Skip to content

Category: cyberattacks

Published on

If you think your social media or email account has been hacked, wrestle it away from the bad guys by acting fast.

Hackers use a bunch of different tactics to try to compromise people’s email, banking, social media, device, and other online accounts. Sometimes they do this to spam your friends with coupons, but other times they want to steal your money or identity. By alerting authorities and following a few steps, you can often retake control of your hacked account.

However, fast action is crucial. If you suspect that your digital account has been hacked, do something about it as soon as you can. Here’s what you need to know right now!

How does an account get hacked?

Security breaches happen in many ways – sometimes you might click on a bad link, or the company in charge of the account could be attacked. This is why cybersecurity is so important to us all, and why we at the National Cybersecurity Alliance are so hyped up about it!

Commonly, an account is hacked through phishing. This is when cybercriminals use misleading emails, social media posts, phone calls, texts, or DMs that lure you to click on a bad link or download a malicious attachment. If you take the bait, the hackers can get access to your device or account.

Another common way your account could be hacked is if there is a data breach that reveals your username and password. The company controlling the account in question could be hacked, for example. If you reuse passwords, if any platform you use is compromised then cybercriminals might know your password for many accounts. This is why you should have a unique password for each account and change your password ASAP if you find out a platform you use has had a breach.

Signs your account has been hacked

Does something seem off about one or more of your online accounts? Know the common symptoms of a hacked account.

  1. Unusual Social Media Activity: Your social media profile publishes posts that you didn’t create. Ditto for direct messages – hackers might use your account to send phishing DMs or posts to your followers. Often these posts encourage your friends to click on a link, download an app, or buy something through an online store.  
  2. Unexpected Messages to Friends: Friends and followers tell you that they received emails from your email address that you never sent, or DMs through social media that you never authored.   
  3. Unauthorized Login Notification: A company tells you that your information was lost via a data breach. In many places around the world, companies are required by law to tell you if they lost your data in a breach or cyber attack.  

What are 4 things to do when your account is hacked?

If you think an account is hacked, snap into action, and take a few quick steps to staunch the damage. You have the power to give cybercriminals the boot!

  1. Change Your Password: This will likely lock out the hacker. Unfortunately, it can also work the other way around: the hacker might change the password and lock you out. In this case, try using the “forgot my password” function to reset it. If that doesn’t work, contact the platform ASAP. If you used the same password for other accounts, you should change all of them, and start using unique passwords for every account. Use a password manager to generate and store all your passwords.  
  2. Notify your contacts: That your account was hacked. Let them know they may receive spam messages that look like you sent them. Tell your contacts they shouldn’t open these messages or click on any links contained in them. When the situation is cleared up, let everyone know that your accounts are secure again.   
  3. Update Your Security Software: Make sure your security software is up to date. Scan your system for malware, especially if you suspect your computer might be infected with a virus. Antivirus software will scan your device to check for any security issues. 
  4. Seek Assistance: Contact people who can help you. If you suspect someone has stolen money, this might mean calling the police and your bank. If a work account was breached, let your IT department know. If a social media or email account was hacked, alert the platform, and seek their help. If you think someone has stolen your identity, it is worth contacting the FTC. Let trusted friends and family know what you are going through so they can on the lookout for weird messages or posts from your account.  

Resources

Here’s where to turn if you have an account with one of these popular websites and you think its been hacked: 

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

Published on

GW Cyber Risk - One Minute Read

The FTC provides information concerning fake text messages you might receive. We have included excerpts of the content below as well as a link to the full article. The article describes the problem, provides examples, as well as offers tips on actions you can take if you receive fraudulent texts. Our bottom-line advice, validate text messages prior to taking actions they request using one or more of the following:

  • Pause and think before replying or following links. Even 'urgent' shipping notices can wait a few minutes.
  • Check you order history on merchants' websites. You have alternative means to check on order shipping status.
  • Review order confirmations and shipping updates in email messages to cross reference order messages.
  • Contact the sender, whether it is your boss or someone else, through a trusted method to verify they were the author and confirm details.

How to Recognize and Report Spam Text Messages - FTC Article

Excerpted from: https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages#what_to_do

If you have a cell phone, you probably use it dozens of times a day to text people you know. But have you ever gotten a text message from an unknown sender? It could be a scammer trying to steal your personal and financial information. Here’s how to handle and report unwanted text messages.

fraudulent SMS text example

Spam Text Messages and Phishing

Scammers send fake text messages to trick you into giving them your personal information — things like your password, account number, or Social Security number. If they get that information, they could gain access to your email, bank, or other accounts. Or they could sell your information to other scammers.

