Thursday, May 4, 2017

Massive phishing attack targets Millions of Gmail Users

View the original article from the BBC. Image courtesy of Getty Images.

Google says it has stopped a phishing email that reached about a million of its users.

The scam claimed to come from Google Docs - a service that allows people to share and edit documents online.

Users who clicked a link and followed instructions, risked giving the hackers access to their email accounts.

Google said it had stopped the attack "within approximately one hour", including through "removing fake pages and applications".

"While contact information was accessed and used by the campaign, our investigations show that no other data was exposed," Google said in an updated statement.

"There's no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup."

During the attack, users were sent a deceptive invitation to edit a Google Doc, with a subject line stating a contact "has shared a document on Google Docs with you".

The email address hhhhhhhhhhhhhhhh@mailinator[.]com was also copied in to the message; Mailinator, a free email service provider has denied any involvement.

If users clicked on the "Open in Docs" button in the email, they were then taken to a real Google-hosted page and asked to allow a seemingly real service, called "Google Docs", to access their email account data.

Victims of the scam were asked to let a seemingly real service called "Google Docs" access their account data. Image copyright Talos Intelligence

By granting permission, users unwittingly allowed hackers to potentially access their email account, contacts and online documents.

The malware then e-mailed everyone in the victim's contacts list in order to spread itself.

"This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party," Justin Cappos, a cyber security professor at NYU, told Reuters.

'Too widespread'

According to PC World magazine, the scam was more sophisticated than typical phishing attacks, whereby attackers trick people into handing over their personal information by posing as a reputable company.

This is because the hackers bypassed the need to steal people's login credentials and instead built a third-party app that leveraged Google processes to gain account access.

The Russian hacking group Fancy Bear has been accused of using similar attack methods, but one security expert doubted their involvement.

"I don't believe they are behind this... because this is way too widespread," Jaime Blasco, chief scientist at security provider AlienVault, told PC World.

Google said the spam campaign affected "fewer than 0.1%" of Gmail users. That works out to about one million people affected.

Last year, an American man pleaded guilty to stealing celebrities' nude pictures by using a phishing scam to hack their iCloud and Gmail accounts.

And in 2013, Google said it had detected thousands of phishing attacks targeting email accounts of Iranian users ahead of the country's presidential election.

Friday, February 10, 2017

Get Ready for Hospital Ransomware Attacks 2.0

Hollywood Presbyterian Medical Center
View the original article by Jack Danahy here at Becker's Hospital Review. Image courtesy of the LA Times

On February 5, 2016, staff members at Hollywood Presbyterian Medical Center began having difficulty accessing the hospital's computer network. The IT department was called in to investigate, and quickly, their worst fears were confirmed — the hospital's network had been infected with ransomware.

Shortly afterwards, hospital staff declared an internal state of emergency, and IT systems were forced offline, knocking out access to electronic health records. This decision triggered a chain reaction of service delays and outages that spread throughout the organization with serious effects: Staff reverted to communicating via fax machines. Paperwork was completed by hand. Lab work and test results were inaccessible. CT scanning and the radiation oncology department were temporarily shut down. Some emergency patients had to be diverted to other hospitals for care.

What had started out as files getting encrypted had quickly snowballed into hospital-wide operations grinding to a halt.

The disruption lasted for 10 days. In the end, the hospital determined that paying a ransom of $17,000 was "the quickest and most efficient way" to get things back up and running. Yes, they were paying to restore the encrypted data, but more importantly, they were paying to be back in business.

Still think the primary threat of ransomware is data loss?

Make no mistake — the ultimate objective of hackers targeting institutions like hospitals isn't to encrypt their files. The true goal is to frighten the victim into paying by creating widespread disruption. File encryption has simply been a common means to that end. As the attack becomes more debilitating to the victim's operations, it grows more and more likely that the attacker will be able to demand, and receive, a bigger ransom payment.

Hollywood Presbyterian wasn't the only healthcare provider to suffer through ransomware attacks and pay ransoms in 2016. Marin Medical Practices and Kansas Heart Hospital were two other prominent cases. Educated by these successes, criminals are now tailoring their attacks to make them even more effective. Here are three tactics we've seen in the wild that are likely to become more widespread in 2017.

Beyond encryption: 3 ways criminals are making their attacks more disruptive

1) Developing ransomware strains that spread like a virus

Imagine a ransomware attack that not only encrypts files but also turns them into ticking time bombs, designed to spread their infection to more machines and users as soon as it executes. That's the direction new variants like Virlock are taking to expand the scope of their disruption. By adopting traditional parasitic virus techniques, it does more than simply encrypt victim files, it also injects them with malicious code that kicks off new attacks to replicate itself from one machine to another.

The latest version of Virlock can even spread through cloud storage and collaboration applications, making it possible for one infected user to spread it across an entire enterprise network.

2) Creating new versions of ransomware that disable the victim systems

The popularity of file encryption as the primary threat in ransomware began, at least in part, because that type of transformation is straightforward, leaving the system capable of connecting to the network for payment and decryption, and showing the victim the comforting, if frustrating, local presence of their valued files. As the frequency and public reporting of ransomware has increased, organizations have moved to improve their recovery strategies, particularly in the form of more comprehensive and tightly managed backups. In the presence of these backups (a common best practice in any case), paying the ransom is much less likely, since restoration of data is a sure thing without paying criminals.

Seeing this, some attackers have changed their tactic to disabling the system entirely. Ransomware variants such as Petya attack systems at the boot-level, preventing rebooting to any but the Petya screen, and encrypting the tables which describe the locations of all of the data on the disk. An attack like Petya, combined with parasitic expansion capabilities like Virlock, would create campaigns that could routinely cause the kind of debilitating breach that would take days or weeks to resolve.

3) Turning ransomware attacks into data breach events

Threatening to permanently destroy encrypted files is a common ransomware tactic. Many variants even incorporate a countdown element, adding a sense of urgency to the victim's decision to pay.

New strains are taking things a step further. Instead of threatening to destroy encrypted information, they're threatening to release it publicly — a tactic known as doxxing. An example is Jigsaw, which not only encrypts a victim's data, but threatens to send copies of those stolen files to all of the victim's contacts. This shift in tactics is especially relevant for hospitals and other healthcare service providers who are required to report exposures of private patient medical records, and who can be fined extensively for violations.

This changes the ransom equation completely, since the very best backup will not be able to put the private data genie back into the secure storage bottle. Criminals are raising their demands accordingly. On January 11, an Indiana-based cancer services agency received a demand for $43,000 in exchange for the hackers not releasing the data of thousands of cancer patients. This was done interactively, by a human, but with tools like Jigsaw available, the automation and anonymization of this tactic is not far off.

Prescription: A tight focus on prevention

The best way for healthcare organizations to avoid extensive damage from the next evolution of ransomware attacks will be to avoid them in the first place.

While attack tactics and technology change constantly, one relative constant has been the entry point that criminals target most often — users and their endpoints. By committing to improving user training and establishing better endpoint security that protects users even if they do make a mistake, hospitals can reduce their risk considerably and block attacks before they spiral out of control.

Tuesday, January 17, 2017

Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited

Image Source: Shutterstock

There is a highly effective phishing technique stealing login credentials that is having a wide impact, even on experienced technical users.

The Phishing Attack: What you need to know

A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.

This attack is currently being used to target Gmail customers and is also targeting other services.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.

You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see in there. It looks like this….

You go ahead and sign in on a fully functional sign-in page that looks like this:

GMail data URI phishing sign-in page

Once you complete sign-in, your account has been compromised. A commenter on Hacker News describes in clear terms what they experienced over the holiday break once they signed in to the fake page:

“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list.

For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”

The attackers signing into your account happens very quickly. It may be automated or they may have a team standing by to process accounts as they are compromised.

Once they have access to your account, the attacker also has full access to all your emails including sent and received at this point and may download the whole lot.

Now that they control your email address, they could also compromise a wide variety of other services that you use by using the password reset mechanism including other email accounts, any SaaS services you use and much more.

What I have described above is a phishing attack that is used to steal usernames and passwords on Gmail. It is being used right now with a high success rate. However, this technique can be used to steal credentials from many other platforms with many variations in the basic technique.

How to protect yourself against this phishing attack

You have always been told: “Check the location bar in your browser to make sure you are on the correct website before signing in. That will avoid phishing attacks that steal your username and password.”

In the attack above, you did exactly that and saw ‘‘ in the location bar, so you went ahead and signed in.

To protect yourself against this you need to change what you are checking in the location bar.

This phishing technique uses something called a ‘data URI’ to include a complete file in the browser location bar. When you glance up at the browser location bar and see ‘data:text/html…..’ that is actually a very long string of text. If you widen out the location bar it looks like this:

GMail phishing data uri showing script

There is a lot of whitespace which I have removed. But on the far right you can see the beginning of what is a very large chunk of text. This is actually a file that opens in a new tab and creates a completely functional fake Gmail login page which sends your credentials to the attacker.

As you can see on the far left of the browser location bar, instead of ‘https’ you have ‘data:text/html,’ followed by the usual ‘….’. If you aren’t paying close attention you will ignore the ‘data:text/html’ preamble and assume the URL is safe.

You are probably thinking you’re too smart to fall for this. It turns out that this attack has caught, or almost caught, several technical users who have either tweeted, blogged or commented about it. There is a specific reason why this is so effective that has to do with human perception. I describe that in the next section.

How to protect yourself

When you sign in to any service, check the browser location bar and verify the protocol, then verify the hostname. It should look like this in Chrome when signing into Gmail or Google:

Gmail phishing secure URI example

Make sure there is nothing before the hostname ‘’ other than ‘https://’ and the lock symbol. You should also take special note of the green color and lock symbol that appears on the left. If you can’t verify the protocol and verify the hostname, stop and consider what you just clicked on to get to that sign-in page.
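To make the two-step check above concrete (verify the protocol, then verify the hostname), here is an added example that is not part of the original post. It is a small Node.js function, using the standard WHATWG URL parser, that applies those rules to whatever string is in the location bar and reports why a string fails. The trusted-host list and the sample inputs are constructed for illustration; the data URI sample is a harmless placeholder, not the page used in the attack. The check also goes slightly beyond the post by rejecting two related lookalikes, a trusted name used as a subdomain of another domain and a trusted name placed before an "@" sign, which is treated as userinfo rather than the hostname.

```javascript
// Added example, not code from the original post. Assumes Node.js (the URL
// global is available). GENUINE_SIGNIN_HOSTS is an assumed list for this demo.
const GENUINE_SIGNIN_HOSTS = new Set(["accounts.google.com"]);

// Returns { ok, reason } for a location-bar string.
function checkSignInUrl(rawUrl, trustedHosts = GENUINE_SIGNIN_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: "not a parseable URL" };
  }

  // Step 1: protocol. A real sign-in page is https. The 'data:text/html,'
  // preamble described in the post fails here, as does plain http.
  if (url.protocol !== "https:") {
    return { ok: false, reason: `protocol is '${url.protocol}', not 'https:'` };
  }

  // Step 2: hostname. It must match a trusted host exactly; merely containing
  // the trusted name (e.g. accounts.google.com.evil.example) is not enough.
  const host = url.hostname.toLowerCase();
  if (!trustedHosts.has(host)) {
    return { ok: false, reason: `hostname '${host || "(none)"}' is not trusted` };
  }

  // Caveat: 'https://accounts.google.com@other.example/' parses the trusted
  // name as userinfo. Step 2 already catches that case because the real
  // hostname differs, but any userinfo on a sign-in URL is suspect on its own.
  if (url.username || url.password) {
    return { ok: false, reason: "URL carries credentials before the hostname" };
  }

  return { ok: true, reason: "https and an exactly matching trusted hostname" };
}

// Constructed sample inputs: one genuine-looking URL and several that fail.
const SAMPLE_LOCATION_BAR_STRINGS = [
  "https://accounts.google.com/signin/v2/identifier",
  "data:text/html,%3Chtml%3Econstructed%20placeholder%3C/html%3E",
  "http://accounts.google.com/",
  "https://accounts.google.com.evil.example/",
  "https://accounts.google.com@evil.example/",
  "https://user@accounts.google.com/",
  "not a url at all",
];

// Runs the check over the samples and returns the verdicts in order.
function auditSamples(samples = SAMPLE_LOCATION_BAR_STRINGS) {
  return samples.map((s) => ({ input: s, ...checkSignInUrl(s) }));
}

for (const v of auditSamples()) {
  console.log(`${v.ok ? "OK  " : "STOP"} ${v.input}  (${v.reason})`);
}
```

The point of the exact-match rule is the one the post makes about perception: a trusted name appearing somewhere in the bar is not evidence of anything, only the protocol followed immediately by the whole trusted hostname is.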

Enable two factor authentication if it is available on every service that you use. GMail calls this “2-step verification” and you can find out how to enable it on this page.

Enabling two factor authentication makes it much more difficult for an attacker to sign into a service that you use, even if they manage to steal your password using this technique. I would like to note that there is some discussion that indicates even two factor authentication may not protect against this attack. However I have not seen a proof of concept, so I can not confirm this.

Why Google won’t fix this and what they should do

Google’s response to a customer asking about this was as follows:

“The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are – obviously – trivial. Unfortunately that’s how the web works, and any fix that would to try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing on any http[s] page just as well.”

This is likely a junior person within the organization based on the grammatical errors. I disagree with this response for a few reasons:

Google have modified the behavior of the address bar in the past to show a green protocol color when a page is using HTTPS and a lock icon to indicate it is secure.

Gmail phishing secure URI example

They also use a different way of displaying the protocol when a page is insecure, marking it red with a line through it:

During this attack, a user sees neither green nor red. They see ordinary black text:

That is why this attack is so effective. In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected. [Read more: Gestalt principles of human perception and ‘uniform connectedness’ and Content Blindspots]

In this case the ‘data:text/html’ and the trusted hostname are the same color. That suggests to our perception that they’re related and the ‘data:text/html’ part either doesn’t matter or can be trusted.

What Google needs to do in this case is change the way ‘data:text/html’ is displayed in the browser. There may be scenarios where this is safe, so they could use an amber color with a unique icon. That would alert our perception to a difference and we would examine it more closely.

Update: How to check if your account is already compromised

There is no sure way to check if your account has been compromised. If in doubt, change your password immediately. Changing your password every few months is good practice in general.

If you use GMail, you can check your login activity to find out if someone else is signing into your account. Visit for info. To use this feature, scroll to the bottom of your inbox and click “Details” (very small in the far lower right hand corner of the screen). This will show you all currently active sessions as well as your recent login history. If you see active logins from unknown sources, you can force close them. If you see any logins in your history from places you don’t know, you may have been hacked. [Thanks Ken, I pasted your comment in here almost verbatim. Very helpful.]

There is a trustworthy site run by Troy Hunt who is a well known security researcher where you can check if any of your email accounts have been part of a data leak. Troy’s site is and it is well known in security circles. Simply enter your email address and hit the button.

Troy aggregates data leaks into a database and gives you a way to look up your own email in that database to see if you have been part of a data breach. He also does a good job of actually verifying the data breaches he is sent.

Spread the word.

Friday, December 16, 2016

Yahoo Says 1 Billion User Accounts Were Hacked

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password.

View the original article from The New York Times here.

SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that a different attack in 2013 compromised more than 1 billion accounts.

The two attacks are the largest known security breaches of one company’s computer network.

The newly disclosed 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.

It is unclear how many Yahoo users were affected by both attacks. The internet company has more than 1 billion active users, but it is not clear how many inactive accounts were hacked.

Yahoo said it discovered the larger hacking after analyzing data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information.

Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.

And critics say the company was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012 and a series of spam attacks — a mass mailing of unwanted messages — the following year.

“What’s most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law enforcement came forward,” said Jay Kaplan, the chief executive of Synack, a security company. “Yahoo has a long way to go to catch up to these threats.”

Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log into some users’ accounts without a password.

Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code. Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims. The company has not disclosed who it believes was behind the attack.

In July, Yahoo agreed to sell its core businesses to Verizon Communications for $4.8 billion. Verizon said in October that it might seek to renegotiate the terms of the transaction because of the hacking, which had not been disclosed to Verizon during the original deal talks.

After the latest disclosure Wednesday, a Verizon spokesman, Bob Varettoni, essentially repeated that position.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” he said. “We will review the impact of this new development before reaching any final conclusions.”

Mr. Lord said Yahoo had taken steps to strengthen Yahoo’s systems after the attacks. The company encouraged its users to change passwords associated with their Yahoo account and any other digital accounts tied to their Yahoo email and account.

In the hacking disclosed Wednesday, Mr. Lord said Yahoo believed an “unauthorized third party” managed to steal data from one billion Yahoo user accounts. Mr. Lord said that Yahoo had not been able to identify how the hackers breached Yahoo’s systems, but that the company believed the attack occurred in August 2013.

Changing Yahoo passwords will be just the start for many users. They will also have to comb through other services to make sure passwords used on those sites are not too similar to what they were using on Yahoo. And if they were not doing so already, they will have to treat everything they receive online, such as email, with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

Yahoo recommended that its customers use Yahoo Account Key, an authentication tool that verifies a user’s identity using a mobile phone and eliminates the need to use a password on Yahoo altogether.

Security experts say the latest discovery of a breach that happened so long ago is another black mark for the company. “It’s not just one sophisticated adversary that gets in,” said Ben Johnson, co-founder and chief security strategist at Carbon Black, a security company. “Typically companies get compromised multiple times due to the same vulnerability or employee culture.”

Mr. Johnson added that the scale of the breaches is only increasing as companies store more and more troves of information in similar databases. “When you have these huge databases of information, it’s millions — and now billions — of accounts lost,” he said.

Correction: December 14, 2016
An earlier version of this article misstated the day Yahoo announced 1 billion user accounts had been compromised. It was Wednesday, not Thursday.

Monday, November 28, 2016

Passengers Ride Free on San Francisco Subway after Ransomware Attack

Hard-drive-scrambling ransomware menaced more than 2,000 systems at San Francisco's public transit agency on Friday and demanded 100 bitcoins to unlock data.

San Francisco Subway Car in Station

View the original article from The Register here.

Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving shopping day for the city – while IT workers scrambled to clean up the mess.

A variant of the HDDCryptor malware infected 2,112 computers within the San Francisco Municipal Transportation Agency, the ransomware's masters claimed in email correspondence seen by El Reg.

These systems appear to include office admin desktops, CAD workstations, email and print servers, employee laptops, payroll systems, SQL databases, lost and found property terminals, and station kiosk PCs. We're told that the worm-like malware automatically attacked the agency's network, and was able to reach the organization's domain controller and compromise network-attached Windows systems. There are roughly 8,500 PCs, Macs and other boxes on the agency's network.

After the vulnerable computers were infected and their storage scrambled, they were rebooted by the malware and, rather than start their operating system, they instead displayed the message: "You Hacked, ALL Data Encrypted, Contact For Key ( ID:601."

HDDCryptor and its cousins encrypt local hard drives and network-shared files using randomly generated keys and then overwrite the hard disks' MBRs, where possible, to prevent systems from booting up properly. A machine is typically infected by an employee accidentally opening a booby-trapped executable in an email or download, and then the infection spreads out across the network.

When the 100-bitcoin ransom – right now about $73k – is paid, the crooks supposedly hand over a master decryption key to restore the ciphered drives and files. A bitcoin wallet into which the transit agency is expected to pay remains empty.

The extortionists behind the malware have complained that no one at the agency has so far spoken to them let alone offered to pay. The crooks said they will give Muni officials another day or so to get in touch before walking away. They also offered to decrypt one machine for one bitcoin to prove restoration is possible.

"Our software [is] working completely automatically and we don't [launch] targeted attacks ... SFMTA's network was very open and 2,000 server/PCs [were] infected by software," the ransomware's masterminds claimed in a statement in broken English on Sunday via email. "So we are waiting for contact [from] any responsible person in SFMTA but I think they don't want a deal. So we close this email [account] tomorrow."

You've been hacked ... Message left on a PC screen at a San Francisco Muni kiosk on Saturday (Photo by Colin Heilbut)

Buses and the underground-overground Muni rail system continue to run. The Muni's turnstiles were left open from Friday night, though, allowing people to travel for free. Ticketing systems were halted with "out of service" messages in the wake of the infection.

"There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact," the transit agency's spokesman Paul Rose said on Saturday. "Because this is an ongoing investigation it would not be appropriate to provide additional details at this point."

San Francisco's public transit system joins the ranks of hospitals, businesses, police stations and other organizations hit by ransomware. Some cough up cash to the extortionists who spread the file-encrypting software nasties, some don't. Meanwhile, Cisco-owned Talos has an open-source tool for protecting MBRs from ransomware and other malware. ®

Friday, November 4, 2016

Computer Virus Forces Hospitals to Cancel Operations

A computer virus has forced three hospitals offline and caused the cancellation of all routine operations and outpatient appointments.

The hospital says the "major incident" means patients should avoid visiting if possible.

Image: ZDNet

View the original article from ZDNet here.

The Northern Lincolnshire and Goole NHS Foundation Trust says a "major incident" has been caused by a "computer virus" which infected its electronic systems on Sunday. As a result of the attack, the hospital has taken the decision to shut down the majority of its computer networks in order to combat the virus.

"A virus infected our electronic systems [on Sunday] and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," said Dr Karen Dunderdale, the trust's deputy chief executive, according to the BBC.

The use of a shared IT system also means the United Lincolnshire Hospitals Trust has been taken offline as staff attempt to combat the attack.

As a result of the attack, all outpatient appointments and diagnostic procedures that were set to take place at the infected hospitals on Monday and Tuesday have been cancelled, while medical emergencies involving major trauma and women in high-risk labor are being diverted to neighboring hospitals.

The NHS Trust hasn't provided specific information about the sort of virus or malware which has infected its systems -- or how it managed to breach any defenses.

The hospital says that from Wednesday appointments in some areas -- audiology physiological measurement, antenatal, community and therapy, chemotherapy, pediatrics, and gynecology -- will be going ahead and it will be contacting patients who are able to be seen.

Northern Lincolnshire and Goole NHS Foundation Trust says it is reviewing the situation on an hourly basis and offers its apologies to patients who are being affected.

Monday, October 3, 2016

October 2016 Security Awareness

Throughout October, Technology Services will offer interactive educational activities to help you achieve those goals—for each activity you complete, you will be entered into a drawing at the end of the month for an Apple TV. As well, participation in each week’s activity will gain you access to the weekly drawing for a $25 Amazon gift card!

Watch CougarTrack for the weekly activity announcement!