• Patch Lady – beware of email credential harvesting


    #195404

    A recent email came into the firm and it was sent from payment@paychex.com with a “wetransfer” file.  Enough red flags that of course I wanted to see
    [See the full post at: Patch Lady – beware of email credential harvesting]

    Susan Bradley Patch Lady/Prudent patcher

    • #195406

      Two-factor authentication is fantastic. Not only does it make the login process much more secure, but it notifies you whenever anyone is trying to log into your account by sending you a text message.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
    • #195407

      Ooh I like that reverse.it service! I assume you didn’t _open_ the PDF (as that could itself activate malware if there is an unknown/unpatched Adobe vulnerability), you just uploaded the attachment to reverse.it and let them open it in their sandbox? That’s so much easier than having to maintain an in-house VM for testing this kind of stuff…

      • #195426

        On a VM that I didn’t care about I merely downloaded the pdf from the site to get it into a place so I could then upload it to reverse.it.  Merely putting the url didn’t get me the info I needed.

        Susan Bradley Patch Lady/Prudent patcher

        • #195427

          As you can tell I STILL use a VM just to make sure, but yes, you can merely download the PDF, not open it.  The reverse.it site actually opens it up in their sandbox and takes pictures so you can see what it was and what it intended to do.

          Susan Bradley Patch Lady/Prudent patcher

          • #195535

            Very cool site Susan. As always thanks so much for all you do.

            Red Ruffnsore

    • #195413

      Why did the portable document format and reader need all of these exploitable capabilities?

      • #195424

        Because who doesn’t love extra features!?

        I honestly don’t know.  Did you know you can run a full 3D rendering in PDF?  You can create simplistic CAD models to display and show via the viewer.  Why you ask?  Why not.

        Disclaimer: Yes I know there are many reasons not to do this.

    • #195433

      ? says:

      Thank you for another excellent tip, Susan. I have multiple e-mails from different providers and they all have had data breaches over the years. I have turned off incoming except mail from known senders on all but one account and if anything fishy comes in there I just read the message header before deleting it. Any advice on how to stop the constant VoIP spoofing from “Lower Interest,” or “Free Caribbean Cruise?”

      • #195454

        Any advice on how to stop the constant VoIP spoofing from “Lower Interest,” or “Free Caribbean Cruise?”

        Yes!! Sign up for a service called “Nomorobo”. It’s VOIP-based, if I remember correctly and, best of all, it’s free for landlines and very low cost per month for cellular phone lines. Their website’s right here.

        My intent was simply to answer the poster’s question. Any further discussion about this will need to be started in a new thread.

    • #195452

      Two factor authentication means having, in addition to a password, something like a second password or magic word or a street number of a house where one grew up but no longer lives in there, or a PIN and a token instead of a password, besides the user ID. But my email is from AOL. It used to be Verizon, but Verizon bought AOL and dumped the email part of the business on AOL, and so there I am.

      And AOL, as far as I can see, does not offer two factor authentication in its users’ accounts.

      I do access some government computers with RSA two-factor authentication, and it is very clear from the get go that two-factor login is available as well as required at those sites. AOL? Not so much, it seems.

      So thanks, Patch Lady, for this very worrying information, but…


      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #195473

      Susan, did I read that right, that they were asking for e-mail credentials in order for you to access a WeTransfer file?

      I’ve used WeTransfer a number of times, and I’ve never been asked to provide credentials. You simply click on a link for the WeTransfer website that the sender, presumably someone you know, asked WeTransfer to email to you. (Maybe my experience with the service isn’t extensive enough?) A request for credentials to view the document, such as we see on that reverse.it page, is a bad sign.

      I would advise never to follow up on something like that without checking first with the supposed sender… and if I didn’t already know the sender, it would go straight into the recycling bin or junk mail folder.

      Caveat receptor!!

      • #195497

        I periodically receive WeTransfer files from a known sender.  Same story here.  No two-factor authentication required.

    • #195496

      So if for some reason your email provider doesn’t have two factor authentication, are you safe enough if you simply delete these emails without interacting with them? I know this sounds so obvious but I wonder these days if emails are advanced enough to attack me simply by being sent and unopened.. :s

      • #195522

        Some emails could trigger vulnerabilities in your browser if it is a webmail or your email program if it is local, although I don’t think those are common and you would often need to have the preview feature activated, which automatically displays the email content without having to open it.

        When the Yahoo breach happened, I think a lot of people got their account hacked and it was not due to them opening a tainted email. This risks to happen more as it is easier to exploit vs trying to exploit a vulnerability when browsers and email programs are automatically patched.