Scammers often try to get you to click on links in text messages by promising you something. Scammers might

  • promise free prizesgift cards, or coupons — but they’re not real
  • offer you a low or no interest credit card — but there’s no deal and probably no card
  • promise to help you pay off your student loans — but they won’t

Scammers also send fake messages that say they have information about your account or a transaction. Scammers might

  • say they’ve noticed some suspicious activity on your account — but they haven’t
  • claim there’s a problem with your payment information — but there isn’t
  • send you a fake invoice and tell you to contact them if you didn’t authorize the purchase — but it’s a scam
  • send you a package delivery notification— but it’s fake

The messages might ask you to give some personal information — like how much money you make, how much you owe, or your bank account, credit card, or Social Security number — to claim your gift or pursue the offer. Or they might tell you to click on a link to learn more about the issue. Some links might take you to a spoofed website that looks real but isn’t. If you log in, the scammers then might steal your username and password.

For more information and the full article please visit the FTC website https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages.

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

Cybersecurity is a shared responsibility for everyone. You can help #secureoutworld through direct action. Account compromises impacts individuals, families, organizations, and employers. The following tips can assist you in keeping your information and GW data safe.

The Core 4

As with most things in life, an ounce of cybersecurity prevention is worth a pound of cure. Follow our "Core 4" to show hackers you mean business.

1. Passwords / Password Managers

Use long, complex, and unique passwords. Every password should be at least 12 characters long and include letters, numbers, and symbols (like % or $). Ideally, your passwords should be random strings of characters, not recognizable words. Very importantly, each account should be protected by its own unique password. To create and store all these passwords, use a password manager!

2. Multi Factor Authentication

Switch on multi-factor authentication. Multi-factor authentication (MFA), sometimes called 2-factor authentication, adds a whole other level of security beyond your password. MFA will use biometrics, security keys, text messages, or an app to make sure you are you, even if a hacker gets access to your password. Enable MFA for any account that allows it!

3. Recognize and Report Phishing

Think before you click. Learn how to identity phishing messages, which will often try to inspire panic or urgency. Take a few seconds to read through the message and who sent it. With a little knowledge, you can spot most phishing attempts within moments.

4. Automatic Updates

Turn on automatic updates. The best way to get the latest, strongest security is to install software updates as soon as they are available - and the best way to know when they are available is to turn on automatic updates! Set it, forget it, and you won't regret it!

Checkout the Events Calendar for details on webinars related to the Core 4 and other cybersecurity topics.

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts

This blogpost is offered to you by the GW Information Security and Risk Services team. 

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

Published on

Written by Patrick Hansen

Grinch Taking Money Image


Keeping an eye out for scams is a year-round job for anyone who uses the internet. But for scammers, the holiday season is the time to strike, while everyone is distracted by time off, gifts, and plans with family. From fake websites, gift cards, to even fake charities, it is important to stay on guard during the last part of the year.

Holiday Phishing

(If you need a refresher on phishing read this piece.)

Criminals love the amount of shopping and shipping that goes on during the last quarter of the year. They pretend to be Amazon, UPS, FedEx, Apple, and almost every other household brand name there is. A lot of phishing attacks come by email, declaring a problem with your order, shipping, payment, etc. In the past few years, SMS phishing has also shot up with intent just as malicious.

Always remember, the real companies you interact with, won’t email or text you asking for personal information, and DON’T CLICK LINKS. If you are ever unsure about an email or text, look up the number for customer support and call.

Gift Cards

A gift card is a very sought after item for criminals because of the anonymous nature of purchases once it is gifted. Once it’s gone, it’s gone, and you won’t be able to get it back. Online, criminals will always try to get you to pay for a gift card and send them the information.

Another thing to look out for is gift cards that have been tampered with. When buying a gift card from the store, make sure that the credit card number on the gift card is still covered. Criminals have ways to monitor when the card with that specific serial number is loaded with money so they can try to spend it before you can.

Fake This, Fake That

Online shopping can be extremely convenient, but there are things to watch out for. Some scammers will put up websites and buy domains that look very similar to real brand websites in appearance and URL. Always try to verify the website you are on in some way. If you are ever paying for something online, the “s” in “https” is a must.

