010 001 2960 [email protected]

What is Phishing?

Phishing is an attempt to obtain sensitive information such as usernames, passwords, credit card details, etc. by impersonating a trusted entity using mass emails that attempt to bypass spam filters. Emails impersonating popular social websites, banks, auction sites, or IT administrators are often used to lure the unsuspecting public. This is a form of criminally fraudulent social engineering.

Top Phishing Techniques

There are many different techniques used to obtain personal information from users. As technology advances, so do cybercriminals.

To prevent Internet phishing, users must know how cybercriminals do it.

To prevent Internet phishing, users should have knowledge of how cybercriminals do this and they should also be aware of anti-phishing techniques to protect themselves from becoming victims.

Spear Phishing

Think of spear phishing as professional phishing. While traditional phishing campaigns send mass emails to as many people as possible, spear phishing is more targeted. Hackers have specific individuals or organizations they want to compromise and want more valuable information than credit card details. They research their targets to make their attacks more personalized and increase their chances of success.

Session Hijacking

In session hijacking, phishers exploit web session control mechanisms to steal information from users. In a simple session hacking technique called session sniffing, a phisher uses a sniffer to intercept relevant information and gain unauthorized access to a web server.

Email/Spam

The most common phishing technique is to send the same email to millions of users requesting personal information. These details are used by phishers for illegal activities. Most messages contain urgent notices asking users to update their account information, change their details, or enter their credentials to verify their account. You may be asked to complete a form to access the new service via a link within the email.

Content Injection

Content injection is a technique in which a phisher modifies part of the content of a page on a trusted website. This is done to trick the user into going to a page other than the legitimate her website and prompting the user to enter personal information.

Web Based Delivery

Web-based delivery is one of the most sophisticated phishing techniques. The hacker, also known as the “man-in-the-middle”, sits between his original website and the phishing scheme. Phisher tracks details during transactions between her legitimate website and users. If you continue to share information, phishers will collect it without your knowledge.

Phishing through Search Engines

Some phishing scams involve search engines redirecting users to product pages that may offer low-priced products and services. When a user tries to purchase a product by entering their credit card details, the phishing site collects them. There are many fake banking websites of his that offer credit cards and loans at low interest rates, but they are actually phishing websites.

Link Manipulation

Link spoofing is a technique by which phishers send links to fake websites. When the user clicks on the fraudulent link, it opens the phisher’s website instead of her website mentioned in the link. Hovering over a link to show the actual address prevents users from falling for linking.

Vishing (Voice Phishing)

In voice phishing, phishers call users and ask them to dial a number. The purpose is to obtain personal bank account information over the phone. Vishing is most often done using fake caller IDs.

Keyloggers

A keylogger refers to malware that is used to identify keyboard input. This information is sent to hackers who crack passwords and other types of information. To prevent keyloggers from accessing your private information, secure websites offer the option to type on a virtual keyboard using mouse clicks.

Smishing (SMS Phishing)

Phishing is carried out using Short Message Service (SMS), a phone-based text message service. For example, smishing text attempts to trick victims into providing personal information via links leading to phishing websites.

Trojan

A Trojan is a type of malware designed to mislead users with seemingly legitimate actions that actually allow unauthorized access to user accounts in order to gather credentials about the local computer. The information obtained is sent to cybercriminals.

Malware

Malware phishing scams require malware to be running on the user’s computer. Malware is usually attached to emails that phishers send to users. Clicking on the link will start the malware. Malware can also be attached to downloadable files.

Malvertising

Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploitation in Adobe PDF and Flash are the most common methods used for malvertising.

Ransomware

Ransomware denies access to your device or files until the ransom is paid. PC ransomware is malware that is installed on users’ workstations using social engineering attacks to trick users into clicking links, opening attachments, or clicking malvertising .

Website Forgery

Fake websites are created by hackers to look exactly like legitimate websites. The purpose of the fake website is to trick users into entering information that can be used for fraud or further attacks on victims.

Evil Twin Wi-Fi

Hackers use devices like pineapples. Pineapple is a tool used by hackers containing two radios to set up their own Wi-Fi network. They use generic names like AT&T Wi-Fi, which are pretty common in many public places. If you do not pay attention to a network controlled by hackers, information you enter during your session can be intercepted, including: B. Bank Details.

Social Engineering

Users can be tricked into clicking on questionable content for various technical and social reasons. For example, a malicious attachment may look like a work invoice at first glance. Hackers rely on victims not to think twice before infecting a network.

Source: What Is Phishing?

Phishing and Malicious Emails

…Are Still the Primary Initial Attack Vector

According to new data from Acronis, as cybercriminals continue to develop their techniques, they continue to rely on phishing as the most successful proven initial attack method.

In security vendor Acronis’ Mid-2022 Cyberthreat Report, they found that phishing continues to dominate as the preferred initial access method for cyberattacks.

