TechByter Worldwide

Speak softly and carry a large microphone


29 Jan 2017

Crooks Want Your Google Credentials

A listener sent me a link that he had recently received. It claimed to be a link to a file that he needed, but when he hovered the mouse cursor over the link, he saw that it went to a site in Greece. It was an attempt to trick him into revealing his login credentials so the crook could use them.

I used a process by which I can safely view the target page. It consisted of a single automatic redirect, written in JavaScript, to another site in Greece. Investigating that site, I found that the page greets the user with "Welcome to Google Docs. Upload and Share Your Documents Securely".

An embedded form pretends to be a login screen for Google Docs and provides options to log in with credentials from other services. Potentially, it could collect the user's credentials for Google, Yahoo, Hotmail, and AOL. Based on what I saw in the code, the fake page would be a fairly good representation of Google.

It's the Google credentials that are most useful because they provide access to all of Google's services. This is an uncommonly good bit of work and it can fool even experienced users.

Phishing scams are usually easy to spot because of spelling errors, bad grammar, fraudulent URLs, or attachments that are obviously dangerous. This time, not so much.

If you use Gmail, you are at risk.

The crooks start with a Gmail account that they've already gained access to using a method such as the one I just described. They start sending messages from the Gmail account to people in the user's Google contacts.

Next, the receiver finds a message from a known person. All of that has been done before, but here's where the thieves display their creativity. Because they have access to a real Gmail account, they have access to messages sent from that account.

Their phony messages use a subject line, text, and attachments from emails already sent by that account. As a result, the message is from somebody the recipient knows and the topic seems legitimate.

The message has an attachment that's an image of an attachment sent previously. The user who clicks the image will be taken to what looks like a Google login page. Sound familiar? The thieves are about to gain access to another account.

Thinking that the login page is legitimate, the victim enters a user name and password. Their account has been compromised and the crooks can start sending more fake messages to the new victim's correspondents.

The URL looks legitimate (accounts.google.com), but there's a bit of text in front of it: "data:text/html" and that makes all the difference in the world. The data: prefix tells your browser that what follows is HTML to render directly rather than an address to fetch, so the accounts.google.com text is simply part of the phishing page's own content and nothing is ever loaded from Google. Once the crooks have your credentials, they start sending fake messages within seconds.

Avoidance requires uncommon diligence. Take a look at the URL and if it looks like this, it's phony:
data:text/html,https://accounts.google.com/ServiceLogin?/service=mail.....
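As an added example (not code from the TechByter article), here is a small Python checker that applies the rule above to a URL string: a data: URL is rendered from its own body, so any https://accounts.google.com text after the comma is just content, not a destination. It goes slightly beyond the article by also flagging two related address-bar tricks, a look-alike host that merely contains accounts.google.com and a user-info prefix (user@host) that pushes the real host out of view. The host list and the category names are assumptions made for this example; the sample URLs are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine Google sign-in page is expected to live on (assumption for this example).
LEGIT_LOGIN_HOSTS = {"accounts.google.com"}

# data:<mime>[;params],<body> -- the body is rendered locally, never fetched from a server.
_DATA_RE = re.compile(
    r"^data:(?P<mime>[^,;]*)(?P<params>(?:;[^,]*)*),(?P<body>.*)$",
    re.IGNORECASE | re.DOTALL,
)

def classify_url(url: str) -> str:
    """Classify an address-bar string the way a careful user should read it.

    Returns one of (category names chosen for this example):
      'data-uri-spoof'  data:text/html body that contains an https:// address
      'data-uri'        any other data: URL (still not a place Google would sign you in)
      'userinfo-spoof'  https://accounts.google.com@evil.example/ style URL
      'legit-login'     https to a host in LEGIT_LOGIN_HOSTS
      'scheme-spoof'    a login host reached over plain http
      'lookalike-host'  host that merely contains a legitimate login host name
      'other-host'      anything else
    """
    url = url.strip()
    m = _DATA_RE.match(url)
    if m:
        body = m.group("body")
        if m.group("mime").lower().startswith("text/html") and re.search(r"https?://[^\s/]+", body):
            return "data-uri-spoof"
        return "data-uri"

    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.username is not None:
        # Browsers resolve the part after '@'; the part before it is decoration.
        return "userinfo-spoof"
    if host in LEGIT_LOGIN_HOSTS:
        return "legit-login" if parsed.scheme == "https" else "scheme-spoof"
    if any(legit in host and host != legit for legit in LEGIT_LOGIN_HOSTS):
        return "lookalike-host"
    return "other-host"

# Constructed sample inputs, not addresses taken from any real campaign.
SAMPLES = {
    "data:text/html,https://accounts.google.com/ServiceLogin?service=mail": "data-uri-spoof",
    "https://accounts.google.com/ServiceLogin?service=mail": "legit-login",
    "http://accounts.google.com/ServiceLogin": "scheme-spoof",
    "https://accounts.google.com.login-example.gr/": "lookalike-host",
    "https://accounts.google.com@evil.example/": "userinfo-spoof",
    "https://example.com/docs/share": "other-host",
}

def check_samples() -> bool:
    """Run every constructed sample through classify_url and report whether all match."""
    return all(classify_url(u) == expected for u, expected in SAMPLES.items())

if __name__ == "__main__":
    for u, expected in SAMPLES.items():
        print(f"{classify_url(u):15} {u}")
    print("all samples classified as expected:", check_samples())
```

The regular expression deliberately ignores everything before the first comma except the MIME type, because that is exactly what the browser does: a data: URL has no host, so there is no server to be "legitimate".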

Gmail can be secure. Google offers two-factor authentication and while it's cumbersome to have to receive an authorization code every time you log on from a new device (or clear the cookies on an existing device), it can eliminate a great deal of trouble.

We'll take a look at that next.

Enabling Google's Two-Factor Authentication

Using Google's two-factor authentication makes using the service slightly more cumbersome, but it can stop crooks dead in their tracks. Google accounts have a user name and a password. As described in the previous article, thieves have clever ways to get you to reveal your password to them.

At its most basic, 2-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by requiring more than one identity token.

Multi-factor authentication components can use something you know (a password or PIN, for example), something you have (a USB device, token, or key), or some physical characteristic (fingerprint, iris scan, or voice pattern).

Passwords are virtually universal and often are the only items used. Single-factor authentication is relatively easy to break, though. The second factor, whether it's a physical characteristic or a physical device, makes defeating the security system much harder.

An article in Wikipedia discusses the use of RSA SecurID tokens that have a built-in screen to display the generated authentication number, which the user then types in.

The major drawback of authentication that relies on something the user possesses is that the physical token must be carried by the user at all times. Loss and theft are risks. Mobile phone 2-factor authentication is an alternative method that avoids these issues. A dynamic pass-code is sent to the user's mobile device by SMS or generated by a special app, so there's no need for an additional, dedicated token.

The Wikipedia article notes that security of the mobile-delivered tokens depends on the mobile operator's operational security and can be easily breached by wiretapping or SIM-cloning by national security agencies.

To establish 2-factor authentication, start on the sign-in options page.

You'll need to enter your password even if you're already logged on to a Google account. Click Get Started and you'll be asked to provide a phone number. The phone can be a cell phone or a land-line. Cell phone users have the option of receiving a text message or a phone call; land-line users will not have the option of receiving a text message.

Click Try It and you'll receive a 1-time code. Type the number in and continue to a page of options.

The first option is Backup Codes. If you might need to log on to Google from a new device and you might not have your phone with you, creating a list of 1-time codes is useful.

The second option is called Google Prompt. Select this if you want to replace the security code that you need to enter at login time with a pop-up message on your phone. You'll need either an Android or iOS phone. Start in the appropriate store for your phone, download Google Authenticator, and install it. Continue on the PC until you see a bar code to scan.

Open the application on the phone, which will require logging in again as a security measure, and allow it to scan the barcode.

You'll then need to type the security code from the phone into the browser. This may seem like a lot of work, but you need to do most of it only once to set up the prompt option.

Once you've done that, your phone will be connected to your Gmail account and when you log in from an unknown computer (or when the person who has stolen your credentials tries to log in), you'll receive a message on your phone.

If you're not currently trying to sign in, click No and the thief who's trying to use your account will be disappointed.

Authenticator App is the third option and it can be used to obtain verification codes even when your phone is off-line. This is available for Android and iOS phones. This is the option I just described. It's required for Google Prompt, but can also be used independently.

The fourth option adds a Backup Phone, that of a spouse or close friend so that you can use it to receive codes if your phone is lost or otherwise unavailable.

The final option allows you to use a Security Key, a hardware device that would plug in to a USB port on your computer.
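The bar code you scan in the Authenticator App step carries a shared secret, and the app can produce codes off-line because each code is just an HMAC of that secret and the current 30-second time slot (the TOTP algorithm of RFC 6238, built on HOTP from RFC 4226). The following Python is an added illustration of that mechanism, not Google's code and not from the article; the base32 secret and the time values are taken from the public RFC test vectors, and the verifier's acceptance window of one step either side is an assumption about how a server might tolerate clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate, take `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time slot."""
    return hotp(secret, for_time // step, digits)

def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret an otpauth:// QR code carries (padding is often omitted)."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def verify(secret: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current slot or `window` slots either side.

    hmac.compare_digest avoids leaking which digits matched through timing.
    """
    slot = now // step
    return any(
        hmac.compare_digest(hotp(secret, slot + delta), submitted)
        for delta in range(-window, window + 1)
    )

# RFC 6238 test secret: the ASCII string "12345678901234567890", shown here base32-encoded
# as an authenticator QR code would carry it.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("code for RFC time 59:", totp(secret, 59, digits=8))   # RFC vector: 94287082
    now = int(time.time())
    current = totp(secret, now)
    print("code right now:", current, "verifies:", verify(secret, current, now))
```

Because the code depends only on the secret and the clock, nothing needs to be transmitted to the phone at login time; that is why the article can say the app works off-line, and also why the secret on the phone (and its backup) needs the same protection as a password.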

Security is increasingly important and Google's 2-factor authentication is worth looking into.

Short Circuits

New World Record for Data Breaches

It should be a surprise to nobody that 2016 was another record year for data theft. More than 4000 breaches were reported during the year and 4.2 billion records were exposed. The previous high was 1 billion in 2013.

The 2016 Data Breach QuickView report by Risk Based Security says the number of data breaches increased only slightly in 2016, but the impact per incident increased dramatically. Attacks that exposed more than 1 million records increased by more than 60% and attacks that exposed more than 10 million records more than doubled.

RBS says businesses accounted for about half of the breaches and that more than 80% of the exposed records came from attacks on businesses.

The Online Trust Alliance's 2017 Cyber Incident & Breach Response Guide takes a slightly different approach by reporting "cyber incidents", which include corporate data loss, ransomware, unreported breaches, and other incidents.

The OTA report lists 82,000 such incidents that affected organizations around the world -- more than 200 every day. Most such incidents are not reported, though, so the OTA estimates that the true number for the year could exceed a quarter million.

A report by Experian, the 2016-2017 Data Breach Response Guide, says the average cost of a data breach is also on the rise. Quoting the Ponemon Institute, the Experian report says that the average total cost of a data breach increased from $3.79 to $4 million in 2016. The average cost to a business per lost or stolen record with sensitive or confidential information increased from $154 in 2015 to $158 in this year’s study.

Besides being a high-cost single event, data breaches have long-term implications. The OTA report notes that the Internet Society found that nearly 6 in 10 customers would stop doing business with a company that had a data breach. Nearly all cyber incidents (about 90%) could have been avoided according to the OTA, but some will always be inevitable.

Reports are available here:

Possibly the Least Exciting Computer Application Ever

Shopping for tires? Well, now there's an app for that. Sears Auto Center is piloting a "Digital Tire Journey" web app that relies on IBM Watson Natural Language Classifier service to help customers identify the appropriate tires to fit their driving preferences.

A tire is a tire is a tire, or so you may think. But the Sears application will allow users to place themselves in one of these categories: Comfort Warrior, Value Seeker, Off-Roader, High Performer, Safety Seeker, or Winter Warrior. (And people who are old enough to remember when Chickenman was on the radio will understand why I keep wanting to type "Winged Warrior" here. "Winged" is pronounced "WING-ed", by the way.)

But to return to the main topic, choosing the right tire can be difficult because thousands of different tire brands, makes, and models exist. Of course, your selection will be automatically limited to tires that are the right size for your vehicle.

Websites that sell tires often limit users to a drop-down menu of pre-selected tires that don't take into account the driving and lifestyle preferences of shoppers. To find the best tire, consumers may want to consider their everyday routines and hobbies in addition to their vehicle's make, model, and tire size.

A parent who's primarily concerned about safely driving children to band practice would see tires with higher safety ratings; the app recommends the tires that are most consistent with the buyer's needs.

Brian Kaner, president of Sears Auto Centers, says that the Digital Tire Journey helps customers cut through the clutter by integrating digital, mobile, and on-line experiences with in-store shopping.

The user can start by entering a license plate number or the make and model of the vehicle. That's right: If Sears knows your license plate number, they also know the make and model of the car it's on. Well, sometimes. I have a ham radio license plate and when I enter that number, the service tells me that it's too short. So I described the car with year, make, model, and trim information. The service recommended 5 tire choices, which is better than what I've seen from the dealer or from most other tire stores.

If you'd like to give it a test drive, visit the Digital Tire Experience.

Sears Auto Center has more than 600 locations nationwide.