Source: Abnormal Security
Attackers have been impersonating notifications from Microsoft Teams in order to steal the credentials of employees. Recently, Microsoft Teams has seen one of the largest increases in users as a result of the shift to remote work given the ongoing COVID-19 pandemic.
Since the onset of the COVID-19 outbreak and the shift to remote work, there has been a remarkable increase in the usage of collaboration software. This particular attack impersonates Microsoft Teams, one of the leading collaboration software tools in widespread use.
These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams. The landing pages that host both attacks look identical to the real webpages, and the imagery used is copied from actual notifications and emails from this provider. In one of the attacks, the sender email originates from a recently registered domain, “sharepointonline-irs.com”, which is not associated with either Microsoft or the IRS.
The attackers chain multiple URL redirects to hide the final URL that actually hosts the phishing page, a tactic intended to bypass the malicious-link detection used by email protection services:
In one attack, the email contains a link to a document on a domain used by an established email marketing provider to host static material used for campaigns. Within this document there is an image urging the recipient to log in to Microsoft Teams. Once the user clicks this image, the URL takes the recipient to a compromised page which impersonates the Microsoft Office login page.
In the other attack, the first hop is a redirect hosted on YouTube, which is redirected twice more before reaching the final page, another site phishing for Microsoft login credentials.
Should the recipient fall victim to this attack, their credentials would be compromised. And because Microsoft Teams is part of Microsoft Office 365, the same credentials may give the attacker access, via single sign-on, to everything else the user can reach with their Microsoft account.
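The redirect chains described above are exactly what a link analyser has to unwind before it can judge a URL. The following is an added example, not code from Abnormal Security or from the campaign itself: it follows a redirect chain offline (the redirect map, hostnames and path names are constructed stand-ins for HTTP 3xx `Location` headers; only `sharepointonline-irs.com` is taken from the page) and then classifies the final landing host. The point it makes is that the verdict must be based on the last host in the chain, not on the reputable marketing or video host in the email, and that a host which borrows Microsoft product names without being a Microsoft domain is a lookalike.

```python
"""Unwind a redirect chain and classify where it finally lands.

Added example, not the page's or the vendor's code. REDIRECTS below is a
constructed stand-in for the Location headers a sandboxed fetcher would see.
"""
from urllib.parse import urlparse

# Registrable domains Microsoft actually uses for sign-in. A Microsoft login
# form on any other domain is a red flag regardless of how it looks.
MICROSOFT_LOGIN_DOMAINS = {"microsoftonline.com", "live.com", "microsoft.com", "office.com"}
BRAND_KEYWORDS = ("microsoft", "office", "teams", "sharepoint", "onedrive")

# Constructed chain mirroring the page's description: email-marketing static
# host -> video-site redirector -> tracker -> fake login page (all hypothetical).
REDIRECTS = {
    "https://static.mailvendor.example/campaign/teams-notice.html":
        "https://video.example/redirect?q=https://trk.example/r/7",
    "https://video.example/redirect?q=https://trk.example/r/7":
        "https://trk.example/r/7",
    "https://trk.example/r/7":
        "https://login.microsoft-teams-auth.example/common/oauth2/authorize",
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .com/.example hosts; a
    production tool would consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_brand(host: str) -> bool:
    """True when a non-Microsoft host borrows Microsoft product names
    (e.g. the page's sharepointonline-irs.com sender domain)."""
    if registrable_domain(host) in MICROSOFT_LOGIN_DOMAINS:
        return False
    return any(keyword in host.lower() for keyword in BRAND_KEYWORDS)


def resolve_chain(url: str, redirects: dict, max_hops: int = 10):
    """Follow redirects; return (chain, status) where status is
    'ok', 'loop' or 'too-many-hops'. Loops and long chains are themselves
    suspicious, so they are reported rather than raised."""
    chain, seen = [url], {url}
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in seen:
            return chain, "loop"
        if len(chain) - 1 >= max_hops:
            return chain, "too-many-hops"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "ok"


def assess_link(url: str, redirects: dict = REDIRECTS) -> dict:
    """Classify a link by where its redirect chain ends, not where it starts."""
    chain, status = resolve_chain(url, redirects)
    final_host = urlparse(chain[-1]).hostname or ""
    hops = len(chain) - 1
    if status != "ok":
        verdict = "suspicious-redirect-chain"
    elif registrable_domain(final_host) in MICROSOFT_LOGIN_DOMAINS:
        verdict = "legitimate-microsoft"
    elif looks_like_brand(final_host):
        verdict = "brand-lookalike"
    elif hops >= 2:
        verdict = "suspicious-redirect-chain"
    else:
        verdict = "unknown"
    return {"hops": hops, "status": status, "chain": chain,
            "final_host": final_host, "verdict": verdict}


if __name__ == "__main__":
    result = assess_link("https://static.mailvendor.example/campaign/teams-notice.html")
    print(result["hops"], result["final_host"], result["verdict"])   # 3 login.microsoft-teams-auth.example brand-lookalike
```

Running this against the constructed chain gives three hops ending on a lookalike host. Note that the keyword check is deliberately applied after the allowlist check, so `login.microsoftonline.com` is never flagged while `sharepointonline-irs.com` is.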
Why is this attack effective?
- Convincing e-mail and landing page – the email and landing page the attackers created were convincing. The webpages that the links in the email direct to are visually identical to legitimate Microsoft Teams and Microsoft login pages. Recipients would be hard-pressed to tell that these sites were set up to misdirect and deceive them in order to steal their credentials.
- Timing – given the current situation, people have become accustomed to notifications and invitations from collaboration software providers. Because of this, recipients might not look further to investigate the message.
- Urgency – a recipient may feel more compelled to quickly login to access the page because of the urgency felt when contacted by a coworker.
FNB recently announced a new online banking policy which prevented users from saving their passwords to their browsers.
However, the bank received a backlash from tech-savvy users, who pointed out that using software to bypass this feature would create more vulnerability.
FNB head of digital banking Giuseppe Virgillito told MyBroadband that the bank had taken note of social media feedback.
“FNB recognises the valuable feedback from our customers regarding the measures to prevent auto-filling of banking passwords,” Virgillito said.
“We have found that a number of our customers save their banking passwords to their browsers. This places customers with stolen or unattended devices at considerable risk.
“As a consequence, we strongly discourage customers from storing their banking passwords in their browsers.
“The use of this type of software for your banking is strongly discouraged as it places the user at a high risk of introducing malicious software onto their device.
“Alternatively, it also places users at an increased risk of phishing. As a consequence hereof, we have decided to revisit the decision to prevent auto-filling of passwords at this time,” Virgillito said.
FNB users should now be able to log in to their online banking as normal, using password managers or auto-fill passwords.
By Zack Whittaker for Tech Crunch
Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.
The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.
Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.
Google has since removed the feature.
No consumer Gmail accounts were affected by the security lapse, said Frey.
“To be clear, these passwords remained in our secure encrypted infrastructure,” said Frey. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google has more than 5 million enterprise customers using G Suite.
Google said it also discovered a second security lapse earlier this month as it was troubleshooting new G Suite customer sign-ups. The company said since January it was improperly storing “a subset” of unhashed G Suite passwords on its internal systems for up to two weeks. Those systems, Google said, were only accessible to a limited number of authorized Google staff.
“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” said Frey.
Google said it’s notified G Suite administrators to warn of the password security lapse, and will reset account passwords for those who have yet to change.
A spokesperson confirmed Google has informed data protection regulators of the exposure.
Google becomes the latest company to have admitted storing sensitive data in plaintext in the past year. Facebook said in March that “hundreds of millions” of Facebook and Instagram passwords were stored in plaintext. Twitter and GitHub also admitted similar security lapses last year.
By Cheryl Kahla for The South African
The National Cyber Security Centre (NCSC), a UK cyber security watchdog, recently released their list of the most-used passwords on the Internet.
A quick look at the most common passwords is enough to know that a lot of work still needs to be done to educate computer users about cybersecurity.
The most common password was ‘123456’, followed by ‘123456789’, ‘qwerty’, ‘password’ and ‘1111111’.
While these common passwords are incredibly problematic, the most pervasive problem for home internet users was a combination of these easily guessed passwords, and the fact they were being re-used across multiple sites.
Re-using passwords on multiple platforms
Password re-use is a problem because a breach at one site compromises the user’s security on every other site where the same password is in use.
NCSC technical director Ian Levy explains:
“We understand that cybersecurity can feel daunting to a lot of people, but the National Cyber Security Centre has published lots of easily applicable advice to make you much less vulnerable.”
He added that re-using a password is a major risk which can be avoided because “nobody should protect sensitive data with something that can be guessed”.
Sports teams and first names are other common choices, with ‘Ashley’ the most common name used as a password and ‘Liverpool’ the most common Premier League football team name. ‘Blink182’ was the most common band.
“Using hard-to-guess passwords is a strong first step, and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password,” added Levy.
There are several password management tools available that can generate unique passwords and store them in a central place for users who want to take their online security to the next level.
By Tom McKay for Gizmodo
Facebook has been prompting some users registering for the first time to hand over the passwords to their email accounts, the Daily Beast reported on Tuesday—a practice that blares right past questionable and into “beyond sketchy” territory, security consultant Jake Williams told the Beast.
A Twitter account using the handle @originalesushi first posted an image of the screen several days ago, in which new users are told they can confirm their third-party email addresses “automatically” by giving Facebook their login credentials. The Beast wrote that the prompt appeared to trigger under circumstances where Facebook might think a sign-up attempt is “suspicious,” and confirmed it on their end by “using a disposable webmail address and connecting through a VPN in Romania.”
It is never, ever advisable for a user to give out their email password to anyone, except possibly to a 100 percent verified account administrator when no other option exists (which there should be). Email accounts tend to be primary gateways into the rest of the web, because a valid one is usually necessary to register accounts on everything from banks and financial institutions to social media accounts and porn sites. They obviously also contain copies of every un-deleted message ever sent to or from that address, as well as additional information like contact lists. It is for this reason that email password requests are one of the most obvious hallmarks of a phishing scam.
“That’s beyond sketchy,” Williams told the Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”
“This is basically indistinguishable to a phishing attack,” Electronic Frontier Foundation security researcher Bennett Cyphers told Business Insider. “This is bad on so many levels. It’s an absurd overreach by Facebook and a sleazy attempt to trick people to upload data about their contacts to Facebook as the price of signing up … No company should ever be asking people for credentials like this, and you shouldn’t trust anyone that does.”
A Facebook spokesperson confirmed in a statement to Gizmodo that this screen appears for some users signing up for the first time, though the company wrote, “These passwords are not stored by Facebook.” It additionally characterized the number of users it asks for email passwords as “very small.” Those presented with the screen were signing up on desktop while using email addresses that did not support OAuth—an open standard for allowing third parties authenticated access to assets (such as for the purpose of verifying identities) without sharing login credentials. OAuth is typically a standard feature of major email providers.
Facebook noted in the statement that those users presented with this screen could opt out of sharing passwords and use another verification method such as email or phone. The company also said it would be ending the practice of asking for email passwords.
“People can always choose instead to confirm their account with a code sent to their phone or a link sent to their email,” the spokesperson wrote. “That said, we understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.”
However, those other options could only be reached by clicking the “Need help?” button seen in the above screenshot, which is not an obvious manner of communicating that there are other options.
Business Insider found that signing up for an account using this method additionally prompts users that Facebook is “importing contacts” without asking for permission, though it was not “immediately clear if this tool actually imports these contacts”:
Business Insider has also found that if a new user chooses to enter their e-mail account password into Facebook, a pop-up appears saying that Facebook is “importing contacts” — despite not asking the user for permission to do so. It is not immediately clear if this tool actually imports these contacts, as it apparently didn’t pull in contact list entries we made for the purposes of testing, though these contacts were only minutes-old.
Reached over phone, a Facebook spokesperson confirmed that handing over email login credentials has been “offered for years” and that the “The intent of this option was simply to confirm the account.” The spokesperson said they did not know whether Facebook had accessed any data in accounts it obtained passwords to—such as contact lists, which it uses to fuel features like its People You May Know system—but would follow up with an answer. (We’ll update this article if we hear back.)
While Facebook said that it did not store the passwords, it has also used ostensible security features such as two-factor authentication as a pretext to spam users’ phones with text messages and wrangle up phone numbers for targeted advertising. Facebook has also in the past issued contradictory statements about what kind of data it collects (such as call data and app usage on its Portal video phones), launched pseudo-VPN apps that vacuumed up user data, and seemingly obfuscated how users could control whether it obtains call and text data. Late last month, news leaked it stored hundreds of millions of users’ passwords in plaintext.
By Eric Limer for Popular Mechanics
Twitter is suggesting all users change their passwords as a precaution after a reported glitch caused some passwords to be stored in plain text. If you’ve ever used your Twitter password for another service, you’d be wise to change it in both places.
Twitter says there is no evidence of a breach, but the error would have allowed anyone snooping inside its systems to scoop up the unprotected passwords with ease. Typically, passwords are “hashed” before they are stored, a process that transforms the password into a fixed-length string of letters and numbers that cannot be turned back into the actual characters you type. This prevents hackers who steal the database from getting a phrase they can try on your other accounts.
Even with no evidence of an actual breach, this bug serves as a good reminder for some basic security hygiene. Use unique passwords for every service you use; a password manager can help you keep track of them all. Turn on two-factor authentication where available (it is available on Twitter). And while you’re at it, go look at the apps that have access to your account. These apps, if they’re insecure themselves, can offer hackers a limited way into your account without ever having to figure out your password.
2018 will be the year where we see the death of the password. This according to the latest tech predictions from virtualisation company Citrix.
Citrix says that a wide variety of authentication methods will be introduced that will replace passwords including biometrics, behaviour analytics and the like.
“The amount of security breaches will accelerate to record heights which will force companies to abandon traditional passwords as a way to protect accounts,” says Brendan McAravey, country manager at Citrix South Africa.
He says that access to web pages and apps will become much more controlled next year to protect end users which will limit the viral nature of the web as we know it today. Dark web concepts will also be adopted by web apps to limit exposure.
Artificial intelligence & machine learning
Citrix’s second prediction for 2018 is that machine learning and artificial intelligence (AI) will have a huge impact on the future of work and security. The company says that machine learning and AI tools and platforms are getting easier to use and “are thus becoming more pervasive”.
“Machines will be able to learn what’s normal and what’s not normal to predict and enable future automations or shutdown bad-actors in security use cases.”
McAravey believes AI will however not replace the need for human employees, but rather will give an opportunity to learn new skills and apply more strategic and meaningful actions to new roles.
“Nothing will ever replace the importance of human creativity, empathy and innovation,” he says.
Age of voice
“The impact of voice as the next generation human-computer interface will absolutely be a key innovation moving forward in 2018. This will be more impactful than virtual, augmented, or mixed reality,” adds McAravey.
Citrix believes that being able to use voice, combined with machine learning, to interact with complex data will be a huge benefit to everybody. It also says that analytics tools are going to allow people to work more productively in 2018.
“Imagine a scenario where AI helps contextualise what it is you do every day and from where. Meaning that people will in future spend less time looking for data and more time acting on the information.”
Internet of things
Citrix sees the rise of the Internet of things (IOT) continuing over the next two years and says there are already smart companies which are using a design thinking approach to innovate and deliver products that are making the most of the potential for IOT.
“2018 may not see these types of innovations at scale but there is a potential that we all take a customer-centric approach and think about how IOT can make us more efficient in our day. 2019 is when we will really see these innovations take off,” explains McAravey.
He says that IOT has huge potential for the workplace. In future the ability to cost effectively leverage IOT to improve the quality of the workplace will become real, thereby improving efficiency and effectiveness of employees.
“IOT will move from being seen as a security risk in the enterprise, to becoming a critical part of an enterprise’s security posture. Concepts, such as Bluetooth beacon technologies, GPS, biometrics, facial recognition and pervasive analytics on user behaviour, resulting in people getting access to the right things at the right time,” he concludes.
Source: IT Web
In a piece of advice that seemingly contradicts everything else we’ve ever heard, GCHQ has recommended you should change your password less often.
According to the spy agency’s cybersecurity arm, forcing people to change their passwords regularly is ineffectual, because they are likely to choose a new password that is very similar to the old one.
They are also more likely to write the new password down, for fear of forgetting it. This increases the risk of the password falling into the wrong hands.
“Attackers can exploit this weakness,” says the Communications-Electronics Security Group (CESG). “The new password may have been used elsewhere, and attackers can exploit this too.”
Instead of forcing a password change at regular intervals, it recommends that organisations show users when their account was last accessed, so that they can spot logins they did not make.
GCHQ says sticking to the same password for a long time – unless it’s something like ABC123 – is a good idea.
The news comes as a new study into online privacy reveals that one in three Brits secretly know their partner’s passwords.
The survey by money-saving website VoucherCodesPro has revealed the UK’s attitude to trusting loved ones with our passwords.
It discovered that almost three quarters of us have looked through social media messages on someone else’s account without their permission.
The team responsible for the study polled 2,211 UK adults between 18 and 45 who have been in their current relationship for at least two years.
Initially respondents were asked if their partner let them access their social media channels when they wanted to; 51% of respondents stated they did. Respondents were then asked if their partner had let them know their password for social media channels, 21% stated they had.
Following straight on from this, all respondents were asked whether they knew their partner’s password without their partner being aware of it; 34% stated they did.
Researchers asked these participants how they had found out their partner’s password: 59% stated they ‘guessed’ it, 37% said they ‘keyboard watched’ and the remaining 4% asked their partner’s friends.
As to what those sneaky snoopers got up to once they’d accessed their partner’s accounts – the researchers provided a list:
- Looked through social media messages – 74%
- Looked through the photo gallery – 59%
- Looked through emails – 54%
- Looked through browser history – 46%
- Looked through bank statements – 39%
George Charles, spokesperson for www.VoucherCodesPro.co.uk, made the following comments regarding the study:
“Being open with your partner is incredibly important and snooping at their social media channels or any private documentation just isn’t the way to achieve a healthy relationship,” he said.
“Knowing your partner’s password without their knowledge will only lead to trouble. It suggests you are looking for something and if you look hard enough, you will always find something to convince you that your fear is real.”
By Jeff Parsons for www.mirror.co.uk
Last year saw millions of people’s data hacked and stolen online, from T-Mobile customers to those signed up on Ashley Madison. While this is obviously bad news for those who have had their details jacked, the data posted online can be used to gain an interesting insight into how people protect themselves on the Internet.
And it turns out that many people are still terrible at picking passwords. In SplashData’s annual list of the 25 worst passwords little has changed, with “123456” still, for some reason, topping the list.
We all know we shouldn’t do it, but for some inexplicable reason many clearly still do just run their fingers along the top of the keyboard. Those feeling a little more adventurous might manage to type out “password” or, oddly, “dragon”.
Either way, none of the top 25 passwords is particularly surprising, which is itself a little depressing: no matter how often people are told to secure their online accounts, plenty still ignore the advice.
The data also gives some interesting insight into the minds of those using the internet. Sport, for example, is a popular choice for passwords, with “football” and “baseball” both still sitting within the top 25. But it also reflects big events happening that year, with the most noticeable being the addition of “starwars” and “solo” to the list, which could also help explain the resurgence of “princess” as a choice of password too.
We probably all know what we should be doing to at least try and make our accounts less hackable, but let’s just take a minute to remind ourselves. Firstly, and I hardly think this really needs saying, but don’t pick one of the ones below. If one of yours has already made the list, then change it.
Choose something at least eight characters long that does not contain your user name, real name, or company name. Make sure it is significantly different from any previous passwords, and include a mixture of upper-case letters, lower-case letters, numbers and symbols. And finally, while I know it’s tempting, don’t reuse the same username and password combination across sites. If you struggle to remember them all, install a password manager (password safe).
Anyway, here is the list in full. Try not to smash your head against the keyboard in frustration:
The 25 most-used passwords (with change from 2014 indicated in brackets):
- 123456 (unchanged)
- password (unchanged)
- 12345678 (up 1)
- qwerty (up 1)
- 12345 (down 2)
- 123456789 (unchanged)
- football (up 3)
- 1234 (down 1)
- 1234567 (up 2)
- baseball (down 2)
- welcome (new)
- 1234567890 (new)
- abc123 (up 1)
- 111111 (up 1)
- 1qaz2wsx (new)
- dragon (down 7)
- master (up 2)
- monkey (down 6)
- letmein (down 6)
- login (new)
- princess (new)
- qwertyuiop (new)
- solo (new)
- passw0rd (new)
- starwars (new)
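The advice given above (minimum length, nothing from the worst-25 list, no user, real or company name, a mix of character classes, and a clear difference from previous passwords, which is also the weakness GCHQ’s guidance earlier on this page warns about when users are forced to rotate) can be turned into a concrete check. The following is an added example, not code from SplashData or this page: it loads the list exactly as printed, undoes the common letter-for-symbol substitutions before comparing so that “P@ssw0rd” is caught as “password”, and uses edit distance to reject a new password that is only a digit or two away from the old one. The thresholds (three of four character classes, an edit-distance limit of a quarter of the length) and the sample passwords are assumptions chosen for illustration.

```python
"""Password checks implementing the advice above: minimum length, not on the
worst-25 list (even in l33t spelling), no user/real/company name, a mix of
character classes, and clearly different from previous passwords.

Added example; not code from SplashData or this page. Thresholds are assumptions.
"""

WORST_25_2015 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
]

# Substitutions attackers undo before guessing, so the policy undoes them too.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and undo l33t substitutions: 'P@ssw0rd' -> 'password'."""
    return password.lower().translate(_LEET)


# Block both the literal entries and their normalized forms.
BLOCKLIST = {p.lower() for p in WORST_25_2015} | {normalize(p) for p in WORST_25_2015}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch 'Spring2015!' -> 'Spring2016!' rotations."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def check_password(candidate: str, username: str = "", real_name: str = "",
                   company: str = "", previous=()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    norm = normalize(candidate)

    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if candidate.lower() in BLOCKLIST or norm in BLOCKLIST:
        problems.append("on the common-password list")
    for label, value in (("username", username), ("real name", real_name),
                         ("company name", company)):
        parts = [p for p in normalize(value).split() if len(p) >= 3]
        if any(p in norm for p in parts):
            problems.append(f"contains {label}")
    classes = sum([any(c.isupper() for c in candidate),
                   any(c.islower() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(not c.isalnum() for c in candidate)])
    if classes < 3:
        problems.append("needs at least three of: upper, lower, digit, symbol")
    for old in previous:
        # "Significantly different": more edits than a quarter of the length (minimum 2).
        if levenshtein(norm, normalize(old)) <= max(2, len(norm) // 4):
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed inputs.
    print(check_password("P@ssw0rd"))                                   # ['on the common-password list']
    print(check_password("Football2015!", previous=["Football2014!"]))  # ['too similar to a previous password']
    print(check_password("correct Horse batt3ry!", previous=["123456"]))  # []
```

Running the checks shows why the normalisation step matters: “P@ssw0rd” satisfies every class and length rule and would pass a naive checker, yet it is the list’s own “passw0rd” with one more substitution. The similarity check is the counterpart to the GCHQ point above: if rotation is enforced at all, a policy that only compares the raw strings lets “Football2014!” become “Football2015!”.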
By Josh L Davis www.iflscience.com