A recent spate of phishing attacks has seen criminals stealing passwords for business Office 365 accounts. The criminals are then using compromised email accounts to target the victim’s contacts. We have seen an increasing number of SMEs caught out by this over the last two months. Find out how to recognise and respond to these attacks by reading on.
The attacks begin with an email that you receive from a known contact. The email looks like other emails that you may have had from that contact, so it appears legitimate. The email encourages you to click on a link, just like many phishing attacks do. The linked web page asks you to sign in using Office 365. If you sign in, the criminals obtain your password and can log on to your email account. They then continue the attack by emailing your contacts from your email address, potentially damaging your reputation in the process.
The following screenshot is one example of these phishing emails that we have seen:
The victim is encouraged to click on a link to view a document that could not be attached to the email. If the victim clicked on the link, they were taken to a Microsoft sign-in form like that shown below:
Strange links are a big giveaway for phishing attacks; however, in this case the URL didn’t seem so strange: https://1drv.ms/. That domain is Microsoft’s own OneDrive short-link service, which is exactly why it raises no suspicion.
The screenshot below shows another example of these phishing emails:
In this case the email mimics Adobe Document Cloud. Clicking the link took the victim to an Adobe Document Cloud sign-in form like that shown below:
Notice that the sign-in button says “Sign in with Office 365”.
These attacks are similar to many phishing attacks. The key factor to the success of these recent attacks is that they come from a known contact, rather than from a strange email address. The following list details some common factors to watch out for:
Firstly, if you receive one of these emails, or a similar email that seems strange, don’t click the link and definitely don’t sign in! We recommend you verify that the email is legitimate, ideally by contacting the sender on a known phone number. Remember that if criminals were able to send a strange email from the sender’s account, they could also have altered the phone number shown in the sender’s email signature.
If you clicked one of these links and typed your password, or if a contact reported that they received a strange email from you, then you need to investigate and take steps to protect your business.
Firstly, you should change your password to stop the criminals accessing your account. You should also change your password anywhere else where you use the same password. We recommend using a password manager to help avoid password reuse.
Next, you need to investigate the extent of the breach and ensure the impact is remediated. For example, in many cases the criminals have attempted to maintain access to their victim’s email by configuring auto-forwarding rules, which may allow them to continue receiving your emails and sending emails from your email account even after you change your password.
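As an added example that is not part of the original post, the following Exchange Online PowerShell reviews every mailbox in the tenant for the forwarding persistence described above and lists the commands to undo it. It assumes the ExchangeOnlineManagement module is installed and you sign in with an Exchange administrator account; victim@example.com and the rule name are placeholders.

```powershell
# Added example (not from the original post): hunt for attacker-created
# forwarding after an Office 365 credential phish.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin role held.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding set on the mailbox object itself. This does not appear in the
#    user's Outlook rule list, so it is easy to miss during clean-up.
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail, or delete it. Criminals often
#    add a delete rule so the victim never sees replies or bounces from the
#    phishing emails sent in their name. Review each hit: some will be legitimate.
$suspiciousRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
            $_.RedirectTo -or $_.DeleteMessage
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
                      RedirectTo, DeleteMessage
}

"Mailbox-level forwarding:"
$mailboxForwarding | Format-Table -AutoSize
"Inbox rules that forward, redirect or delete mail:"
$suspiciousRules | Format-Table -AutoSize

# 3. Clean-up once a rule or forwarder is confirmed malicious
#    (victim@example.com and 'Suspicious rule' are placeholders):
# Remove-InboxRule -Mailbox victim@example.com -Identity 'Suspicious rule' -Confirm:$false
# Set-Mailbox -Identity victim@example.com -ForwardingSmtpAddress $null -ForwardingAddress $null

# 4. Prevent automatic forwarding to external domains tenant-wide, so a future
#    compromised account cannot quietly leak mail this way.
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run the review before and after the password change, and keep the output as evidence for the breach investigation.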
We recommend reviewing and tightening the security of your Office 365 configuration to significantly reduce the chance of a compromise. The following are some ways you can improve your Office 365 security:
If in doubt, contact us. We can help you to secure your Office 365 environment or, in the unfortunate event of a data breach, we can help you to investigate the full impact of that breach and protect your business going forwards.
“I am well aware prague one of your pass word” the email might begin, causing an instant sensation of fear. You may not use it now, but you once did use prague as your password. How do they know your password? What else do they know, and what do they have access to? Scam artists rely on provoking emotions such as fear to cause their victims to take action. A criminal knowing your password is almost certain to evoke that fear.
Stolen data sometimes finds its way on to the Internet following a data breach. The data often includes email addresses and passwords stolen anywhere from small gaming websites to companies as big as LinkedIn. It’s this data that the scammers are using to find and scare their victims.
The good news is that the scammers probably didn’t hack your computer and can’t do what they’re threatening to. The bad news is that the scammers may actually know one of your passwords.
If you receive an extortion or blackmail email that states a password you do (or did) use, don’t panic! Do not make a payment or try to contact the scammers. You should change the password if you still use it, and change it everywhere you use it. We recommend using a password manager to generate complex and unique passwords for every account you have. Where possible we also recommend using two-factor authentication (2FA) to make it harder for criminals to compromise your accounts.
Consider reporting the incident to Action Fraud, unless you made a payment, in which case you should report the incident to the police.
You can find data breaches where your email address and password may have been stolen using the website “Have I Been Pwned”. Be sure to change your password on any sites your data was stolen from if you haven’t changed it since the date of the breach.
Update: WordPress have now released an updated version (version 4.9.7). Install the update to ensure your websites are protected.
A newly reported security vulnerability affects all current versions of the WordPress content management system (CMS). An attacker needs an account with the author or editor role to exploit the vulnerability and gain complete control of your website.
An attacker can exploit this vulnerability to delete files from your server. By deleting the CMS configuration file (wp-config.php), they can re-run the WordPress installation process and become the website administrator. From there they can potentially modify theme or plugin code to take over the underlying server.
An official fix for the vulnerability does not currently exist (update: version 4.9.7 has since been released and fixes this vulnerability).
Several unofficial solutions are available. Cognitous recommend tightening the file system permissions on your web server. Remove write permission to the WordPress files from the web server user in order to prevent unauthorised alterations. For example, under a typical Apache installation, the www-data user should not have write permission to files under /var/www/html. Unfortunately, this will prevent the built-in auto-update feature from working.
An alternative solution involves adding code to the functions.php file of your active theme.
Wordfence includes a fix; however, free users won’t receive it until the end of July.
Full technical details can be found via RIPS Technologies, who reported the vulnerability privately in November 2017.
If your organisation has servers running Adobe ColdFusion and they haven’t been updated recently, then now would be a good time to update them. This is particularly important if you’re using a feature called “Flex Integration”.
Adobe’s latest ColdFusion security update fixes a critical vulnerability identified by Cognitous director Nicky Bloor. The vulnerability could enable an attacker to take complete control of affected servers. A second critical vulnerability was fixed in this security update that could enable an attacker to steal files from affected servers (reported by Matthias Kaiser of Code White GmbH).
In addition to applying the latest security update, users should update Java on the affected servers. Be sure to also review Adobe’s lock down guides for guidance on further security improvements.
Technical details of the critical vulnerability discovered by Nicky Bloor can be found on his blog: Another ColdFusion RCE – CVE-2018-4939.
Cognitous can help with all aspects of securing your IT systems. Get in touch to see how we can help you.