According to the report:

• 1% of all emails are malicious in nature
• Q2 increased by 10% compared to Q1 in the number of malicious URLs identified

Among all the malicious emails:

• 58% of them are related to scams
• 28% contains malware
• 81% are part of phishing campaigns
• The average campaign targets 10 organizations

And the goal?
Based on the data, Acronis claims that leaked or stolen credentials are the cause of nearly half of all breaches reported in the first half of 2022, making it clear that cybercriminals understand the price value of a business credential.

This should clearly focus on the organization’s cybersecurity to prevent its users from falling prey to the social engineering tactics used in phishing attacks. Security solutions are part of the answer, but users themselves must be trained through security awareness training to play the part of a vigilant employee who is always on the lookout for email attacks and searches. Find their credentials on the web.

By enabling users to help prevent these attacks, organizations greatly reduce the threat surface and reduce the likelihood of a successful cyberattack of any kind.

Source: Phishing and Malicious Emails Are Still the Primary Initial Attack Vector

Darkverse emerging from Metaverse

ARN just reported. However, security he provider Trend Micro warned in a recent research report that cybercriminals could abuse the technology for their own purposes. Security researchers predict that a kind of darknet structure could emerge, similar to today’s Internet. Cyber ​​gang conspiracies can even take place in protected rooms that can only be accessed via valid authentication tokens from specific physical locations. This prevents law enforcement from accessing the underground market. In fact, it could be years before the police can operate effectively in the Metaverse.

Possible metaverse threat scenarios
Researchers warn that the Darkverse could become a platform for cyber threats such as:

– Attackers are targeting non-fungible tokens (NFTs), which are becoming increasingly popular as a means of defining ownership in the metaverse for phishing, ransomware, fraud, and other attacks.

– Criminals use the Metaverse to launder money in overpriced virtual real estate and NFTs.

– Criminals and state actors create manipulative narratives that influence vulnerable and vulnerable groups. Social engineering, propaganda, and fake news are having a huge impact on the cyber-physical world.

– Data protection is redefined.  Room operators like the Metaverse have unprecedented insight into user behavior. Data protection as we know it no longer exists.

“The Metaverse is a multi-billion dollar high-tech vision that will define the next internet age. We already have to think about how we can build our own to meaningfully protect society,” commented Udo Schneider, IoT Security Evangelist at Trend Micro.

“Given the high costs and legal challenges, law enforcement will typically struggle to monitor the metaverse for the first few years,” Schneider said. He demands: “The IT security industry must step in now.” Otherwise, “a new Wild West will emerge at our digital front door.” .

Source: https://blog.knowbe4.com/researchers-warn-of-darkverse-emerging-from-the-metaverse

2022 Microsoft Vulnerabilities Report

Now in its ninth year, the Microsoft Vulnerabilities Report provides a unique analysis of the vulnerability landscape in the Microsoft ecosystem.  Each year in the past, the report has provided a holistic overview of vulnerabilities across Microsoft’s platforms and products, making an indisputable business case for the importance of removing administrative privileges to mitigate risk.

Click Here to Read Full Report

Regulations, compliance standards, security best practises and, increasingly, cyber insurance providers dictate that we identify and respond appropriately to the latest threats. Analysing the threat landscape annually can also help your organisation address the problem more effectively. However, implementing an efficient process to effectively combat threats and remediate or mitigate vulnerabilities in a timely manner is a different problem altogether.

B

Cyber Security – General Overview

Although cyber attacks are rapidly growing in volume and sophistication, the fact of the matter is that organizations are still struggling to fight back, but you might ask yourself why do i even bother to learn cyber security basics? I’m already protected and nothing can happen to the company I work for. This is a common misconception since cybercriminals find new vulnerabilities each day and no one can say that they are out of danger, so you can help by understanding the basic cyber security dangers and by staying alert. Please watch the video and slides below for a general overview, and if you need any help, please don’t hesitate to give us a call.

 

A Decade of Technology – 2015

Continuing our 10 year anniversary celebrations, this month we take a look at 2015.

It’s been a great year for tech and the gadget obsessed amongst you have been spoiled for choice. Wearables finally became cool, the usual plethora of app releases kept us focused on our smart devices.

