​This week, a guest article from MalwareBytes on avoiding phishing attacks.
Posted: June 26, 2017 by Wendy Zamora 
So how can we learn from these lessons? Let’s start by identifying the different types of phishing in use today.
Types of Phishing
The most basic and commonly seen type of attack, of course, is the phishing email. Phishing emails are sent to a group of users who are unique enough to be used as bait but broad enough to ensnare a large number of people. The point is to cast as large a net as possible. In contrast, other forms of attack are much more targeted.
Spear phishing, as might be gathered from its title, usually targets a specific person or organization. Since these types of attacks are so pointed, phishers scour the Internet for available information about their target in order to craft a believable email to extort information (if not money) from victims.
Whaling is a form of spear phishing directed at executives or other high-profile targets within a business, government, or other organization, such as a CEO, senator, or someone who has access to financial assets. CFO fraud is an example of whaling.
Smishing, short for SMS phishing, is carried out via SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.
Pharming, also known as DNS-based phishing, is a type of phishing that involves the modification or tampering of a system’s host files or domain name system to redirect requests for URLs to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.
Content-injection phishing is when phishers insert malicious code or misleading content into legitimate websites that instructs users to enter their credentials or personal information. This type of phishing is a form of content spoofing.
Man-in-the-middle phishing happens when phishers position themselves between people and the websites they use, such as a social networking sites or online banks, to extract information as it’s being entered. This type of phishing is more difficult to detect because attackers continue to pass on users’ information (after collecting it) so as not to disrupt any transactions.
And finally, search engine phishing starts off when phishers create malicious websites with attractive offers, and search engines index them. People then stumble upon such sites doing their own online searches and, thinking the sites are legit, unknowingly give up their personal information.
There truly are a lot of phish in the sea.
So, if your head isn’t completely swimming in fish puns, it’s time to talk about how to train your eye and your gut to sniff out the various forms of phishing attacks. I asked Labs researchers to tell me their top indications that an email, text, or other form of communication is a phish and compiled a list of their, and my, recommendations.
Something’s Phishy If:

• The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
• The URL shown on the email and the URL that displays when you hover over the link are different from one another.
• The “From” address is an imitation of a legitimate address, especially from a business.
• The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
• The content is badly written. Sure, there are plenty of wannabe writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English? Take a closer look.
• Speaking of content, a phishing email almost always sounds desperate. “Whether they’re claiming that your account with be closed, an urgent request is needed, or your account has been compromised, think twice before double-clicking that link or downloading that attachment,” says Umawing.
• The email contains attachments from unknown sources that you were not expecting. Don’t open them, plain and simple. They might contain malware that could infect your system.
• The website is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)

If you suspect or can verify that you’ve been phished, it’s best to report the attempt directly to the person or organization being spoofed. You can also contact the Federal Trade Commission (FTC) to lodge a complaint. Once completed, delete the email, then empty your trash. (Same goes for texts.)
Now the next time someone attempts to scam you with fraudulent emails, you won’t have to wonder if the message is for real. You’ll scope out a phish hook, line, and sinker.

This week, a guest article from MalwareBytes on avoiding phishing attacks.
Posted: June 26, 2017 by Wendy Zamora 

“Dear you,
 It appears you need to update your information. Click here to tell us all your secrets.
 No really, it’s totally safe. We’re not going to steal your identity, we swear.”

If only phishing attempts were that obvious. Instead, these days it’s hard to tell a phish apart from a foul, if you catch my drift. Modern-day phishing campaigns use stealthy techniques to target folks online and trick them into believing their messages are legit. Yet for all its sophistication, phishing relies on one of the basest of human foibles: trust. Detecting a phish, in its various forms, then requires you to hone a healthy level of skepticism when receiving any kind of digital communication, be it email, text, or even social media message. In order to understand how we got here, let’s go back to the first instance of phishing.

The Nigerian Prince and Early Phishing
Back in the early days of the Internet, you could marvel at your “You’ve Got Mail” message and freely open any email that came your way. You’d get one email a day, tops, from your new best friend you met in the “grunge 4EVA” chat room. There was no such thing as junk email. The only promotions you received were CD copies of AOL in the snail mail. It didn’t cross your mind that going online could bring about danger. Then came the Nigerian prince. Unfortunately, where innovation and progress lead, corruption and crime will inevitably follow. One of the nation’s longest-running scams, the Nigerian prince phish came from a person claiming to be a government official or member of a royal family who needed help transferring millions of dollars out of Nigeria. The email was marked as “urgent” or “private,” and its sender asked the recipient to provide a bank account number for safekeeping the funds. Gone were the innocent days of trusting your inbox.

