What is ‘Information Security’?
Information technology is very tightly related to computing – it’s about the usage and processing of information. Information security is about securing and protecting that information.
In this article, we’re going to discuss both antiquated and emerging information security attacks so that you can stay secure and informed.
1. Password Reset Phishing Scam
Very Quickly: What is Phishing?
We’ll go more in-depth about what phishing is later in the article, but in general, a phishing message is a type of message that lures a person to give away personal information of some kind (account details, bank accounts, etc).
Now, back to the reset scam…
This method of phishing is quite simple to pull off and we’ve recently seen more and more businesses fall victim to it. This is why we’ve decided to give this attack its own section at #1.
This method of phishing is so disruptive because it can be made to look like it’s coming from a trusted source – even a friend or family member.
What is the Password Reset Scam?
When you forget your password on a website or app, you’ll naturally find yourself clicking or tapping on that “Reset Password” link on the login page. Generally, you’ll receive a code, a one-time password, or a link to follow.
The password reset scam involves having the victim send the scammer this one-time password so that they can then reset the password and take control of the account.
How Does It Work?
This scam could be sent your way via social media, email, or even in person from an acquaintance. This is why it can be so devastating – because it’s late at night and you’re ready to go to bed, you might not give a second thought to helping out your aunt get back into her Instagram or Facebook account.
The most common way this scam is perpetrated is through social media. It’s not likely to be a clearly fake account with no user profile, either. Chances are, it’ll be the account of someone you know – someone who’s already fell victim to this scam – someone whose account is probably up for auction by the time you get the message.
The fact that you’re being messaged from an account that you know they own is what sells the scam – it’s not “User12389” messaging you, after all. If it’s late at night or you’re otherwise preoccupied, it’s not difficult to fall victim to this scam.
Did you know: A typical Instagram account with 10,000 followers is worth between £100-£500?
Your “friend” will privately message you telling you that they’ve lost access to one of their other accounts. You’re their only hope! Since you’re such a good friend or you’re a smart, technically minded person, they’ve set you as a ‘Trusted Friend’.
A ‘trusted friend’ is something that has actually existed on some social media platforms – you could pick a friend (or friends) who would help you log back into your account if you were ever locked out.
They’ll tell you that as a trusted friend of theirs, you’ll receive a code that will help them log back into their account.
I suppose you can already see where this is going?
That’s right, as soon as you give them that code – it’s over. Before you know it, they have access to your account and you’ve been signed out. Permanently. As soon as your account’s password and email have been changed it’s almost impossible to recover. Your efforts from this point on would be best spent re-creating the account and re-growing your audience.
You can take a quick look at how susceptible your accounts are with a Start Digital Health Check. Sign up for a free mini Health Check.
2. Locker Room Reset
Coined the ‘Locker room Reset’ because it gained notoriety earlier in 2022 in gym locker rooms where there were reports of an unidentified person or people sneaking into locker rooms and resetting people’s payment gateway passwords (Apple Pay, Google Pay, Paypal) with their phones, without needing to unlock them. There have even been reports of online bank account passwords being reset.
How Does It Work?
This kind of attack is down to how anyone can read the notifications on most phones’ lock screens by default. In a lot of cases, it also requires the victim to hand over their email address to the attacker, but this is not necessary for the attack to work.
If you’ve ever had to reset a password or have had a code sent to your phone, you’ve likely read it from your lock screen and typed it in on your computer – this is exactly how the attack works.
If the first part of your email address is somewhat short (about 10 characters or less) then depending on what kind of phone you have, any email notifications you get will show your email address – this is enough information to reset your passwords and gain access to your accounts.
Even if the hacker only sees “Johndoe@” in your email notification, all the hacker needs to do is go to Paypal, Apply Pay, Google Pay, or any other transaction processor and brute force enough email providers that start with “Johndoe@” EG: johndoe@gmail.com, johndoe@yahoo.com, etc.
Once a correct account has been found, the hacker will follow the “forgot password/reset password” option and simply enter the code sent to your phone which is clearly visible from the lock screen.
How to Hide Notifications on Your Lock Screen
Android
- Go to your settings.
- Tap “Notifications”.
- Tap “Notifications on lock screen”.
From here, you can choose how your notifications are displayed.
iPhone
- Go to your settings.
- Tap “Notifications”
- Select an app (in this case emails, or messages).