Some other noteworthy events, products and services:

  • Ross Ulbricht, the man behind the website Silk Road, was convicted on February 4.
  • Taking to the skies: A drone from Flirtey made a medical delivery on July 17 and became the first government-approved drone delivery.
  • In March, Facebook released React Native, an open-source JavaScript framework for developing mobile apps on Android and iOS/
  • Google split into two companies on August 10. The new company known as Alphabet is now responsible for Google, Nest, Google Capital, Google Fiber, Calico, Google X, Sidewalk Labs, and Google Ventures.
  • Swift was open-sourced to encourage community-driven development of the language itself.
  • Google announced it discontinued Google Code on March 12. Thousands of the Google open-source products were moved to GitHub.
  • Google launched YouTube Gaming.
  • Apple introduced Apple Music, Apple Pencil, and Live Photo
  • Apple officially released the Apple Watch on April 24.
  • YouTube Music was released on November 12.
  • Microsoft released the Surface Pro 4 and the Surface Book on October 26.
  • The Internet browser Brave was released in 2015.
  • On July 18, eBay spun off PayPal as an independent company.
  • In May, Broadcom was purchased by Avago Technologies Ltd. for $37 billion. After the purchase, the company was renamed to Broadcom Limited.
  • Google made TensorFlow open-sourced for public use in November.
  • After seven years of development PHP 7.0.0 was released in December

Follow us next month to see what happened in 2016.

You and the Cybercrimes Act

The Cybercrimes Act

The Cybercrimes Act was signed into law in South Africa on the 26th May 2021 and comes into effect the beginning of July 2021.   Complying to this law applies to both individuals and companies and non-compliance has severe consequences ranging from hefty fines to imprisonment or both!

Although Cybercrime is on the increase and the aim of the Act is to keep people safe from criminal activity, most of the Act has a negative practical impact on all organizations and individuals.

What is the impact on you?

Private Organisations (including Insurance providers, Media Houses and Direct Marketers)

  • If you do not process any data as prescribed by any law, or without the authorization of one that can do it lawfully, you could be fined or face imprisonment for up to 5 years.
  • If you access personal information unlawfully, even if it is contrary to the conditions of the POPI Act, or alternatively possess personal information that someone else acquired unlawfully, you could be fined or imprisoned for 10 years.
  • If law enforcement finds you in possession of data, like personal information, that they think was acquired unlawfully by anyone, and you cannot explain it, you could be fined or imprisoned for 5 years.
  • If you do anything with software or hardware tools that could be used to commit a Cybercrime, you could be fined or imprisoned for 10 years.
  • You must help law enforcement to catch cyber criminals at your own cost or else you could be fined or imprisoned for 2 years.
  • A court can order you to preserve any evidence at your cost.

Financial Institutions (including Banks)

  • As for the Private Organisations as well as,
  • If you become aware that a crime has been committed, you must report the offense to the SAPS and preserve any evidence in the manner prescribed by the Minister of Police at your costs.  If you do not, you could be fined R50 000.

ICT Companies (Service Providers, ISP’s, Network Operators, Vendors)

  • All the above as well as,
  • If you sell a tool that could be used to commit a cybercrime, you are probably going to have to shut down the business, as selling such a tool is a cybercrime.
  • You are going to have to initiate an extensive compliance program to ensure you process data in accordance with the law because your customers are going to look to you if they get into trouble.

Individual users of computers

  • If you send a message, via e-mail, another messenger app or on social media, that is harmful (directly or indirectly) you could be fined or imprisoned for 3 years.
  • If you have a tool ( eg an app on your phone that bypasses WiFi passwords) that could be used to commit a cybercrime, you could be fined or imprisoned for 10 years.
  • If you share your password or access code, you could be fined or imprisoned for 10 years.
  • If law enforcement finds you in possession of a password that they think you are going to use to commit a cybercrime and you cannot explain why you have it, you could be fined or imprisoned for 5 years.
  • If you commit an offence with regards to the computer system of a financial institution or the state, you will be fined more or imprisoned longer.
  • Law enforcement has extensive powers to search, access and seize your data, computer, or phone.

Parents

  • If your child is cyberbullied, you will have a better chance of getting law enforcement to help you to stop the bully.  On the flip side, if your child is accused of cyber-bullying, the consequences could be severe.
  • If someone is distributing nude pictures of your child, you will have a better change of stopping them and could get an interim order preventing anyone else from sharing the pictures online.

 

Reference: The practical impact of the Cybercrimes Act on you – Michalsons

A Decade of Technology – 2014

Continuing our 10 year anniversary celebrations, this month we take a look at 2014.

The biggest story for 2014, was the stepping down of Bill Gates as CEO of Microsoft.  His successor, Sadya Nadella took over on the 4th of February.  On April 25, the Nokia/Microsoft deal was completed, making Nokia now Microsoft Mobile in a deal totalling $7.17 billion.  On September 15, Microsoft announced that it purchased Mojang, the makers of Minecraft, for $2.5 billion.