Over the years, the Nigerian prince scam has fooled millions, raking in hundreds of billions of dollars. Why has this scam been so successful? Simple. It uses a time-honored criminal technique—the ole bait and switch—to fool folks into believing that they are being contacted by a legitimate organization with a legitimate concern. Threat actors use this social engineering method to trick unwilling participants into clicking on malicious links and handing over personal information. The end goal, as with most cybercrime, is financial gain.

Phishing attacks aim to collect personal data—including login credentials, credit card numbers, social security numbers, and bank account numbers—for fraudulent purposes. The attack is most commonly delivered as an email communication that spoofs a known enterprise, such as a bank or online shopping site, but it can also appear to come from an individual of authority or of personal acquaintance. These emails always contain a link that sends users to a decent facsimile of a valid website where credentials will be collected and sent to the attacker, instead of the supposedly trusted source. From there, the attacker can exploit credentials to commit crimes such as identity theft, draining bank accounts, or selling personal information on the black market.

“Truth be told, phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective,” says Adam Kujawa, Director of Malware Intelligence. “That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”

The Evolution of Phishing
While the Nigerian prince attack vector remains in use today, most savvy Internet users can now spot this scam a mile away (hence the multitude of memes that have popped up over the years). The campaign has lost its edge and fooled way fewer users. Plus, email technology has progressed so that spam filters readily pick up on this phish and block it. And this is why cybercriminals have had to advance their tactics.
“Phishers had no other choice but to evolve and improve on where they fell short,” says Jovi Umawing, Malware Intelligence Analyst at Malwarebytes. “Nowadays, most sophisticated modern-day phishing emails are so polished and well-designed that one cannot easily differentiate them from legitimate ones.”
Case in point: Recent phishing campaigns have had great success impersonating big-name companies and fooling big-name recipients. In May 2017, a phishing email targeted one million Gmail users by purporting to be from a contact sharing Google Docs. In Minnesota alone, state employees were scammed out of $90,000 due to the Google Docs fiasco. Hillary Clinton’s campaign manager for the 2016 presidential election, John Podesta, famously had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).

Next week, Part 2 will cover the different types of phishing and some best practices for avoiding them. 

Finding the balance between Facebook privacy and Facebook fun can be challenging. It’s a double-edged sword that allows us to connect with friends no matter where they live, but it also publicly shares information that just a few years ago, we’d never dream of putting online. You can search for people based on where they went to school, town they live in, clubs they belong to, who they’re related to…but when is it too much?
Your birthday is the first piece of info collected when you sign up, and it’s great getting birthday wishes from friends and family when it appears in their newsfeed. But while Facebook is sending you balloons and funny memes, your birthday is now public knowledge. It seems harmless, but when you call your bank or other institution, what’s the first question they ask to verify your identity? Your birthday! Some password recovery systems even ask questions like ‘which high school did you go to?’ assuming this is knowledge that only you would know. Except…you’ve just publicly shared it on Facebook. Whoops!

We’ve all heard stories of people who’ve lost their jobs after less-than-wholesome pictures or statements have gone public. If you have a reputation to keep, you definitely don’t want pictures from last weekend’s private party showing up, especially if you really let your hair down. While you can’t control what others do with photos they take of you, you can control whether or not you’re tagged in them.
​
Fortunately, there are settings in Facebook that allow you to control who sees what information and what happens when you’re tagged. Despite what you may have heard or seen floating around in a Facebook share hoax, you do have complete control over your Facebook privacy, and it’s easy to adjust.
 
How to Check and Adjust Your Facebook Privacy Settings1. See what your account looks like to an outsider
From your Facebook homepage, click your name on the blue bar at the top of the page. Click the three dots next to ‘View Activity Log’ and then select ‘View as…’

2. Run a quick privacy checkup
Click the question mark in the top right corner and choose ‘privacy checkup’.
Think about what you really need to share – do people need to know the YEAR of your birth or just your birthday? Your friends will still get the notification, and you’ll still get the balloons.

3. Edit advanced privacy
While the checkup covers the most obvious info, you can go much deeper. Click the V-shaped dropdown to the right of the question mark. Go to settings and choose privacy.

4. Adjust timeline and tagging
In the privacy settings, you can explicitly control who can tag you, who can see or share the tagged content, and what shows up on your newsfeed.

Tightening your Facebook privacy only takes a few minutes, but it can save you a whole lot of trouble in the future. If you need help with this, just give us a call at 715-255-0325.

This week, we are featuring a guest article about Virtual Private Networks (VPNs) by Emsisoft. In this second part, we look at how a VPN works and some guidelines on choosing a VPN provider. As always, if you have any questions, give us a call at 715-255-0325!