        I wouldn’t worry too much about that particular situation, although two-factor authentication is a great addition when considering the larger issue of email security and I would highly recommend it. Don’t forget that if you save a device as authorized to not be always bothered with two-factor authentication when logging in on this device and this device gets compromised by a trojan or something that would spy on you and could be remote controlled, the hacker could theoretically access the email from your compromised authorized device, although there is a risk you would see him do so.

        For best security at the expense of convenience, you should always have to enter the code sent to another device you have when accessing with one device. I like using Google Authenticator on the phone to access Gmail on the desktop, but yes, you have to enter a code each time you want to check email on the desktop. The Gmail account is not my main account. If you find that is too much hassle because you consult your email often, it is still better to have two-factor authentication activated and save some “safer” device like an iPhone rather than the Windows desktop, but even if you save the Windows desktop as authorized, it is better than not having two-factor authentication activated, as it will still block access attempts from outside of those devices, which is a lot in the case of hackers stealing a password database, plus it warns you of access attempts. That’s great!

        • #195539

          This is really getting confusing, or at least I am really confused:

          Besides, as I have understood, this being originally about the Patch Lady’s warning not to trust mails that ask for things one should keep to oneself…

          Is this conversation now also about using two-factor authentication to look at one’s email in, for example, one’s laptop (an email option I have only when accessing a government Webmail site, but  that I don’t have available for my private use at home and believe to be rarely available from a commercial ISP), is it about checking the email on a laptop from a cell phone or some other gadget (an unfamiliar procedure to me), is it both, or…?

          I’ll appreciate a helpful and practical answer in plain English, thanks.


          • #195547

            I can’t speak for anyone else but hopefully any corporate email account will have a number of protections in place. 2 factor authentication is great and it would be a good idea to use this for any personal email account….and not just email but any site you visit that deal with financial transactions, personal banking, credit cards, etc.

            Red Ruffnsore

            • #195555

              One cannot use two-factor authentication for accessing one’s home email account when that option does not exist in said account, because ISPs usually do not provide it.

              Well, at least you might have made clear that this discussion does not concern home users.

              Now, if someone would also explain that strange thing about the cellphone (or other “devices”) and the PC…

              I am morbidly curious, that’s why.

            • #195571

              Many millions of home users use the Microsoft or Google accounts mentioned in the article for email and do therefore have two-factor authentication available when logging in from a new computer. This would provide protection for anyone who fell for such a phishing email and revealed their password. The most common method is having a six-digit code sent to your phone as a text message when your email password is used from a new computer: Mobile-phone two-step authentication

          • #195633

            Sorry for the confusion, Oscar.

            I was trying to respond in a manner as comprehensive as possible to anonymous asking if he was safe from this kind of emails even without two-factor authentication. I will try to be more clear for you and others, although I might clear up some confusion and add more at the same time, so feel free to ask more clarifications.

            If the email is simply asking you for personal information or redirects you to a fake web site that asks you this information after you click on a link in it, you might not be at risk looking at the web site or simply deleting the email, using two-factor authentication or not. However, there is no way to know for sure the email trick is only that dumb. It seems the example Patch Lady reported here was this kind of quite basic harvesting, harmless for those who would never put their credentials when asked like that even if there are fancy icons and it looks legit. This example doesn’t seem to automatically harvest anything from your computer that you would not have to submit yourself manually. So, likely, it is not very dangerous, to answer anonymous’s question, if you only look at the email or click on it without giving any information away. But my larger point is you never know that for sure. If I was a hacker, I could create a clever thing like this that looks basic, but rely on curiosity to silently infect you when you click on the link to see the form or whatever thinking you are so smart not giving your info. But for that to work, it might be as hard to pull off as it is to infect you when browsing, so don’t panic.

            I was merely pointing out an email link you click could redirect you to a website that would silently infect you even if you don’t submit any information, or the email message itself could do it by exploiting a vulnerability in your local email program when you preview or open the email locally if you didn’t patch your email program or if it is a not yet disclosed vulnerability (which we call a 0-day). Just like you shouldn’t go on shady web sites, you shouldn’t open shady emails, as the risk of this type of thing is higher.

            However, the probability of this fancy hacking happening is significantly lower than just being asked to provide banking account and some people complying, as this is so much easier to pull off even if you are not a hacker and it already works well in practice: just fake a bank home page and gather the data people willingly give you. Anyway, the kind of higher level infection you could get by exploitation of a vulnerability would compromise more than just your email account information, it could give access to your computer to a hacker, install anything, etc. The idea is if you want to lower your risk, don’t show emails in preview windows when it is unrequested emails from people you don’t know.