Some other noteworthy events, products and services:

  • Information on the Shellshock vulnerability was first released to developers in September.
  • The largest bug bounty was awarded, when Unix specialist Stéphane Chazelas discovered the Shell Shock vulnerability in the widely used Bash shell.
  • The FIDO Alliance released their first official specification on December 9.
  • Apple introduced the Swift programming language on June 2.
  • Android TV was released on June 25.
  • Google announced on January 13, that it had reached an agreement to acquire Nest for $3.2 billion in cash. Nest was the manufacturer of the Nest thermostats and smoke alarms.
  • On January 26, Google announced it had agreed to acquire DeepMind Technologies for $650 million.
  • Google announced on June 20, that it would acquire Dropcam, the video home monitoring company for $555 million.
  • On September 30, Google announced it would stop the Orkut social networking site.

Fun Facts:

The ALS Ice Bucket Challenge went viral in July.

On October 1, a Japanese man was sentenced to two years in prison for manufacturing 3D printed guns. He becomes the first person to serve time for a 3D printed gun.

A Decade of Technology – 2013

Continuing our 10 year anniversary celebrations, this month we take a look at 2013.

The year when Hotmail was not so hot anymore.  In February, Microsoft announced that it would be moving away from Hotmail brand and begin moving over 300 million users to the new Outlook.com e-mail service. It was also the year in which Edward Snowden began leaking classified NSA information.

Some other highlights include:

  • Yahoo! announced it would purchase Tumblr for $1.1billion on May 20th.
  • Facebook introduced Graph Search in January as it offered some users early beta access to the service. Graph Search was later released to everyone and allowed people to use natural language in the Facebook search.
  • The popularity of drones grew rapidly.
  • In May, Facebook released the first version of the React JavaScript library and React Native framework, giving developers new options when developing web applications.
  • At 23:30:26 UTC on January 25, the largest known prime number containing 17,425,170 digits was discovered by GIMPS.
  • One of the biggest cyberattacks in Internet history happened on March 29, as a massive DDoS attack targeted The Spamhaus Project.
  • On June 24, Apple announced it had no intentions of continuing to develop Safari for the PC or Microsoft Windows.
  • Google announced it would purchase Waze, a popular mobile social map application for $1.1 billion on June 11.
  • Google introduced the Chromecast on July 24.
  • IDG announced on July 10, that the August edition of PC World magazine would be the last print edition of the magazine.
  • The Furusawa group at the University of Tokyo succeeded in demonstrating complete quantum teleportation of photonic quantum bits on September 11. This achievement helped bring quantum computers even closer to reality.
  • The trojan virus Cryptolocker was discovered in September.
  • Android version 4.4 (KitKat) was released on October 31.
  • The FBI shut down the Silk Road on June 23. The Silk Road 2.0 came online on November 6.
  • Apple introduced the iPhone 5c and 5s with Touch ID and Secure Enclave on September 10.
  • Apple introduced iOS7 on September 18.
  • Microsoft discontinued Messenger in favour of Skype.

Cryptocurrencies launched in this year:

  • Ripple
  • Primecoin
  • Gridcoin
  • NXT

A Decade of Technology – 2012

Continuing our 10 year anniversary celebrations, this month we take a look at 2012.

One of the most note-worthy events of 2012 happened on 15 August when employees of Saudi Aramco noticed their computers were acting strangely. They later discovered that they are victims of the largest cyber-attack to date. The attack resulted in the data of at least 35,000 computers being partially or totally wiped out. The company’s network did not come back online until five months later.

Other highlights of a very busy year in the technology industry includes the following:

  • Computer Hope, Craigslist, Google, Reddit, Twitter, Wikipedia, and more than 115,000 other websites go dark in protest of the SOPA (Stop Online Privacy Act) on January 18.
  • On January 4, Trident Microsystems, Inc. and Trident Microsystems Ltd., filed for chapter 11 bankruptcy.
  • The Julia programming language was released.
  • Google introduced Google Play on March 6.
  • Google released Google Drive, an online file storage service.
  • The first Chromebox came out on May 29.
  • Raspbian, a free operating system, was released in July.
  • Apple released macOS X Mountain Lion for desktops on July 25.
  • Apple introduced the iPad mini on October 23.
  • Tinder was introduced.
  • The Bitcoin Foundation, a non-profit organization, was founded to promote Bitcoin.
  • Facebook announced its intentions of purchasing Instagram for 1 billion dollars in cash and stock in April. The deal was later finalized on September 6.
  • IPv6 – the networking standard went live in June, replacing the previous decades-old standard for allocating IP addresses on the internet for a new era of connectivity that spans an endless ecosystem of smart devices.
  • The virtual reality headset market as we know it began with Oculus.

Fun facts:

  • It wasn’t the end of the world on December 21, 2012, as the Mayans predicted but the video Gangnam Style hit over 1 billion views on YouTube.
  • In December 2012, Time magazine noted that selfie was among its the “top 10 buzzwords” of 2012.
  • The Tesla Model S changed the game for electric cars in the US. The company’s second car after the Tesla Roadster was—at $50,000—a more affordable four-seat sports sedan, which was named Motor Trend Car of the Year.