I know I can’t.
For most of us (myself included), email is our digital home. That’s where we keep our contacts for the people we love and for the people we work with. It’s where we hoard newsletters subscriptions and wishlists, pictures and documents, love and hate digital letters and SO much more.
So no matter what click-bait titles tell you, email is not dead. Not at all!
In fact, people all over the world rely on email for a big chunk of their communication. In 2015, 205 billion emails travelled from outbox to inbox every single day
An email address used to register accounts for important online assets, such as an Amazon seller shop or your web domains, should not double as your everyday work email.
Keeping the account-registration email separate from the work email minimizes the chance of cybercriminals locking you out of those assets if the work email is compromised.
Cybercriminals will often try to prey on your inattention and carelessness. One of the simpler methods they use is to give an executable a name that looks like a different kind of file.
For instance, they might name it something like VID004.mpeg.exe or Job Position.docx.exe. Windows Explorer hides known file extensions by default, so those names are displayed as VID004.mpeg and Job Position.docx, with only the icon giving the game away.
If you are in a rush and just glance at the first part of the name before double-clicking, you will execute the malware and infect your computer. (Turning off "Hide extensions for known file types" in Explorer's folder options makes the real extension visible.)
Dangerous File Extensions
The easiest way to identify whether a file is dangerous is by its file extension, which tells you the type of file it is; the extension that counts is the last one, after the final dot. For example, a file with the .exe extension is a Windows program and should not be opened unless you asked for it. Many email services block such attachments outright.
However, .exe isn't the only dangerous file extension. Other potentially dangerous extensions that can run code include .msi, .bat, .com, .cmd, .hta, .scr, .pif, .reg, .js, .jse, .vbs, .vbe, .wsf, .cpl, .jar, .ps1, .lnk and more. This is not an exhaustive list: there are many file extensions in Windows that will run code on your computer when opened.
Office files with macros are also potentially dangerous. If an Office document's extension ends with an m, it can, and probably does, contain macros. For example, .docx, .xlsx, and .pptx should be safe, while .docm, .xlsm, and .pptm can contain macros and can be harmful. Of course, some businesses use macro-enabled documents legitimately, so you'll have to exercise your own judgment.
In general, you should only open attachments that you know are safe. For example, .jpg and .png are image files and should be safe. .pdf, .docx, .xlsx, and .pptx are document files and should also be safe, although it's important to have the latest security patches, because malicious files of these types can still infect you through security holes in Adobe Reader or Microsoft Office, and a document can still try to talk you into "enabling content" or following a link.
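The following is an added example, not from the original article, of how an attachment filter would apply the rules above. It keys on the last extension, flags double extensions such as .docx.exe, treats macro-enabled Office formats as needing review, and also catches two tricks the article does not mention: trailing dots or spaces that Windows strips from a name, and the Unicode right-to-left override character (U+202E) that makes a name such as "Invoice" + U+202E + "fdp.exe" display as Invoiceexe.pdf. The extension sets are mine and deliberately incomplete.

```python
from typing import List, Tuple

# Extension sets for the example; deliberately incomplete, extend them for your environment.
EXECUTABLE = {"exe", "msi", "bat", "com", "cmd", "hta", "scr", "pif", "reg", "js", "jse",
              "vbs", "vbe", "wsf", "wsh", "cpl", "jar", "ps1", "lnk"}
MACRO_ENABLED = {"docm", "xlsm", "pptm", "dotm", "xltm", "potm"}
USUALLY_SAFE = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "docx", "xlsx", "pptx", "mpeg", "mp4"}
# Unicode directional overrides: "Invoice\u202efdp.exe" is drawn on screen as "Invoiceexe.pdf".
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}


def effective_extensions(filename: str) -> List[str]:
    """Extensions as Windows sees them: path stripped, trailing dots/spaces dropped, split on '.'."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].rstrip(" .")
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str) -> Tuple[str, List[str]]:
    """Return ('block' | 'review' | 'allow' | 'unknown', reasons) for one attachment name."""
    reasons: List[str] = []
    if any(ch in BIDI_OVERRIDES for ch in filename):
        reasons.append("name contains a Unicode direction override that changes how it is displayed")
    exts = effective_extensions(filename)
    if not exts:
        return "unknown", reasons + ["no file extension"]
    real = exts[-1]                      # only the last extension decides how Windows opens it
    if len(exts) > 1 and exts[-2] in USUALLY_SAFE and real not in USUALLY_SAFE:
        reasons.append(f"double extension: looks like .{exts[-2]} but is really .{real}")
    if real in EXECUTABLE:
        return "block", reasons + [f".{real} runs code when opened"]
    if real in MACRO_ENABLED:
        return "review", reasons + [f".{real} is a macro-enabled Office format"]
    if real in USUALLY_SAFE:
        return ("review" if reasons else "allow"), reasons
    return "review", reasons + [f"unrecognised extension .{real}"]


if __name__ == "__main__":
    for name in ["VID004.mpeg.exe", "Job Position.docx.exe", "report.docm", "photo.jpg",
                 "archive.exe.", "Invoice\u202efdp.exe", "README"]:
        verdict, why = classify_attachment(name)
        print(f"{name!r:32} -> {verdict:8} {'; '.join(why)}")
```

Note that "allow" here only means the name carries no warning sign; as the article says, a .pdf or .docx can still carry an exploit for an unpatched reader, so the name check is a first filter, not a substitute for patching and scanning.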