Tag: phishing

Internet Explorer users urged to watch out for phishing attacks

Cyber Security

Posted on January 22, 2020

2 min read

Microsoft is warning Internet Explorer users to be hyper-vigilant to phishing attacks after it discovered a major flaw in the web browser was being actively exploited by hackers. 

The company is yet to issue a patch for the remote code execution vulnerability, which affects all supported Windows desktop and server versions, as well as the out-of-support Windows 7 and Server 2008. 

The flaw exists in the way Internet Explorer’s scripting engine (the browser component that handles JavaScript code) deals with objects in memory, Microsoft says.

An attacker who successfully exploits the flaw could gain the same user rights as the current user and run code of their choice on the victim’s system. 

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said. 

One way a hacker could exploit the flaw is by sending a phishing email or other message that drives the user to a specially crafted malicious website in IE.

Microsoft said it was working on a fix for the vulnerability, expected for its next Patch Tuesday update in early February. In the meantime it has suggested several workarounds and mitigations, including restricting access to the JavaScript component JScript.dll, to safeguard against attack. 

While Microsoft said it was aware of hackers actively exploiting the flaw, it described these instances as “limited targeted attacks”, believed to be part of a wider hacking campaign also targeting Firefox users. 

Internet Explorer is no longer the default browser in the latest versions of Windows, but still comes installed with the operating system and remains the browser of choice for many legacy applications. 

How to identify, avoid and recover from a phishing attack

Cyber Security

Posted on January 16, 2020

5 min read

Getting snagged by a phishing scam is never pleasant. It usually involves a cybercriminal using emails, texts, social media or phone calls to lure someone into handing over sensitive information. And as we become more and more dependent on technology and digital alerts, this scam builds up its confidence. Thankfully, there are ways to identify, avoid and recover from a phishing attack if it happens to you.

Cyber attacks in Australia are more common and pervasive than ever before. The Telstra Security Report 2019 reported that 65% of Australian businesses have been affected by some kind of cyber security breach. What’s more shocking is that close to 90% of them went undetected.

At the heart of Australia’s cyber security problem is phishing (pronounced ‘fishing’): frauds devised to steal confidential information – such as passwords, credit card details and banking details – from unsuspecting recipients. In 2018, the Australian Competition and Consumer Commission (ACCC) received over 24,000 reports of phishing. And the numbers are getting worse. In 2016, around $370,000 was lost to phishing scams in Australia, while in the first nine months of 2019, that number exceeded $1 million.

Be aware of the bait

You’re probably familiar with classic 419 ‘Nigerian Prince’ scams – emails with fanciful promises to get you rich quick if you just help transfer some money. Amazingly, this hustle is still working long after it first appeared: in Australia in 2018, close to $1.4 million was stolen through this type of scam. For the most part, though, these are fairly easy to sniff out if you know to be wary of anyone pleading for help in exchange for some kind of financial reward.

Phishing, on the other hand, is far harder to detectAccording to the Australian Cyber Security Centre (ACSC), the poorly written, unofficial-looking phishing scams that first appeared in Australia in 2003 are a thing of the past. Today, these scams are far more sophisticated. They come in the form of emails, text messages and even social media direct messages that masquerade as correspondence from legitimate organisations or institutions, like banks or government departments, and request personal information or prompt you to click on a pernicious link.

Phishing scams are designed to look legitimate, and predominantly go after people via phone (in 2018, 41.2% of phishing scams were phone-based), email (29%) and SMS (24.6%).

5 common phishing scams

  • Spear phishing: individualised messages from a seemingly trustworthy sender, such as a bank or employer, and usually targeted at employees in an organisation
  • Whaling: targeted spear phishing, where a senior person in an organisation is phished by a cybercriminal masquerading as someone trusted, like a colleague
  • Pop-up phishing: deceptive pop-up ads that contain malware
  • Clone phishing: messages that closely resemble previously received legitimate ones – for instance, a phisher might send a fake promotional email from a brand to a known customer of that brand
  • Voice fishing: also known as ‘vishing’, where a phisher will attempt to solicit sensitive information over the phone

Identify, avoid and recover

Fortunately, while phishing scams can be well disguised, there are red flags you can watch out for. Grammar errors, misspelt names and incorrect facts are common giveaways. You might receive an email from ‘@combank.com’; a strange ‘competition winner’ alert SMS from JB Hi-Fi, when you haven’t entered a competition; or a cold call from a foreign or private number.

An organisation or institution will generally never ask a customer to share sensitive information through unsolicited correspondence. So as a rule, never give out personal details unless you are 100 per cent sure you know who you’re dealing with – in other words, you called them or have verified their identity. Likewise, never click on a link or open an attachment from an unsolicited message unless you are confident it’s legitimate – for example, you know you’ve safely received correspondence from this brand or person in the past.

According to ACSC, the best way to prevent phishing scams in the workplace is to “educate employees at all levels”. This includes instructing people to not click on links or open attachments on their work phone or computer, or through their work email, that have come from unknown parties.

If you’re unclear about how legitimate an email, text or phone call is, play it safe and simply delete or ignore it. You can always offer to call the institution back – after a thorough vetting.

If you have become the victim of a phishing scam, it’s important to act quickly. Change any compromised passwords across all your accounts, contact relevant parties (like your bank), and report the incident to the ACCC or ACSC.

Further protection tips

Do you know how secure your digital workspace is? Take our cyber-security quiz to see where you stand.

Looking to secure your digital workspace? Check out our range of business security apps.