Sadly criminals will also set up fake charities designed to pull at your heartstrings. A quick Google search of the charity should provide enough information and others to verify it is real.

Conclusion

The holiday season is prime time for cyber thieves to attempt scams and steal your money and information. Always remember to double-check the random Amazon email, the random UPS text, gift cards, and everything else that is common for this time of year.

Never give out your information and if there is any doubt, just contact the company itself. It is important to be aware of these attacks and be on guard year-round, but especially around the holidays, so you can enjoy them with cheer.

 

Published on

Information Security Photo Collage

People have a lot of pre-conceived notions about security teams and practices. While some misconceptions may be grounded in truth and others fairly outlandish, there is a lot going on behind the scenes that users may not see. From claims that we are all hackers wearing hoodies and doing nefarious deeds to the perception that we are here to get in your way, we will help you understand what is true, what is not, and why these perceptions might exist.

Myth #1: Security is just here to say no

Being at a university presents the unique challenge of providing the tools and technology necessary for students and faculty to research, learn, and achieve their goals. We must strike a difficult balance between the availability of those resources and the security of the university and our community. As security professionals, we do everything we can to enable safe and reliable access to the tools that the GW community needs to reach their goals. We are here to facilitate a safe IT environment in which all students, faculty, and staff can access the resources that they need, sometimes it sounds like, “no”, but what we are really requesting is modifications that reduce risk of exposure or breaches at GW.

Myth #2: Security only deals with technology

Many people believe that IT security only works on securing servers, reading logs, and other highly technical tasks. On the contrary, the security team has a wide range of responsibilities of which technology is only a part. The security team is continuously engaging with people and data in a multitude of ways. Often trying to help people protect themselves and the organization through a security awareness program or working directly with other teams to enhance security within their operations. They are constantly trying to improve way to protect the GW community’s data by updating policies, implementing best practices, and assessing security processes.

Myth #3: The security team is just a bunch of hackers

Just as many people think that the security team is nothing but hackers. This is far from the truth. Information security is a wide field with many specializations and it takes all sorts to be effective. While some members of the team might be highly technical penetration testers, their counterparts are security professionals focused on defensive security and protecting the GW network and assets from outside threats. Not to mention that members of the IT Security team range from awareness professionals working with people and outreach to analysts focused on identifying and reducing risk.

Myth #4: The security team takes care of security so I don’t have to

The security team works tirelessly to ensure that the GW community, information, and assets are as well protected as possible, but the team is not always the first line of defense. Security is your responsibility too. Our community is often the first line of defense when it comes to attacks from outside GW. Social engineering (aka tricking people and deceiving them) is a common tactic employed by attackers and encompasses phishing, piggy backing, and taking advantage of users in the workplace. All of this means that you, the user, needs to play a vital role in protecting the university, or, as we call it #SecuringGW. Protecting your own information is an essential puzzle piece to overall security of GW.  Catching phishing emails and forwarding them to abuse at GW may seem like a small task, but it is small actions like this that alert the team and protect GW from large breaches. Being aware of people trying to enter buildings where they don’t belong, and maintaining a clean desk free of sensitive materials are all security measures that you can take to do your part in #SecuringGW.

Fact: GW Information Security – Your Trusted Advisor

The information security team strives to facilitate access to the resources that the GW Community needs in as secure a manner as possible. Security affects everyone; data loss, lack of availability, and compromised systems impede day to day business functions, which means it affects the day to day lives of everyone on campus. In order to help prevent this, the security team acts as a Trusted Advisor to everyone in the GW Community. Whether you want to implement a new system, service, or application, or begin a new project, involving the GW security team as Trusted Advisors from the start enables us to aid in proper project oversight and completion while maintaining and promoting the confidentiality, integrity, and availability of GW’s data, systems, and services.

 

Published on

Learn Social Engineering
OZKAYA, E. (2018). LEARN SOCIAL ENGINEERING

 

Previously, we discussed Social Engineering in the form of Phishing, a typically untargeted attack type that focuses on quantity over quality. However, not all Social Engineering attacks cast a large net, some get up close and personal. Attacks that involve pretexting are typically more focused and can be well planned and highly targeted; making them a credible threat to information security at any company.