In Security Knowledge by Haylee on June 15, 2017 http://blog.emsisoft.com/2017/06/15/vpn-privacy/

How Does a VPN Work? 
A VPN or Virtual Private Network is two or more computers connected via an encrypted connection across the internet. This is a simplified depiction of how a VPN works:




​

When a user connects to a VPN, a “tunnel” is created. This tunnel acts as a secure line of communication. The information passed through it can’t be read if intercepted because it has been encrypted. The VPN client on your computer and the VPN Server know the key to the encryption so data is only encrypted in transit, but instantly decipherable at the source and destination.
 
Though it all sounds very complicated, as far as the user is concerned, this process is a simple as logging in. The rest is taken care of for you by the chosen VPN provider.

Choosing Your VPN Provider
We’ve explained how a man-in-the-middle attack can occur on an unencrypted network and how a VPN service prevents this from happening. What you may have worked out by now is that the use of a VPN simply allows you to elect a trusted man-in-the-middle to look after your data. Your VPN provider encrypts your traffic for you, meaning they have access to the original traffic, where it came from and all that it contains. For this reason, choosing a VPN provider is a matter of trust. While trust isn’t easily built, below we have selected a few key criteria to help with your selection.

Paid vs Free VPNs
Please don’t use a free VPN service. Really. If your VPN service is not making money from your subscription fees then it is making it elsewhere, like selling your personal information to a third-party who can spam you senseless. For VPN companies to maintain their servers is very expensive and the old adage holds true: if you’re not paying for it, you’re the product. We mean it. Don’t use a free VPN service.

True Anonymity Is a Myth
It is growing more and more difficult to be 100% anonymous online. So when you sign up for your VPN, you want to be giving as few identifiable details as possible. If you can’t pay in Bitcoin or with gift cards, you are not signing up for an anonymous service. Emsisoft Tip: If your chosen VPN provider asks you for more than an email address on sign-up, you are not anonymous. It is not common to seek perfect anonymity when purchasing a service but it is available with the right VPN provider if you are looking for it.

Not All Encryption Is Created Equal
Understand which encryption protocols your provider offers. Open VPN is highly configurable and regarded as the most secure VPN protocol. Ideally, your VPN of choice will utilize this encryption method. IKEv2 is also very good but try to avoid using the PPTP protocol, which has known security risks.

VPN Logging Leaves Traces
It is important for you to understand what logs your VPN provider will be keeping. Ideally, your VPN provider will not keep any logs of any kind and be transparent about what data they keep. Additionally, look for a service with a multi-chain hop. If your traffic is being monitored externally, the hops help to further anonymize your traffic. Each hop represents a different VPN server, usually in a different jurisdiction, so your location and IP are changed multiple times before reaching its final destination. Make sure your provider’s no-log policy includes not tracking of IP addresses and timestamps.
 
US Services Aren’t Really Private
Because of the surveillance laws in the United States, it is best to use VPN services that are based outside of the US and the other 14 eyes countries who monitor each other’s citizens.
 
​Third Parties Lead to Spam
Ensure your VPN has clear policies and easy opt-out options for affiliates. The last thing you want is to set up your VPN service to find it bundled with spam pop-ups or hidden third party access to your data. If your provider has no affiliates, all the better for you. As we mentioned earlier, the benefits of using a paid service far outweigh those of a free service. You can’t always be sure that a service will keep your data secure, but if your provider is receiving money for their service they are less likely to be selling your email address or other personal information to third parties. Additionally, paid providers typically have faster connections.

Anonymized Support
It wouldn’t make much sense to have worked so hard to keep yourself anonymous only to give yourself away when you approach your VPN provider for customer support. Make sure you are able to communicate via an anonymous chat service or encrypt your email communications.

VPN Across Devices
VPN protection is not just for your computer. Set it up on your mobile phone, tablet or on your home router to automatically protect all devices connected to your network. Make sure to choose a provider that allows enough simultaneous connections to cover your needs.

Downsides to VPN
As with any technology, there will be a small learning curve to get your head around the more technical aspects. Additionally, as your traffic is being encrypted as it passes through the tunnel, your download speeds can suffer slightly. Complete anonymity is virtually impossible but a VPN gives you extra protection necessary for basic privacy. Finally, some websites may refuse to work if they detect a VPN. Netflix has clamped down on site visitors masking their geolocations to stream US Netflix outside of the States.

​Summary
There are many considerations when we think about our online privacy. Firstly, be actively aware of your country’s surveillance laws, and the privacy policies of your Internet Service Provider. Read the fine print of any VPN service you use and continue to think before you click.