<div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://nakedsecurity.sophos.com/2017/03/15/latest-phishing-tactics-infected-pdfs-bogus-friend-requests-fake-hr-emails/">https://nakedsecurity.sophos.com/2017/03/15/latest-phishing-tactics-infected-pdfs-bogus-friend-requests-fake-hr-emails/</a><br><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:18px;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59);background-color:rgb(252,252,252)">There’s good and bad news on <a href="https://blogs.sophos.com/2014/03/31/what-is-phishing-anatomy-of-a-phishing-attack-plus-five-security-tips-video/" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,126,195);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">the phishing front</a>.</p><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:18px;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59);background-color:rgb(252,252,252)">The good news: attackers don’t seem to be coming up with many new tactics to target their victims. The bad news: they don’t have to. 
They’re doing just fine hooking their prey with the same old tricks.</p><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:18px;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59);background-color:rgb(252,252,252)">A recent Naked Security article outlined the bad guys’ efforts to infect their prey using <a href="https://nakedsecurity.sophos.com/2017/02/21/watch-out-for-phishing-scams-when-preparing-your-tax-return/" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,126,195);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">scams centered around tax season</a>, with the Internal Revenue Service (IRS) warning of fresh email schemes targeting tax professionals, payroll staff, human resources personnel, schools and average taxpayers. 
In another scam, <a href="https://nakedsecurity.sophos.com/2017/01/11/beware-phishing-scams-in-amazon-listings/" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,126,195);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">attackers polluted Amazon listings</a> with links that redirected victims to a very convincing Amazon-looking payment site.</p><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:18px;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59);background-color:rgb(252,252,252)">Now come fresh reports that attackers are using malicious PDF attachments and messages that look like they’re from their company HR departments, as well as bogus Facebook friend requests.</p><h2 style="box-sizing:inherit;margin:1em 0px;padding:0px;border:0px;font-variant-numeric:inherit;font-weight:300;font-stretch:inherit;font-size:1.77689em;line-height:1em;font-family:klinic_slablight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;clear:both;color:rgb(21,46,59);background-color:rgb(252,252,252)">Bad PDFs and friend requests</h2><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-variant-numeric:inherit;font-stretch:inherit;font-size:18px;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59);background-color:rgb(252,252,252)">Microsoft Malware Protection Center team member Alden Pornasdoro <a href="https://blogs.technet.microsoft.com/mmpc/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/" rel="nofollow" 
style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,126,195);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">warned of the malicious PDF files</a> in a blog post. He wrote:</p><blockquote style="box-sizing:inherit;margin:2rem auto;padding:1.5rem;border-width:1px 0px;border-style:none;border-color:initial;font-style:italic;font-variant-numeric:inherit;font-stretch:inherit;font-size:18px;line-height:1.77689em;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;quotes:none;color:rgb(102,102,102);width:620.562px;background-color:rgb(252,252,252)"><p style="box-sizing:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where you are then asked to divulge sensitive information. One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity. When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel.” But it’s actually a link to a (malicious) website.</p><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-stretch:inherit;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59)">In the other case, reported by ZDNet, security company MWR Infosecurity reviewed 100 simulated attack campaigns for 48 of its clients and discovered that <a href="http://www.zdnet.com/article/phishing-would-you-fall-for-one-of-these-scam-emails/" rel="nofollow" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,126,195);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">sending a bogus friend request</a> was the best way to get someone to click on a link – even when the email was being sent to a work email address. From the ZDNet report:</p><blockquote style="box-sizing:inherit;margin:2rem auto;padding:1.5rem;border-width:1px 0px;border-style:none;border-color:initial;font-variant-numeric:inherit;font-stretch:inherit;line-height:1.77689em;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;quotes:none;width:620.562px"><p style="box-sizing:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Almost a quarter of users clicked the link to be taken through to a fake login screen, with more than half going on to provide a username and password, and four out of five then going on to download a file. 
A spoof email claiming to be from the HR department referring to the appraisal system was also very effective: nearly one in five clicked the link, and three-quarters provided more credentials, with a similar percentage going on to download a file.</p></blockquote><h2 style="box-sizing:inherit;margin:1em 0px;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-weight:300;font-stretch:inherit;font-size:1.77689em;line-height:1em;font-family:klinic_slablight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;clear:both;color:rgb(21,46,59)">Social engineering is alive and well</h2><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-stretch:inherit;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59)">Recent developments show that the ancient technique of <a href="https://blogs.sophos.com/what-is/social-engineering/" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,126,195);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">social engineering</a> is alive and well. Understanding it is the first step in mounting a better defense. 
Sophos described it this way in the corporate blog a few months ago:</p><blockquote style="box-sizing:inherit;margin:2rem auto;padding:1.5rem;border-width:1px 0px;border-style:none;border-color:initial;font-variant-numeric:inherit;font-stretch:inherit;line-height:1.77689em;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;quotes:none;width:620.562px"><p style="box-sizing:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Social engineering is the act of manipulating people into taking a specific action for an attacker’s benefit. You might think it sounds like the work of a con artist – and you’d be right. Since social engineering preys on the weaknesses inherent in all of us, it can be quite effective. And without proper training it’s tricky to prevent. If you’ve ever received a phishy email, you’ve seen social engineering at work. 
The social engineering aspect of a phishing attack is the crucial first step – getting the victim to open a dodgy attachment or visit a malicious website.</p><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-stretch:inherit;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59)">As the Sophos Blog post noted, phishing can’t work unless the first step – the social engineering – convinces you to take an action.</p><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-stretch:inherit;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59)">To help raise awareness, security vendors have offered a number of products and services companies can use to launch simulations – essentially phishing fire drills – which can show employees up close how easy it is to be duped by social engineering. 
Sophos offers a simulator called <a href="https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/Sophos-Phish-Threat-Datasheet.pdf?la=en" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,126,195);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Phish Threat</a> for that purpose.</p><h2 style="box-sizing:inherit;margin:1em 0px;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-weight:300;font-stretch:inherit;font-size:1.77689em;line-height:1em;font-family:klinic_slablight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;clear:both;color:rgb(21,46,59)">Other defensive tips</h2><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-stretch:inherit;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59)">Though such simulations are an effective way to raise awareness, companies need to follow that up with concrete instructions to help employees stay above the fray. 
Here are a few helpful tips:</p><ul style="box-sizing:inherit;margin:0px 0px 1em 1.333em;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-stretch:inherit;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;list-style-position:initial;color:rgb(21,46,59)"><li style="box-sizing:inherit;margin:0px 0px 0.5625rem;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline"><span style="box-sizing:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:flamamedium,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline">Be careful what you click. </span>This one is painfully obvious, but users need a constant reminder.</li><li style="box-sizing:inherit;margin:0px 0px 0.5625rem;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline"><span style="box-sizing:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:flamamedium,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline">Check the address bar for the correct URL. </span>The address bar in your web browser uses a URL to find the website you are looking for. The web address usually starts with either HTTP or HTTPS, followed by the domain name. The real websites of banks and many others use a secure connection that encrypts web traffic, called SSL or HTTPS. 
If you are expecting a secure HTTPS website for your bank, for example, make sure you see a URL beginning with <tt style="box-sizing:inherit;margin:0.1875rem;padding:0.1875rem;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:0.75rem;line-height:1.77689em;font-family:monaco,consolas,"lucida console",monospace;vertical-align:baseline;display:inline;color:rgb(238,98,72);border-radius:4px;background:rgb(243,243,244)">https://</tt> before entering your private information.</li><li style="box-sizing:inherit;margin:0px 0px 0.5625rem;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline"><span style="box-sizing:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:flamamedium,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline">Look for the padlock for secure HTTPS websites. </span>A secure HTTPS website has a padlock icon to the left of the web address. The padlock only confirms that the connection is encrypted, not who is on the other end, so check the domain name in the address bar as well.</li><li style="box-sizing:inherit;margin:0px 0px 0.5625rem;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline"><span style="box-sizing:inherit;margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:flamamedium,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline">Consider using two-factor authentication for more security. </span>When you try to log into a website with <a title="Security essentials: What is two-factor authentication?" 
href="https://nakedsecurity.sophos.com/2013/10/10/security-essentials-what-is-two-factor-authentication/" target="_blank" style="box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,126,195);margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">two-factor authentication</a> (2FA), there’s an extra layer of security to make sure it’s you signing into your account.</li></ul><p style="box-sizing:inherit;margin:0px 0px 1em;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-stretch:inherit;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;color:rgb(21,46,59)">To defend against the poisoned Amazon listings described above:</p><ul style="box-sizing:inherit;margin:0px 0px 1em 1.333em;padding:0px;border:0px;font-style:normal;font-variant-numeric:inherit;font-stretch:inherit;line-height:inherit;font-family:flamalight,"helvetica neue",helvetica,arial,sans-serif;vertical-align:baseline;list-style-position:initial;color:rgb(21,46,59)"><li style="box-sizing:inherit;margin:0px 0px 0.5625rem;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Trust your gut and be on guard: If that deal is too good to be true, it likely is</li><li style="box-sizing:inherit;margin:0px 0px 0.5625rem;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">Don’t pay for anything on Amazon outside of Amazon.com or the official Amazon app</li><li style="box-sizing:inherit;margin:0px 0px 
0.5625rem;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;font-stretch:inherit;font-size:inherit;line-height:inherit;font-family:inherit;vertical-align:baseline">If you’re in doubt about a deal by an “affiliated retailer”, ask Amazon’s official customer service</li></ul></blockquote></blockquote></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
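<p>The Microsoft post quoted above describes PDF attachments that carry no malware or exploit code at all, only a link dressed up as an error message, and the tips list tells users to check the scheme and the domain in the address bar. The Python below is an added example, not code from the Naked Security article, Microsoft's post or Sophos: it surfaces the link targets inside a PDF attachment on the mail gateway or in an analyst's toolkit, then applies the same two address-bar checks to each one and flags the lookalike case where a trusted domain is buried inside a longer hostname. The PDF bytes, the hostnames (bank.example, attacker.invalid, both reserved names) and the allowlist are all constructed for the example.</p>

```python
# Added example (not from the Naked Security article, Microsoft's post or Sophos):
# pull /URI link targets out of a PDF attachment and check each one the way the
# address-bar tips tell a user to: correct scheme, correct domain.
import re
from urllib.parse import urlsplit

# Constructed minimal PDF: one page with two link annotations whose actions are
# /URI targets. Real phishing PDFs of the kind Microsoft describes render as an
# "error message" carrying such a link; this is a hand-built stand-in, not a sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 400 650]
   /A << /S /URI /URI (http://login.bank.example.attacker.invalid/open-with-excel) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 500 400 550]
   /A << /S /URI /URI (https://www.bank.example/help) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Domains the recipient would legitimately expect this document to link to
# (constructed allowlist; bank.example is an RFC 2606 reserved name).
EXPECTED_DOMAINS = {"bank.example"}

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uris(pdf_bytes: bytes) -> list:
    """Return the /URI action targets visible in the raw PDF syntax.

    Caveat: link annotations stored inside compressed object streams (/ObjStm)
    or Flate-encoded streams are invisible to this regex; use a real PDF parser
    for those. It is sufficient for the flat file in this example.
    """
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def registered_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'www.bank.example' -> 'bank.example'.

    Simplification: production code should consult the Public Suffix List so
    that names such as 'bank.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str, expected_domains=EXPECTED_DOMAINS) -> dict:
    """Apply the two address-bar checks from the tips (https scheme, host under
    an expected domain) and flag the lookalike where the expected domain is
    embedded in an unrelated, longer hostname."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registered_domain(host)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("scheme is %r, not https" % parts.scheme)
    if reg not in expected_domains:
        findings.append("host %r is under %r, not an expected domain" % (host, reg))
        for d in expected_domains:
            if d in host:
                findings.append("expected domain %r embedded in unrelated host %r" % (d, host))
    return {"url": url, "host": host, "registered_domain": reg,
            "findings": findings, "ok": not findings}


def scan_pdf(pdf_bytes: bytes, expected_domains=EXPECTED_DOMAINS) -> list:
    """Extract every link target in the PDF and return one check result per link."""
    return [check_url(u, expected_domains) for u in extract_uris(pdf_bytes)]


if __name__ == "__main__":
    for result in scan_pdf(SAMPLE_PDF):
        print("OK " if result["ok"] else "BAD", result["url"])
        for finding in result["findings"]:
            print("     -", finding)
```

<p>Run stand-alone, the script reports the first link as bad on three counts (plain http, a host under attacker.invalid, and the trusted name bank.example buried inside that host) and the second link as clean. The regex approach is deliberately simple: it shows what there is to look at in a "harmless" PDF, but a gateway rule should sit on top of a proper PDF parser so that links hidden in compressed object streams are not missed.</p>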
</div>