PHISHING: Know Your Technology!

I received a call today from a bot reporting itself as Amazon and alerting me that a $1,000+ charge had been made on my Amazon account for a new iPhone 11 and to press “1” for a rep to discuss this charge. Naturally, I pressed “1” to play along and see where this went.  I was transferred to an agent purporting to be an Amazon customer service rep.  He asked me if I wanted to receive the phone and was surprised when I answered “hell yeah” since they’re expecting you to be shocked by this order and to scare you into giving up personal information or remote access to your computer.

When I answered yes, he proceeded with shipping information.  Is this going to “Ken Carmack?”

ME:  “Yes”.

REP:  “Is the address 167…”

ME:  “No, that should be 167 Main Street”

REP:  “OK, is that going to Raleigh?”

ME:  “No, it should be Wilkesboro”

By then, he knew that he was being played and disconnected.

The bottom line here is that phishers are constantly whipping up new schemes such as this one to scare you into thinking that you’ve been charged for a TV, iPhone, Norton antivirus or similar. In your panic, they hope that you will divulge personal information or provide access to your computer, which they can then exploit.

A common tactic that I’m seeing lately is an email with an invoice or payment confirmation stating that your account has been debited $389.99 for McAfee or Norton renewals and to call their 800 number if you need assistance or have questions. One client of mine was scared into action by this, dialed the 800 number and provided remote access to his computer to an “agent”. BOOM! A win for the attacker!

Another common tactic is an email from “Microsoft” warning that the password to your Microsoft account is expiring in short order. The goal here is for you to click on the link, proceed to a page that looks like Microsoft and enter your user credentials there, which they can then use to log in to your actual Microsoft account. These emails sometimes look like they originated from Microsoft but are often sent from an email account or domain that bears no resemblance to Microsoft, such as billy@wescammedyou.com.

So how do you spot and avoid phishing tactics? There are several red flags or rules of thumb to keep in mind:

  1. KNOW YOUR TECHNOLOGY! Are you using McAfee or Norton, such that a renewal is in order? If not, don’t take the bait.  Most of my clients use BitDefender so be aware of your security suite.  I never use McAfee or Norton unless a client has purchased that on their own. Nevertheless, you should be aware of what is protecting your computer, not only to ensure you’re protected, but also as a defense against phishing.
  2. Does the sender’s email address resemble the soliciting company? For example, one McAfee renewal that I reviewed came from an @gmail.com account which raised a red flag. If the sender’s address is hidden, hover over the sender name/address to see the underlying sender’s account. If the sender presents as Microsoft, see if the underlying email address is actually @microsoft.com.  While this is not foolproof, you can quickly rule out many bogus emails that arrive in your inbox.
  3. Does the invoice address you by name or company name? If the renewal is addressed to “Dear Customer”, then they probably never had the original subscription.
  4. Is your address or last 4 digits of your credit card referenced? Once again, vague invoices/confirmations with scant specific details are a red flag.
  5. When in doubt, send the items to your IT department to verify for legitimacy.
  6. Under no circumstances should you reply to the email or call their 800 number. If you’re legitimately concerned that you’ve been charged, then log in to your banking or credit card account and scan for pending or completed charges. If the caller or email claims that the purchase was made in your Amazon account, log into that account and review your orders. When accessing financial or online accounts NEVER, EVER click a link in an email. Always open your web browser and navigate to your accounts as you normally do. Links in emails can send you to web pages that look like the real website but are designed to collect your user credentials. Also, enable 2 factor/multifactor authentication on accounts that contain financial or sensitive information.
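Red flag #2 (does the sender’s address match the brand the sender claims to be?) can be automated. The following is an added example, not code from the original post: it parses a raw From: header, looks for a brand claim in the display name, and cross-checks the mailbox domain against a constructed, illustrative list of each brand’s domains. The sample headers are constructed too, apart from the billy@wescammedyou.com address quoted above.

```python
from email.utils import parseaddr

# Brands impersonated in the examples above, mapped to domains that
# legitimately send mail for them. Constructed, illustrative allow-list;
# a real deployment would maintain its own.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com",),
    "mcafee": ("mcafee.com",),
    "norton": ("norton.com", "nortonlifelock.com"),
    "amazon": ("amazon.com",),
}


def domain_belongs_to(domain, brand_domains):
    """True if domain equals one of brand_domains or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)


def check_sender(from_header):
    """Apply red flag #2 to a raw From: header value.

    Returns (verdict, reason). The verdict is "suspicious" when the
    display name or mailbox name invokes a brand but the mailbox domain
    is not one of that brand's domains.
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable address in From: header"
    local_part, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    # Look for a brand claim in the display name and the part before the @.
    claim_text = (display_name + " " + local_part).lower()
    claimed = [b for b in BRAND_DOMAINS if b in claim_text]
    if not claimed:
        return "no brand claimed", "nothing to cross-check; apply the other red flags"
    for brand in claimed:
        if not domain_belongs_to(domain, BRAND_DOMAINS[brand]):
            return "suspicious", f"claims {brand} but sends from {domain}"
    return "domain matches", f"{domain} belongs to {', '.join(claimed)}"


# Constructed sample headers (the first one reuses the address quoted in the post).
SAMPLE_HEADERS = [
    "Microsoft Account Team <billy@wescammedyou.com>",
    '"McAfee Renewals" <mcafee.billing@gmail.com>',
    "Microsoft account team <noreply@accounts.microsoft.com>",
    "Ken Carmack <ken@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = check_sender(header)
        print(f"{verdict:15} {reason}  <- {header}")
```

A "domain matches" verdict only means the header claims a legitimate domain; the From: header itself can be forged, so this rules out sloppy fakes and nothing more, which is why the other red flags still apply.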

One more phishing story and I will get back to work.  A few months ago a client called and stated that their company’s president’s (let’s call him “Fred”) phone had been hacked. A young employee (call him “Jimmy”) in the company received texts from the president asking him to run an errand and buy 15 Apple gift cards at $100 each to distribute to the staff as performance awards.  Oh, and don’t bother calling Fred because he’s in meetings and using someone else’s mobile phone since his battery is dead. Long story long, Jimmy followed the instructions to a T, purchased the cards, scratched off the backing, shot photos and texted the images to “Fred’s” phone.  BOOM!

Bottom line, Fred’s phone was never hacked.  It was probably a burner phone that got trashed immediately after the successful caper. Further, my client contacted Apple to deactivate the gift cards.  I suppose that’s possible, but the hacker knew that time was on his side and wasted no time spending them. Jimmy was out $1,500 at the end of the day.

A few key rules of thumb that could have prevented this hack:

  1. Verify the sender using a different communication method. Don’t text Fred back to ask if it’s really him since the attacker will respond affirmatively. Call Fred on his landline or send an email. I have seen successful attacks where the hacker emailed the victim, the victim verified via the same email channel and the attacker confirmed “yeah, this is legit!”
  2. Run a smell test: Does it make sense for the president to reach out to a new employee for an errand like this?  If you don’t have the experience/context to answer that question, check with your peers.  If Fred is really in a meeting, what’s a few minutes to ask around to confirm that? Remember, these hackers use fear to kick you into quick action, which always works in their favor.
  3. Avoid mobile numbers on your company website. If you want to post phone numbers, add landlines that cannot receive texts. You can configure most landlines to forward to a mobile phone so that you don’t miss calls. Many phishing attacks are via text message, so posting your mobile number on the web provides a very easy target.
  4. When in doubt: DON’T!

Over the years, we’ve all learned to ignore and delete emails from Egyptian pharaohs, lottery winnings, and all the other too-good-to-be-true trickery.  However, scammers are getting more clever, so it pays to be cautious and dial up your BS detector.

Be careful out there!

Additional resources on phishing methods, prevention and remediation:

Federal Trade Commission:  How to Recognize and Avoid Phishing Scams

PC Mag:  How to Avoid Phishing Scams

NC Department of Justice:  Phishing

For Whom the Bell Tolls: Microsoft Ending Support for XP in 2014

Microsoft announced in April 2012 that it will end support for Windows XP and Office 2003 in April 2014. This is certainly no surprise since the operating system will celebrate its eleventh birthday this October. By the time Microsoft ends support, it will have been on the market for almost 12.5 years — 2.5 years longer than the company typically supports an operating system (“OS”).

So what’s the big deal?  No one really uses XP anymore, do they?  As a matter of fact, XP has maintained strong market share despite the popularity and stability of Windows 7. According to StatCounter.com, Windows 7 finally overtook XP in the fall of 2011 – a full 2 years after Windows 7’s October 2009 release. This is a pretty remarkable stat for a ten-year-old operating system that is 2 generations removed from Windows 7.  Windows 7 now holds a firm lead at 49% of the OS market with XP now trailing at about 31%, Vista at 8%, and Mac OSX at 7.5%.

Is it time to run out and spend $100+ for Windows 7?  Probably not, unless you have other compelling reasons (like Vista) to upgrade. You still have some time and there’s a good chance that you will decide to replace your aging computer between now and XP’s scheduled sunset in April 2014.  After all, XP has not sold on retail shelves since late 2010, so your PC will be at least 4 years old by then.

For most people, migrating to a new operating system is a big hassle, but can be done over the course of a weekend.  An enterprise, however, can take 18 months or more to migrate to a new OS. About six months ago, an international law firm replaced all of their laptops and desktops across the firm.  Surprisingly, the IT staff decided to wipe Windows 7 from all of these new machines and replace it with Windows XP – quite a surprising move in light of XP’s advanced age.

In a world where online threats are constantly plaguing systems, and where hackers have successfully defeated Windows Update’s digital certificates, it is critical to run an operating system that still receives updates – especially when that software company has a history of releasing operating systems with gaping security holes. You know those Windows Update notifications you receive several times a month?  Some of those make the system run a little better or tweak instability issues.  Most of the updates, though, patch security vulnerabilities that Microsoft has identified or that hackers have already exploited.  Thus, it’s pretty critical to abandon an operating system that is no longer supported.

If you decide to upgrade, should you wait for Windows 8, or choose Windows 7?  As much as Microsoft wants Win8 to set the new standard the way Windows 95 did, their track record is not so great. Most in the IT field will agree that every other major Microsoft OS release has been junk (Windows 95 [sure, it turned out to be decent after a challenging start], Windows ME, and Windows Vista were all stinkers).  Will Windows 8 break Microsoft’s trend of substandard operating systems?  I have a theory that they release bad operating systems to build demand for subsequent releases.  Plus, they buy time for hardware manufacturers to develop drivers for the new release and software developers to build compatible apps.

Think about Vista: I have seen plenty of Vista machines that became so corrupt or slow that it made more sense to simply erase the OS and reload.  In the likely event that the user lost their system installation disks or simply decided to pull the plug on a bad OS, they shelled out $100+ to purchase Windows 7.  Thus, Microsoft got paid when Dell, HP, and others sold the new computer, and MS got paid again when users became fed up with [insert crappy Windows release] and purchased a new retail copy.

Back to Windows 8, one major factor in Microsoft’s corner is their push to make a consistent user interface (UI) for desktop/laptop computers, tablets and phones the way that Apple has done.  One of Apple’s strengths is that the UI is consistent from their desktops/laptops to iPhones to iPads to iPods. No one else has mastered this yet:  Android’s UI on phones and tablets is consistent, but they don’t have significant market share in their ChromeBook category.  I don’t know if Microsoft’s UI is consistent from PCs to mobile devices because no one is buying them yet...  MS has only grabbed up about 2% of the U.S. smartphone market. They’re not winning any fans either, following recent announcements that the new Windows Phone 8 OS cannot be installed on existing Windows 7 phones… GASP!

If you listen to the Apple fanboys, the desktop/laptop era is dead and PCs will give way to tablets and handheld devices.  While reports on the death of the PC are greatly exaggerated, most industry experts believe that mobility is where the biggest innovations (and profitability) will be for the foreseeable future. Thus, Windows needs to get it right NOW with their mobile platform or cut bait. But I digress.

The bottom line on XP is that it’s time to start thinking about upgrading your business systems, especially if you have a large number of users still on XP.  It’s probably safe to hang on another year or two with your personal XP system(s) since you will likely replace those systems anyway. I certainly will!  To avoid major security issues, though, it’s critical to jump the XP ship when Microsoft pulls the plug in 2014.

I have no intentions of rushing out and upgrading to Windows 8 when it is released in late 2012.  If history teaches us anything, Windows 8 will be buggy out of the box and will emerge as yet another problematic OS that will ultimately be fixed by its successor, presumably Windows 9.  Windows 7 will become the new XP in that its solid performance, security and stability will make it a market leader for the next decade.

Share your thoughts and stories on XP or other Windows releases.  I would also like to know your predictions for Windows 8.

As always, if PartnerTechs can help you with your small business technology needs, please contact Ken Carmack.