            But even then, how often does someone you know get infected and send infected emails automatically to all the people in their address book? It happened a few times to me for sure to receive infected emails from people in my contacts list, so in theory not using the preview feature of your local email program even for people you know would be safer, but how are you going to know for sure the email is ok? It is not very practical with people you know because an email received might be a good email and you don’t want to call people saying “did you send me an email” each time you get one before looking at it. You could lower the risk by setting your local email program to display emails as text only and activate the rest only when you think the email is legit. But it is still a pain. For me, I disable javascript, flash and all plugins in Thunderbird and I feel this is enough for home use, as I mitigate the risk of infection by using other tools like EMET to reduce the likelihood a vulnerability will be successfully exploited. Thunderbird is also likely not the most targeted email program for that kind of possible specific attack (the attack needs to target a specific vulnerability), plus it also offers some basic bad email detection.

            At work, I also have seen worse: hackers using compromised accounts to target us with specific emails looking legit from real potential customer companies and containing code to exploit vulnerabilities, but it is probably less common for home users. And those fancy emails still asked to go to a web site or click on a link to try to infect the browser instead of the local mail program, so my local email program wasn’t targeted.

            I understand this might be too much for the home user. I would say don’t worry too much about those, as although the theoretical risk is there, it is so easy to do lazy harvesting that probably every email account that I have seen infected was by the company not protecting the data (like Yahoo) or probably people giving their credentials or logging into their webmail on any public computer. The point is all of these could have been protected by two-factor authentication, so let’s get back to two-factor authentication.

            What is two-factor authentication? For example, you have a Gmail webmail. You want that every time you try to access it, not only you need your password, but you will need a special one time code so anybody that would have your password but not that code could not access your email. You could set it in a way that Google sends you a text message with the code to your mobile phone each time you try to log in on any device. Then, you would have the added bonus of knowing if someone is trying to access your account because you would receive a text message when that happens while it would also prevent access.

            Another way this can work is to download the Google Authenticator app which works like those bank tokens and not just with Gmail but other services that would support it. The difference is when you log in, you need your password + the number shown at that moment (it constantly changes) in Google Authenticator instead of a code received by text message. The great thing is if you use a quite secure phone like an iPhone and you use your desktop to access email, the hacker that would have infected your desktop would also need the code on your phone. I think MrBrian pointed out that SMS was maybe not the most secure way to send codes so you could maybe have even less risk using the Authenticator instead of text messages, but we’re talking very fancy targeted hacking here, so probably out of the scope of this discussion.

            Of course, having to always enter a code from SMS or an app is annoying when you compulsively check your mail. So, you can have the option to register your device as validated so it doesn’t ask your code on this device again. This means a hacker could still not log in your email account from his remote computer, but if he had a command and control installed on your poor desktop, then he could by using your desktop, but he also would already be in your things, right? Since I don’t use my Gmail account a lot, I don’t register any device. An alternative way would be to register only the iPhone and iPad (maybe more secure devices) and not register the Windows devices. Then you compulsively check your mail on your phone all day, but look at it much less often on the computer. Two-factor authentication has this superb idea that if you split your authentication mechanism between two devices that are unrelated enough, the risk of a hacker having access to both at the same time is much lower. But even if you register all your devices to not be annoyed with codes all the time, it is still much better security than nothing and will likely prevent your account from being stolen. I would strongly suggest that everyone activate two-factor authentication, even if they want to register each of their devices to not sacrifice convenience.

            Now, is your normal ISP offering two-factor authentication on your pop account? Probably not. It might not even encrypt your connection and have your password sent in plain text, as well as all your emails. So, yes, treat emails like everyone in the world can see them and don’t use it to send passwords or any sensitive information, but it is especially bad with those ISP email accounts.

            Does that mean home users can’t use two-factor authentication? No. Webmails like Gmail and the one from Microsoft do offer it. Of course, you need to use those services. Maybe you could consider using your pop account for most things, but have a more secure webmail for some important things? Google is arguably better at security than many companies, so just by using their service, a bad email might get caught by them before everyone else. Imagine if you are Google and you notice millions of your users get the same email. I would trigger an alarm and probably remove it quickly if I were them… But you might not be comfortable with the whole idea of webmail and having your stuff online. I know the feeling, but it seems we can’t have our cake and eat it.

            • #195660

              AlexEiffel,

              Thanks for taking the trouble to explain for the benefit, not just mine, but also of others who, by now in this discussion, might not be sure of what this all means in terms of their own safe use of email and etc.

              Although I am not sure I am ready to agree with your suggestion of using Google Mail, after reading this:

              https://gizmodo.com/google-removes-nearly-all-mentions-of-dont-be-evil-from-1826153393

              So it looks like, from this time on, no more beating about the bush, they are just going to be evil.

              As to MS? Well…

              It all started when it was found that Google was working for the DoD on creating Proto-SKYNET; the employees learned about that, and there was a tremendous flap…

              https://gizmodo.com/google-plans-not-to-renew-its-contract-for-project-mave-1826488620

              But I might be starting to go off topic here, so better sign off now.

