Christmas Round-up

Cyber Round-up for 21st December

Welcome to the Christmas edition of Ironshare’s Cyber Round-up, where we look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.

Apple ID Phishing Campaign Tricks Users with Fake App Store Receipts

An email phishing campaign has been seen doing the rounds, which is targeting Apple users by pretending to be a receipt for a purchased item on the app store. The email arrives stating confirmation of the purchase and invites you to check the attached PDF document for details.

This type of attack is relying on the user’s shock factor to react and open the attachment on the basis that they haven’t made such a purchase on the app store. Although the initial email is not the most convincing phish seen, the rest of the attack that follows is. The PDF receipt at first glance looks legit but contains a number of shortened links that redirect to the phishing site.

A victim that clicks on a link to report an incorrect purchase, is sent to a site identical to the real Apple web pages and although the web address does not belong to Apple it is marked as Secure, so could trick users into thinking it’s a valid Apple site.

The attackers start by requesting the Apple ID and password, which once entered sends the victim to another page that informs them their account has been locked for security reasons. In fear that their account has been hacked the victim may continue to try and unlock their account, sending them to another Apple looking page, where the actors then look to gain more personal information including full name, address, payment information, security questions etc.

Once all the information has been entered and submitted a new page appears to confirm that the account has been verified and states it will automatically log you out. The really sneaky part then comes when the phishing site redirects to the real Apple login page and displays a warning that the session was timed out for your security. We believe that this is to try and convince the victim that all is now well, when in fact the actors now have enough information to carry out identity theft and fraud against the victim.

To protect yourself from these phishing threats:

  • always look out for suspicious email senders and URLs;
  • never open attachments or click links from untrusted sources;
  • if you are certain you have made no purchase and have concerns about your account, do not open the attachment, go direct to the Apple site and report the issue;
  • remember that Apple will never ask for all your personal information to recover your account.

For more details on this campaign including example screenshots of the email, receipt and phishing site, please see Lawrence Abrams Bleeping Computer post on the topic.

Email Fraud Continues to Rise in 2018

A recent post by Proofpoint has highlighted a significant rise in email fraud and targeted email attacks this year, with stats showing an 80% increase in Q3 based on the previous year. Email fraud is a targeted method of attack that includes techniques such as Business Email Compromise (BEC).

Business Email Compromise (aka a BEC scam) involves the attackers spoofing an email to make it look like it came from a company executive and aims to convince staff at lower levels of the organisation to part with company funds. It is reported that BEC fraud targeting just 9 US companies has resulted in losses of approximately $100 million.

Proofpoint’s analysis of these worldwide attacks shows that companies have been targeted with an increasing frequency each quarter of 2018. Proofpoint state that the proportion of companies that were targeted by more than 50 BEC attacks in a quarter nearly doubled – from 11% to 20% – over the previous year.

Malicious actors use multiple techniques to carry out these types of attacks, including Email Display name spoofing, Domain spoofing and Lookalike domains.

With these types of email threats continuing to pay dividends to attackers, it is important that your organisation ensures they are protected. Strong email defences are required that use Email Security solutions such as Cisco Email Security, and incorporate technologies such as SPF, DKIM and DMARC that can help to prevent spoofing.

As a precaution if you receive an email such as this from one of your executives, always confirm in person that they have sent it and their instruction is legitimate.

8th Annual Worst Password List

SplashData, the makers of password manager software SplashID and TeamsID have recently released their 8th annual worst password list. The list is based on their analysis of over 5 million passwords that have been leaked on the internet, through the constant flurry of data breaches and attacks that continue to plague companies worldwide.

Topping this list as the worst most used password, for the 5th year in a row is ‘123456’, with the following rounding out the top ten.

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou

This makes for depressing news, especially in the light of the continued reports of data, privacy and account information breaches, users are still not learning that better password security is required to protect their personal information.

Users are advised to follow good practice when creating new passwords:

  • Always create strong passwords that are not easy to guess.
  • Never use simple passwords like those above or include names, usernames, family names, date of birth etc.
  • Try to use three completely random words, or combine upper and lower case letters, numbers and special characters (!£$*#).
  • Never use the same password twice, ensure that passwords are unique for each account / site you visit.
  • If you struggle to create unique memorable passwords, then try using a password manager to do this for you.

Microsoft Release Out of band Zero-Day Patch for Exploited Vulnerability

Only a week after the scheduled monthly patch Tuesday release of security updates, Microsoft has been forced to release an unscheduled patch for a zero-day vulnerability in its Internet Explorer browser.

Google were responsible for bringing this vuln to Microsoft’s attention, reporting that this is being actively exploited in targeted attacks.

The vuln exists due to how the browsers scripting engine handles objects in memory. By exploiting the corrupted memory an attacker can remotely execute code on the target machine, as the current logged in user. If the user has administrative rights to the machine, the attacker could take full control of the vulnerable system.

Information on the vulnerability and its associated security update can be found here.

To prevent your computer systems and organisations from compromise, it is recommended that all systems not configured to auto-update have this update applied immediately.

Emotet Sends Unwanted Christmas Greetings

The Windows Defender Security Intelligence team have identified a number of holiday themed greeting emails, reported via their twitter feed. These emails distribute a variant of the destructive Emotet virus family using office documents pretending to be Christmas Greeting cards.

The team has witnessed a campaign from the Emotet gang with emails titled ‘Christmas email greetings’ that contain attached word documents such as ‘Christmas-greeting-card.doc’ and ‘Christmas eCard.doc’. Each attachment includes the Emotet trojan payload, identified by MS as Trojan:Win32/Emotet.AC!.

Emotet started life some time back as a banking trojan but has since evolved to become a distributor of more malicious and destructive threats, such as network worms and wiper malware.

Look out for these malicious emails and ensure you have active anti-virus / anti-malware protection in place on all your computer systems, which is kept up to date at least daily, to protect against this threat. And as always never open any email attachments unless you are certain they are from a trusted source.

Ironshare wish you all a very Merry Christmas and a Happy New Year.

Remember – always stay safe and secure.

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe:

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment:


Ironshare – Security Simplified


Edition #22 – 21st December 2018