As if the devastating effects of Hurricane Harvey are not bad enough, the United States Computer Emergency Readiness Team (US-CERT) of the Department of Homeland Security is warning of a different threat:  falling victim (or exposing your entire company) to Harvey-related phishing schemes.

Fraudulent emails carrying malware payloads or directing users to phishing or malware-infected websites have been identified and US-CERT is issuing cautions.  Emails requesting donations or appearing as “breaking news” alerts often appear during and after major natural disasters.

The warning continues:

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

Make sure to take a minute and remind your network users about this scam so that we don’t create a new set of Harvey-related victims out of those who were just trying to help.


Another day, another data incident.  If you use DocuSign, you’ll want to pay attention.

The provider of e-signature technology has acknowledged a data breach incident in which an unauthorized third party gained access to the email addresses of DocuSign users.   Those email addresses have now been used to launch a massive spam campaign.   By using the stolen email address database and sending “official” looking emails, cyber criminals are hoping that recipients will be more likely to click on and open the malicious links and attachments.

DocuSign’s alert to users says in part:

[A]s part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

A portion of the phish in the malicious campaign looks like this:


Two phishing campaigns already detected and more likely

The DocuSign Trust Center has posted alerts notifying users of two large phishing campaigns launched on May 9 and again on May 15.

The company is now advising customers NOT TO OPEN emails with the following subject lines, used in the two spam campaigns.

  • Completed: [domain name]  – Wire transfer for recipient-name Document Ready for Signature
  • Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature

We recommend that you change your DocuSign password in light of this incident as an extra measure of caution.    Also, DocuSign (and other similar services) offer two-factor authentication, and we strongly recommend that you take advantage of this extra security measure.

As always, think before you click.

Last week the clothing retailer Eddie Bauer LLC issued a press release to announce that its point of sale (“POS”) system at retail stores was compromised by malware for more than six months earlier this year.  The communication provided few details but did specify that the malware allowed attackers to access payment card information related to purchases at Eddie Bauer’s more than 350 locations in the United States, Canada and other international markets from January 2 until July 17, 2016.  According to the company, its e-commerce website was not affected.

In an open letter posted online, Eddie Bauer’s CEO Mike Egeck explained that the company had conducted an investigation, involved third party experts and the FBI, and now is in the process of notifying customers and reviewing its IT systems to bolster security.  These are customary and important steps following a security breach to mitigate harm to customers, protect against future threats, and comply with state data breach notification laws.    Read on to find out more ….. Continue Reading Eddie Bauer Latest Victim of POS Malware Attack

The number one threat to a company’s information (personal or confidential) is still its own employees. Data security and privacy training are the first lines of defense against negligent employee behavior.

Join us tomorrow (6.22) at 1 PM ET for a webinar in which we will explore why traditional training programs are falling short and what you can do to boost your efforts and counter top concerns regarding malicious and negligent employee handling of personal and confidential data.

Register here.

CLE credit available in NY and CA

Written by Jake Romero, CIPP

The phrase “back off” is an implied threat typically reserved for bumper stickers and mud flaps, but if you are a retailer that permits the use of remote desktop applications in your business, the name Backoff should be considered much more intimidating.   According to a report released by the U.S. Department of Homeland Security, technology that is widely used to allow employees to work from home or permit IT and administrative personnel to remotely maintain systems is being exploited by hackers to deploy point-of-sale (PoS) malware that is designed to steal credit card data.  Of particular concern is the fact that Backoff malware, which Homeland Security estimates has been around since October 2013, had a “low to zero percent anti-virus detection rate” at the time it was discovered, meaning that even systems with fully-updated and patched anti-virus software would not be able to identify Backoff as malicious malware.  According to the security experts at Kroll, hundreds of retailers may have already been affected without their knowledge.

How Backoff Works

At the onset, hackers scan corporate networks for remote access software, such as Microsoft’s Remote Desktop, Apple Remote Desktop or LogMEIn Join.Me, just to name a few.  These programs operate by constantly listening for communications from remote desktop users seeking access.  Many remote desktop applications listen over standardized ports, so finding the remote desktop signal is not as difficult as one would expect.  When a signal is detected, the hackers use brute force attacks to obtain login credentials and deploy the malware.  The variations of Backoff reviewed by Homeland Security were enabled with a variation of four functions: (i) scraping memory for track data, (ii) logging keystrokes, (iii) Command & Control (C2) communication (this uploads discovered data and updates the malware) and (iv) injecting malicious stub into explorer.exe (this maintains the malware in the event that it crashes or is forcefully stopped).

Once Backoff has been deployed, the malware begins exfiltrating consumer payment data using encrypted POST requests.  Many remote desktop applications are pre-configured to provide high levels of access to privileged users, so hackers are able to use that trusted status to compromise the network without being detected.  For example, in the Target breach that exposed payment card data for millions of individuals, hackers were able to obtain access through accounts intended to remotely maintain refrigeration, heating and air conditioning.

What You Can Do To Mitigate Risk

The Homeland Security report includes a detailed list of actions that can be taken to keep your data safe and mitigate risk to PoS systems from Backoff malware.  Although the full list is worth reviewing, here we have included a list of crucial steps that you should consider taking immediately:

  • Require Strong Passwords and Lock Out Repeated Unsuccessful Login Attempts.  The unfortunate reality is that most users, when given broad deference to craft and select passwords, select passwords that are not just bad, they’re “really, really bad”.  Mandating levels of password length and complexity, as well as configuring expiration times for passwords, can help ward off or minimize the effect of a brute force attack.  In addition, systems should be configured to lock out repeated unsuccessful attempts.
  • Use Multi-Factor Authentication.  In addition, consider implementing a two-factor authentication procedure.  Multi-factor authentication procedures add an extra layer of protection by combining two or more types of credentials; typically a password along with a security token or biometric verification.
  • Limit Users and Access.  Consider limiting the number of users who can access desktops remotely and workstations with access.  Homeland Security also recommends reviewing the levels of access granted to remote users to the number of users who receive administrative privileges to only those individuals who truly need it.  In addition, consider limiting the functions of PoS terminals to ensure that those terminals are not used for secondary functions like email or web browsing that can open the terminal up to attack.
  • Change the Default Remote Desktop Listening Port.  As noted above, the default port used by many remote desktop applications can make it easy for hackers to locate the signal and exploit it.  Changing the default listening port can make your remote desktop application more difficult to locate.

Finally, periodically review systems for unknown users.  Although Homeland Security is working with a number of other parties to make Backoff malware detectable, perhaps the most important takeaway is that hackers are constantly looking for new ways to compromise technology.  Ultimately there is no substitute for an organized mitigation strategy and constant vigilance.