            • #196064

              I understand your worries. For me though, I don’t feel Google violated my trust. They didn’t use deceptive practices like Microsoft with their customers and they seem to respect the choice that they give me. The link you provided is certainly interesting, but it looks a bit like a grey area to me from the little I could make out of it. Is the removal of the don’t be evil that much linked to that or just something happening to an organization that doesn’t feel this kind of mantra might sound a bit too radical and a bit juvenile? I don’t say I agree, but it is maybe what explains that. I kind of liked this “we’re a big serious company that does stuff professionally, but we’re going to say something almost naïve but certainly idealistic in plain simple terms”. In any case, I don’t think Google removes the don’t be evil to allow themselves to be evil. They could pretend they are not at all and be evil, that would be much more evil!

              I would be interested to know why people are so worried of Google in another thread. Yes, they collect data and it is their business, but I never heard of them selling the data to amateur third-parties, although I don’t research that subject because I don’t really use their products anyway. I am under the impression that they mostly control the data and provide services based on this data, which is quite different. It seems to me they often showed a concern for the user privacy when they introduced controversial features. I remember in the early gmail days how they said they would have nobody read your emails, but scan them to show relevant ads in it. They were upfront about it.

    • #195511

      Thanks for the heads-up, Susan.

      Knowing and seeing what’s really happening in the world is a great step toward being more wary about it happening to oneself.

      -Noel

    • #195565

      I share OscarCP’s confusion.  Apparently, this thread is of no concern to home users who have email via ISP’s.  I don’t even have secure login from my ISP simply because I retain my accounts with their original address from the 90’s (roadrunner) and now Spectrum owns TWC and I, like most, don’t want to change my email addresses.  (I’m still TWC legacy but eventually Charter will force me to a Spectrum account.  However, Roadrunner email accounts will be around forever I am told as changing them would be a massive and almost impossible task for Charter).

      My passwords are sent in plain text (of course, I have Thunderbird 52.8 ESR manage them so I never have to type them).  If I want to change to a tiny bit of security for authentication then I will lose my Roadrunner addresses.  My accounts are all POP and I have zero desire to change that. Plus, I really dislike webmail.  Consequently, I have never used email for things that would need security.  In fact, not one of my email accounts has my real name…not even my first name as I was taught back in the 90’s to never reveal anything like your real name in email.  (Anon and Web1 was so superior to Web2 and all the insanity re social media).

      The state of email for most home users is abysmal so I use it as little as necessary and mostly for forum registrations, newsletters, that sort of thing.


      • #195707

        Mele20 wrote:

        Apparently, this thread is of no concern to home users who have email via ISP’s.

        Sorry, but disagree with your conclusion.

        Susan’s warning/advice–to beware of email credential harvesting–generally applies to pretty much anyone who uses email. While using an ISP-based or company-based email account might seem safer if considering only the particular scam email she chose to highlight, please realize that phishing attacks attempting to harvest account credentials and personal information are also run against both customers (accounts) at ISPs and employees (accounts) at individual companies.

        Noel Carboni wrote:

        Thanks for the heads-up, Susan.

        Knowing and seeing what’s really happening in the world is a great step toward being more wary about it happening to oneself.

        +1

        • #195737

          Anonymous #195707 :

          Some people have email service that allows two-factor authentication, but many don’t: that was my point and Mele20’s. To them (me included) much of the commentary posted here seems irrelevant.

          It is like warning the homeless that one should be careful not to keep the windows shut all the time, because otherwise naturally present radioactive radon might accumulate inside the house to unhealthy levels. So, homeless people, do get some fresh air now and then, would you?


    • #195596

      I have two-factor authentication for my personal accounts, but at work we use Outlook desktop, so a stupidity can be quickly made.
      That’s why I made a rule for attachments and links in emails from unknown/unrelated senders in Outlook: ditch ’em, or open them on your mobile first to check what it’s really doing.
      Don’t know if that would stop the harvesting swindle, but it sure will prevent any Windows crippling.

      LMDE is my daily driver now. Old friend Win10 keeps spinning in the background
    • #195620

      Mele20, Agreed, totally.

      My rule is: if I get a message and can see in the preview panel that it is asking for my own information, whatever or whoever is the alleged sender, I first ask myself the question: is this something I should be keeping to myself?

      If the answer is “yes”, I terminate with strong prejudice the, if at all possible, still unopened questionable message (being well aware that even having a peek at it in the preview panel is a risky thing to do, just not as much as opening to read it so,  ASAP, I scan my PC for malware.)

      Because, particularly at home, where my home email service does not have two-factor authentication, there is nothing else I can really do. And because, whether one has or not two-factor available (as I have in a government account) it is a good thing to do, anywhere and anytime.