Whether used in person or through other means of communication, pretexting is a dangerous method used by attackers to worm their way into systems and financial profit. Pretexting can be relatively simple and recycled constantly, but can also be well thought out, researched, and specifically tailored to each target. Ultimately, pretexting involves an attacker impersonating someone or having a “legitimate” reason to gain access where they do not belong.  Pretexting relies heavily on an attacker having convincing and effective aliases, stories, identities, and credibility.

The research conducted to carry out a pretexting attack is typically all open source. They might scour an organization’s web pages to understand the size, structure, and relationships, or they might look for company login portals such as HR sites, mail hosting, and VPN portals. Often times, attackers will try to find information on specific employees like email addresses, position within the company, and any other information that can be used to impersonate or manipulate them. Gathering all of this information about an organization helps attackers in understanding how the business operates and what type of attacks might work. If the target is a large company with thousands of employees then an attempt to impersonate someone is more likely to be successful than if the target is a small close knit business that would easily recognize an imposter.

Thorough research enables attacker to determine the best methods to gain unquestioned access to money transfers, systems, and other restricted areas. A tactic that attackers frequently use is to impersonate a target’s boss, an executive, or other important figure, and then urgently request money transfers to specified accounts. The hope is that the targeted individual will panic due to the urgency and fail to verify the transaction with anyone else. Other attack types include impersonating vendors, internal departments, or other entities who might have an already established relationship with the organization. The attacker may try to call the victim and using their false identity and back story, then get them to visit a fake company login page and input their credentials. With those credentials, attackers can now access potentially sensitive systems and data.

Whether a Social Engineer uses a relatively general pretext, or a highly targeted and well planned one, users should be aware of and able to prevent the danger that they pose. Preventing these kinds of attacks is not necessarily difficult, it just takes a bit of time and diligence. If someone asks you to complete a wire transfer, take the time to confirm that they are the ones that sent the email or made the phone call. Reach out with another form of communication to verify. Always confirm any backstory that is offered to you, if you have been asked to log into a portal to accept new compliance documents or policies, contact your compliance office to double check. If someone visits the office and claims to work for a maintenance company but they aren’t on your schedule, call the corporate office and verify that their employee is supposed to be there. Confirm package deliveries from delivery people you have never seen before. Be highly suspicious of anyone who contacts you and asks for login credentials, personal information, or financial details over the phone or through email. Always be wary of strangers trying to access systems, data, and even your office building. Take the time to protect yourself and your organization from attackers who try to manipulate you with convincing and well thought out back-stories and personas.

-

Kennedy, D. (2014, March 05). Pretexting Like a Boss. Retrieved June 20, 2019, from https://www.trustedsec.com/2014/03/pretexting-like-boss/

Nadeem, M. (2019, April 17). Pretexting: Definition and examples | Social engineering. Retrieved June 20, 2019, from https://blog.mailfence.com/pretexting/

Published on

Phishing diagram
From Wombat Security

Phishing

Phishing is a very simple and useful tool in an attacker’s arsenal. Phishing can lead to the exposure of sensitive information such as usernames, passwords, PII (personally identifiable information), and credit card information. So what is Phishing? It is at method used to obtain sensitive information from a victim that leverages social engineering and communications technologies that normal people use every day. There are various methods of phishing, with the most common being email, vishing (voice phishing), and smshing (text phishing). These methods can be blanket attempts that rely on quantity instead of quality (often called campaigns) or they can be very carefully crafted attacks with very specific targets (spear phishing and whaling). Luckily, identifying and defeating these attacks can be simple if you know what to look out for.

Email Phishing

Email is the hacker’s go-to for most phishing attacks; people wouldn’t think twice about receiving an email. Often times phishing emails will contain a malicious link, a malware attachment, or directly ask for sensitive information. In order to trick victims, these emails are crafted to appear from a big company, such as FedEx, Apple, or even from inside your own organization. Attackers use look-a-like or spoof emails to convince the target the email is legitimate. This can lead to compromised systems and/or exposed personal information, which can lead to further exposure of friends, family, and the victim’s organization.

Defeating Email Phishing:

  • Is the company logo/banner/design slightly off?
  • Would this person/company normally be sending you an email?
  • Should they already have the information they are asking for?
  • Never open unsolicited attachments
  • Legitimate Companies should never ask sensitive information through email
  • Use other methods to confirm the communication

Vishing

Voice phishing is growing in popularity and just like other types of phishing, vishing can be automated making it a dangerous tool. Attack examples include an “FBI” automated message, “IRS” tax refund/payment notification, or as a call from your local home improvement company. When attackers get on the line with their target they present a well thought out and engaging backstory to hook their victims. Impersonation is used in most vishing calls; attackers will impersonate IT staff, management in your company, and HR to appear official.