- Tap “Show Previews”.
From here, you can choose how your notifications are displayed.
3. A Man in the Middle Attack
This kind of attack is one of the more romanticised and well-known kinds of attacks. It’s generally one of the things most people will think of when we hear about cyber security.
A man-in-the-middle attack is an attack that looks for vulnerabilities in connections (generally between a computer and a server of some sort). The ‘man’ will then sit in the middle of these connections and can spy on everything going between them – more advanced hackers might be able to change the data being sent.
The ‘Server’ isn’t always a server, either. It could be a router, a CCTV system, or even a printer connected to a network. So a ‘man in the middle’ could look at the data being sent to and from a CCTV system, and even change what the CCTV camera is showing to a monitor.
Ways of Protecting Yourself Against a Man in the Middle Attack.
VPNs
You may have heard VPN companies talking about how their VPN will protect you from vulnerable public access wifi spots, and it’s true. VPNs work by encrypting data sent from your computer. A hacker that sits on a poorly secured wifi router and monitors what everyone is doing won’t be able to do too much everyone’s data is encrypted with VPNs.
Verifying Website Security Information
Another common way for a man-in-the-middle attack to take place is on insecure website websites. Websites without an SSL, or the lock icon next to the website’s address are considered insecure.
It’s generally advised you stay away from websites like this, but unless you’re entering personal details (EG Credit card information, email addresses, usernames) it’s very unlikely to hurt you in any way. If you’re ever asked to enter personal information on an insecure website – don’t! If a website is insecure, there’s every chance that a hacker is taking advantage of this and is watching you fill out all of your information.
You can double-check and find more security information by clicking on the lock icon.
Up to Date Firewalls & Anti-Virus
Keeping your firewalls, like Windows Defender, and antivirus up to date will help your computer automatically detect if the information you’re being sent from trusted third parties is actually being spoofed or altered in some manner by a malicious party.
Multi-Factor Authentication
If a hacker is dedicated enough, or they’ve found an easy vulnerability in your systems that you never thought about, you can always fall back on multi-factor authentication. After all, redundancy breeds security.
If, for example, passwords become compromised, your multi-factor authentication creates a second hurdle for would-be cyber thieves. A much larger hurdle that they’d need to jump through. Most cybercriminals will give up when prompted to enter a code from a secure authenticator, even if they successfully steal your login details.
Start Digital’s Health Checks & Tool Kits
New technology and new methods of attack are always being discovered and created. Having fully fleshed out cyber-security policies and procedures are vital to preventing and recovering from attacks.
Our Health Checks & Tool Kits help you ensure that your business’s security is looked after for as little as £50 per month. Find out more here.
4. Password Attacks & Breaches.
When you think of a password attack, your first thought might be a sophisticated and powerful computer randomly guessing thousands of different character combinations per second in order to crack an account’s password. This is called ‘Brute Forcing’, and is the most common form of password attack along with phishing.
How Does a Brute Force Work?
The most common way of brute forcing is simply purchasing a list of commonly used passwords, finding a list for free online, or using some research to figure out what kinds of passwords a lot of people are using and then using automation software to try different combinations on different accounts.
The Hollywood version of a brute force would have a hacker sat at a computer running a script that would try every letter combination imaginable to hack into an account, starting with AAAA, then AAAB, AAAC, etc etc until the correct password is guessed – this just isn’t the case for any sophisticated hack. This is why it’s so important to make sure your password is not just long, but unique.
What is Phishing?
Phishing might be the next thing you think of when you imagine a password attack. Phishing is generally a random message that tries to somehow get you to reveal personal information.
For example, one common form of phishing is in the form of an email. An email is sent out to a large number of people, perhaps claiming to be from a certain website or bank. This email’s core message might be something scary and poorly written – “Your account is under threat!” or maybe “You need to reset your password!”. Whatever the email’s message is, it will contain a link to a fake website that looks exactly like the real one. On the fake website you’ll be prompted to “log in” to what you think is a legitimate account. When you enter your username and password, this information is then sent to the hackers.
This is why it’s important to enter website addresses manually in the address bar instead of clicking on email links. Even emails that look genuine can be spoofed.
What is spoofing?
Spoofing in cyber security is a way of disguising an email address, link, or otherwise to look like something else. There are systems that can be used to send emails so that they look like legitimate sources, for example, this software would let you send emails as “John@google.com” or PaulLynam@halifax.co.uk.
