Microsoft is warning Internet Explorer users to be especially vigilant about phishing after confirming that a serious flaw in the browser is being actively exploited by attackers.
The company is yet to issue a patch for the remote code execution vulnerability, which affects all supported Windows desktop and server versions, as well as the out-of-support Windows 7 and Server 2008.
An attacker who successfully exploits the flaw could gain the same user rights as the current user and run code of their choice on the victim’s system, which is one more reason to browse from a standard account rather than an administrator one.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.
One way an attacker could exploit the flaw is by sending a phishing email or other message that lures the user to a specially crafted malicious website in IE. No attachment or download is needed: script on the page triggers the bug as soon as it loads, so the link itself is the payload.
Microsoft said it was working on a fix for the vulnerability, expected in its next Patch Tuesday update in early February. In the meantime it has published a workaround, restricting access to the JScript.dll scripting engine, to safeguard against attack.
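The workaround Microsoft described, restricting access to JScript.dll, as it would be applied from an elevated PowerShell prompt. This is an added example written for this page, not code from the article or from Microsoft; it assumes an English-language Windows install, where the built-in group is named "Everyone" (substitute the local name on other locales), and uses the takeown and cacls tools that ship with Windows.

```powershell
# Added example, not code from the article: restrict access to JScript.dll as an
# interim mitigation. Run from an elevated PowerShell prompt. Assumes an English
# locale where the built-in group is called "Everyone".

$dlls = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit Windows also carries a 32-bit copy used by 32-bit (WOW64) processes
    $dlls += "$env:windir\SysWOW64\jscript.dll"
}

foreach ($dll in $dlls) {
    # Take ownership so the ACL can be edited, then add an explicit Deny for Everyone
    takeown.exe /f $dll | Out-Null
    cacls.exe $dll /E /P everyone:N | Out-Null
}

# Check the result: each file should now carry a Deny entry for Everyone
foreach ($dll in $dlls) {
    (Get-Acl -Path $dll).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
        Select-Object @{ n = 'File'; e = { $dll } }, AccessControlType, FileSystemRights
}

# Reverse the change before installing the patch so the updated file can be written:
#   cacls.exe "$env:windir\System32\jscript.dll" /E /R everyone
#   cacls.exe "$env:windir\SysWOW64\jscript.dll" /E /R everyone
```

Two caveats a practitioner would want. First, anything that still loads the legacy JScript engine, such as proxy auto-configuration (PAC) scripts or older pages rendered in IE compatibility modes, can stop working while the deny entry is in place, so test on a pilot group before rolling it out. Second, remove the deny entry before the February update is applied, otherwise the patched file cannot be installed.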
While Microsoft said it was aware of hackers actively exploiting the flaw, it described these instances as “limited targeted attacks”, believed to be part of a wider hacking campaign also targeting Firefox users.
Internet Explorer is no longer the default browser in the latest versions of Windows, but still comes installed with the operating system and remains the browser of choice for many legacy
Deputy Chief Information Security Officer -
Clive is the Deputy Chief Information Security Officer and has over 20 years’ experience in cyber security risk management, engineering and operations.
Clive leads critical customer-facing security capabilities including the Telstra Security Operation Centres and the Defence Engagement Security Team.
Clive was previously the CISO for Telstra’s Defence Engagement Team and also managed a secure ops and incident response centre.
Prior to joining Telstra, Clive worked for the Australian Government and served in the Royal Australian Air Force (RAAF). Clive is an engineering graduate of RMIT and holds an MBA in Technology Management.
How to identify, avoid and recover from a phishing attack
Getting snagged by a phishing scam is never pleasant. It usually involves a cybercriminal using emails, texts, social media or phone calls to lure someone into handing over sensitive information. And as we become more dependent on technology and digital alerts, these lures become easier to pass off as the real thing. Thankfully, there are ways to identify, avoid and recover from a phishing attack if it happens to you.
Cyber attacks in Australia are more common and pervasive than ever before. The Telstra Security Report 2019 reported that 65% of Australian businesses have been affected by some kind of cyber security breach. What’s more shocking is that close to 90% of them went undetected.
At the heart of Australia’s cyber security problem is phishing (pronounced ‘fishing’): frauds devised to steal confidential information – such as passwords, credit card details and banking details – from unsuspecting recipients. In 2018, the Australian Competition and Consumer Commission (ACCC) received over 24,000 reports of phishing. And the numbers are getting worse. In 2016, around $370,000 was lost to phishing scams in Australia, while in the first nine months of 2019, that number exceeded $1 million.
Be aware of the bait
You’re probably familiar with classic 419 ‘Nigerian Prince’ scams – emails with fanciful promises to get you rich quick if you just help transfer some money. Amazingly, this hustle is still working long after it first appeared: in Australia in 2018, close to $1.4 million was stolen through this type of scam. For the most part, though, these are fairly easy to sniff out if you know to be wary of anyone pleading for help in exchange for some kind of financial reward.
An organisation or institution will generally never ask a customer to share sensitive information through unsolicited correspondence. So as a rule, never give out personal details unless you are 100 per cent sure you know who you’re dealing with – in other words, you called them or have verified their identity. Likewise, never click on a link or open an attachment from an unsolicited message unless you are confident it’s legitimate – for example, you know you’ve safely received correspondence from this brand or person in the past.
According to the Australian Cyber Security Centre (ACSC), the best way to prevent phishing scams in the workplace is to “educate employees at all levels”. This includes instructing people to not click on links or open attachments on their work phone or computer, or through their work email, that have come from unknown parties.
If you’re unclear about how legitimate an email, text or phone call is, play it safe and simply delete or ignore it. You can always call the institution back, using a number from its official website or the back of your card rather than one supplied in the message.
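One of the checks behind the advice above is to look at where a link actually goes, not what it says. The PowerShell function below is an added example for this page, not code from the article or from Telstra: it scans the HTML body of an email and flags links whose visible text names one host while the href points at another, links to raw IP addresses, punycode (internationalised) hosts that can be used for look-alike domains, and plain http links. The sample message, the domain mybank.example.com.au and the address 203.0.113.7 are all constructed for the demonstration.

```powershell
# Added example, not from the article: flag phishing-style links in an HTML email body.
# The sample message and hosts below are constructed for the demo.

function Get-SuspiciousLinks {
    param([Parameter(Mandatory)][string]$Html)

    $opts = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase -bor
            [System.Text.RegularExpressions.RegexOptions]::Singleline
    # Capture each anchor's href and its visible text
    $pattern = '<a\s[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    $findings = @()

    foreach ($m in [regex]::Matches($Html, $pattern, $opts)) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $reasons = @()
        $target = $null

        if (-not [Uri]::TryCreate($href, [UriKind]::Absolute, [ref]$target)) {
            $reasons += 'href does not parse as an absolute URL'
        } else {
            $linkHost = $target.Host.ToLowerInvariant()

            # Visible text that itself looks like a URL or domain but names a different host
            $shown = $null
            $candidate = if ($text -match '^[a-z][a-z0-9+.-]*://') { $text } else { "http://$text" }
            if ([Uri]::TryCreate($candidate, [UriKind]::Absolute, [ref]$shown) -and
                $shown.Host -match '\.' -and $shown.Host.ToLowerInvariant() -ne $linkHost) {
                $reasons += "text shows $($shown.Host) but link goes to $linkHost"
            }
            if ($target.HostNameType -in 'IPv4', 'IPv6') {
                $reasons += 'host is a raw IP address'
            }
            if ($linkHost -match '(^|\.)xn--') {
                $reasons += 'internationalised (punycode) host, possible look-alike domain'
            }
            if ($target.Scheme -ne 'https') {
                $reasons += "scheme is $($target.Scheme), not https"
            }
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{ Text = $text; Href = $href; Reasons = ($reasons -join '; ') }
        }
    }
    return $findings
}

# Constructed sample message: two deceptive links and one legitimate one
$sample = @'
<p>Dear customer, your account has been limited.</p>
<p>Restore access at <a href="http://203.0.113.7/login">https://www.mybank.example.com.au</a>
or via <a href="https://www.xn--mybnk-w4a.example/secure">mybank.example</a>.</p>
<p>Questions? <a href="https://www.mybank.example.com.au/contact">Contact us</a>.</p>
'@

Get-SuspiciousLinks -Html $sample | Format-Table -AutoSize -Wrap
```

On the sample, the first two links are reported (text/host mismatch plus raw IP and http for the first, mismatch plus punycode for the second) and the "Contact us" link is not, since its text is not a domain and its href is a plain https host. The function deliberately reports reasons rather than a verdict: a mismatch between visible text and target is the single strongest signal in mass phishing, but legitimate mail from tracking-link providers trips it too, so treat the output as a prompt to verify through an independent channel, as the article advises.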
If you have become the victim of a phishing scam, it’s important to act quickly. Change the compromised password, and the password on any other account where you reused it, contact relevant parties (like your bank), and report the incident to the ACCC or ACSC.
Further protection tips
Do you know how secure your digital workspace is? Take our cyber-security quiz to see where you stand.