Defeating Vishing:

  • Ask the caller to provide information only you and they would know to ensure the caller’s identity
  • Never give sensitive information over the phone
  • If the call is suspicious, contact someone close to the individual, or through other means
  • Offer to call the individual back at the number in your staff/corporate directory, or at the number listed on the legitimate website

       

Smshing

Smishing sends texts to the targets phone in hopes of them clicking a malicious link, downloading malware, or returning sensitive information. Texts follow email phishing outlines and can be identified similarly. Many victims fall for smishing because they are unaware of the tactic and more trusting of texts. Don’t trust it more just because it’s a text message.

Defeating Smshing

  • Never provide sensitive information over text message
  • Avoid following random links
  • If you are unsure, reach out to your security team, or the communicating company
  • Do not call the number that texted you

Spear-phishing, Whaling & Campaigns

Most individuals come into contact with phishing campaigns. The goal of campaigns are to reach as many people as possible and hope for a hit. Whereas, spear phishing and whaling are techniques aimed at selected groups of individuals and executives. These are well planned, crafted, and executed, and shouldn’t be taken lightly. They aim to compromise victims with privileged access to systems, accounts, and resources. Victims typically don’t have the time to review these carefully crafted emails highly specific to the target and fall for the trap.

Defeating Spear-phishing and Whaling

  • Report suspicious emails looking for information to security
  • Verify communication with the contact through other methods
  • Attackers often impersonate colleagues, friends, and family
  • Always assume you’re a target
  • Opt for face to face meetings when possible (online or in person)

Published on
What is Social Engineering?

We frequently hear about cyber-attacks on organizations using highly technical and sophisticated methods, involving malware and vulnerabilities that most people don’t understand. However, what we don’t typically hear about is how the attacker got in. According to Verizon’s Data Breach Investigation Report, in 2019, a third of all data breaches involved social engineering attacks to include phishing, pretexting, and a variety of other social engineering methods.

Social Engineering involves gaining the trust of unsuspecting users via manipulation or trickery, in order to gain unauthorized system access, credentials, or commit fraud. Attackers will attempt to take advantage of a multitude of psychological traits such as carelessness, curiosity, empathy, complacency, and most frequently ignorance.

Why does it Matter?

Social Engineering attacks are more common than you might think and odds are that you will encounter one yourself in some form or another. Failing to recognize a social engineering attack could range from a minor inconvenience to a life changing event. Compromise from such an attack could lead to needing a password reset to having a bank account drained of funds, or could even be the launching point for the next massive data breach that makes headlines worldwide.

For example, the 2020 Twitter hack, which affected numerous high-profile accounts, resulted from a social engineering attack targeting employees. Similarly, the 2020 SolarWinds breach, one of the most significant cyber-espionage campaigns, involved social engineering tactics used against employees to gain access to critical infrastructure.

Social Engineering is a large threat to the safety of not just large organizations, but also the individual.

Social Engineering Life Cycle Image

Social Engineering Life Cycle

Much like software development and risk management, many cyber-attacks follow a lifecycle approach; with a continuing cycle of input and output constantly improving the process. Social engineering is no different and even has a few lifecycle models dedicated to it. In its simplest form however, the Social engineering lifecycle follows four basic phases: Investigation, Hook, Play, and Exit.

The Investigation phase is when an attacker performs their recon. They might choose their targets based on position within an organization, ease of access, or they might choose a wide range of targets just to see what sticks. After choosing a target they will use public information to learn as much as possible. Sources such as social media, company websites, and other profiles provide a wealth of information for attackers to use.

The Hook phase involves the initial interaction with the target; ranging from email to in person contact. During the hook, the attackers focus is on spinning a web of lies to manipulate victims at their will.

During the Play phase an attacker gains a stronger foothold and carries out the attack. Depending on their goals, they will begin disrupting or stealing sensitive and valuable data.

The Exit phase points to the end of the lifecycle. The Social Engineer will attempt to remove all traces of their presence and bring an end to their charade. Everything the attacker has gained or learned during the process is then used during a new attack cycle to more effectively con another victim.

Social Engineering and unaware users provide a vast attack surface that can be easily taken advantage of.  Meaning that you need to do everything you can to be prepared for and protect yourself from the conmen of the internet age.

Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.