Best Practices for Password Policy
To stop yourself from getting brute forced, your passwords should be long, unique, and memorable.
It’s largely believed that a strong password has a mix of upper and lower case letters, symbols, and numbers. While this is true, the most important factor is length. The reason for this is twofold: short passwords are easier for the random brute forcing we discussed earlier – a 4 character password can take seconds to brute force. At 8 characters, it might take hours. 16 characters would take years.
Longer passwords also force creativity, so if you’re setting a password policy for your business, consider setting a recommended minimum of 9-10 characters, over the standard 8 to force people to use different and hopefully more unique passwords.
You can get a more exhaustive list of best practices for passwords and password policy in our Health Checks & Tool Kits – learn more.
Techniques for Choosing a Good Password
Using a password manager like Dashlane or LastPass to both securely store and create strong passwords is a strong idea for password security.
Don’t search online for strong passwords to use. If they’re already online, it’s probable that they’re already in a password list somewhere.
Don’t use your location, date of birth, favourite sports team, or a name as the password. These are common in passwords and will almost certainly all be in lists.
A Good method for choosing a memorable password is to look at your closest co-worker, and choose a password that relates to them or an item they possess – a ‘phone’, for example. Then think of a word to describe the phone – Let’s say ‘grey’. Do this again for another co-worker or item and you’ll end up with something like ‘GreyPhoneSquareBag’. According to security.org, this password would take 6 trillion years to brute force, and is almost certainly not in any common password lists. You can, of course, add some numbers and symbols in there for good measure.
This kind of password is easier to remember too, as you’ll always have the visual triggers if you do remember it.
Social Engineering
Social engineering is, essentially, deceiving someone into handing over certain information or resources.
It’s called social engineering because there’s always a level of relationship and communication involved – phishing is a form of social engineering as it requires and email or a message to be sent out. A Brute force attack is not social engineering because there’s no communication involved.
Avoiding Social Engineering Scams
It can be tricky at times to identify a smart, well executed, and well thought out scam. The best way to avoid them is to be aware of them. We’ll be posting and updating a full article of different scams soon so that you’ll always be aware of any current and new scams.
The Story of J&R Inc. and How Scammers Stole over £10,000 unnoticed.
Here’s one story that we have been made aware of on the topic of social engineering scams. All names and domains have been changed for privacy reasons.
James was the owner and founder of a company “J&R Inc.” and had a CFO called Rodger.
James was a regular poster on LinkedIn and had been talking about how he needed and was looking forward to taking a break with the family.
Not long after posting about his break, Rodger received a short email from james@JRinc.com – “Hi Rodger, can you send £2,000 to The following account? I almost forgot to pay them” followed with a payment account.
Not wanting to disturb James’ well needed break with a follow up, Rodger did just that and sent £2,000 to the account. It was a small amount to the business, so Rodger forgot about it and never brought it up with James.
Rodger received quite a few emails over the coming years from James asking for him to pay various amounts, all around £2,000. It wasn’t until James sent an email to Rodger as they were in a meeting did Rodger actually discuss this with James in person. James had never sent those emails.
The emails in Rodger’s account were either spoofed emails or emails with a very similar domain name, possibly using foreign letters in place of standard English ones to fool the human eye.
It turns out that the scammers had stolen over £10,000 over a two year period and there was absolutely no legal recourse or insurance reimbursement as the money had left the company accounts with the proper authorisation and the accounts were not linked to an identity.
How Did They Get Away With it for so Long?
The scammers had been tracking James on his LinkedIn and would ask Rodger for money at times they knew James wouldn’t be in the office. Rodger had become accustomed to recieving emails from James asking him to send money, so he never thought to question it, and it was such a small amount to them that it wasn’t concerning.
They were caught out as James had cancelled plans and returned to the office.
How Could This Have Been Prevented?
By simply calling James, Rodger would figured out the original email was fraudulent. A policy in place whereby disussions of money took place face-to-face, or at the very least over the phone would have prevented this.
Keep Your Business Secure
Start Digital offer dozens of Health Checks and Tool Kits to help you ensure your business is running safely and and is able to scale securely. You can download a free mini Health Check by signing up for a free account.
Contact us today for more information on how we can help your business.
