Posts tagged: email security

Can a PDF Attachment Really Compromise my Network?

Elizabeth Technology September 27, 2022

Yes!

Basic Email and Anti-Phishing Safety

It’s a message that bears repeating: you shouldn’t click on links or attachments in emails you weren’t expecting, didn’t sign up for, or otherwise don’t entirely trust. For example, say you get an email from Target, but there are several typos in the header. That’s an easy tell that the email is likely a fake: a business the size of Target has several sets of eyes on its marketing materials.

A harder tell is the sender address, which you have to check every time. Say you open an email from ‘Tagret’ and it isn’t loading right. If you don’t normally have that problem, it may be a fake trying to get you to click a ‘view in browser’ link that actually leads to a download page set up for a virus. If you hadn’t double-checked the sender, you would have missed the fraud!

But what about attachments? Approach them with a zero-trust philosophy: verify the sender, verify the email itself isn’t riddled with typos and easy-to-fix mistakes, and verify that the attachment is named appropriately for what it claims to be. You could open a phishing email by accident, realize what it is, and close it before clicking any links or typing anything in (you should still report the incident to your IT department); opening a malicious attachment is much harder to recover from. PDF attachments, which are normally fairly inert, are a possible highway into your network or computer. Keep the following things in mind when you open attachments.

It Might Not Be A PDF

Not all that glitters is gold! That attachment from someone you don’t remember hiring might be an executable file (a .exe file) that’s simply named Invoice307.pdf. When you name a file, only certain characters are excluded from possible names, such as the percent sign (%) and question mark (?), because they’d interfere with the way the file is stored. Periods are not excluded, and that makes it easy to fake a name! It won’t fool everyone (invoice.pdf.exe looks pretty strange, right?), but it might fool someone who doesn’t spend much time on computers or doesn’t see this kind of scam regularly. If that sounds like you, it only takes a second to double-check the extension before you download, and that second can prevent a lot of pain. Most desktops will also show you a file’s full name if you hover your mouse cursor over it: move the cursor over the file without clicking and wait a second or two for your email program to show the full name. This helps when the name is too long for the thumbnail and you’re not sure whether you trust the sender.
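The same check can be made mechanically. The script below is an added example, not code from the original post: it lists every extension in an attachment’s name and compares the claimed type with the file’s leading bytes (its “magic number”), so a .exe renamed to .pdf is caught even when the name looks clean. The sample attachments, the extension list and the `triage` function are all constructed for this illustration.

```python
"""Flag attachments whose name claims one type while the bytes say another.

Added example, not code from the original post. The attachments below
are constructed byte strings standing in for real files.
"""

# Leading bytes ("magic numbers") of a few common formats.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                # Windows executables begin with the DOS "MZ" stub
    b"PK\x03\x04": "zip",        # also .docx/.xlsx/.pptx, which are zip packages
    b"\xd0\xcf\x11\xe0": "ole",  # legacy binary .doc/.xls
}

# Extensions that launch code when double-clicked on Windows (illustrative list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "msi"}


def sniff_type(data: bytes) -> str:
    """Guess the real type from the first bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions_of(filename: str) -> list[str]:
    """Every dotted suffix, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return filename.lower().split(".")[1:]


def triage(filename: str, data: bytes) -> list[str]:
    """Return findings worth a human's attention; an empty list means nothing odd."""
    findings = []
    exts = extensions_of(filename)
    last = exts[-1] if exts else ""
    actual = sniff_type(data)

    if len(exts) > 1:
        findings.append(f"multiple extensions in name: {'.'.join(exts)}")
    if last in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension: .{last}")
    if last == "pdf" and actual != "pdf":
        findings.append(f"named .pdf but content looks like {actual}")
    if actual == "exe" and last not in EXECUTABLE_EXTENSIONS:
        findings.append("content is a Windows executable despite the name")
    return findings


# Constructed sample attachments (not real files).
SAMPLES = [
    ("Invoice307.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),        # genuine PDF header
    ("Invoice307.pdf", b"MZ\x90\x00\x03\x00" + b"\x00" * 58),    # .exe renamed to .pdf
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00" + b"\x00" * 58),   # double extension
    ("report.docx", b"PK\x03\x04" + b"\x00" * 26),               # Office package, as expected
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        result = triage(name, blob) or ["looks consistent"]
        print(f"{name:18} -> {'; '.join(result)}")
```

Only the first few bytes are read, so this is cheap enough to run on every inbound attachment at a mail gateway; the point is that the file name is under the sender’s control, while the leading bytes are dictated by what the file actually is.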

A similar tactic is hyperlinking some text to open a website that begins downloading malware instantly. The scammer puts in some ordinary-looking links, like a Shop Now! or Click Here! button, and uses the hyperlink feature available in most email applications to hide a malicious address behind it. If it tricks you into clicking, you’re in for a bad time. The hover trick from before works here too: it should show you where the link actually goes, usually in the bottom left corner of the window. Remember, don’t click while you’re using the hover trick, at least until you’re sure it’s safe.

However, there are ways to mess up your computer without overtly malicious software. Consider the .zip bomb! A .zip bomb is a huge amount of junk data packed into a .zip file, which compresses it down to something small. When you, the receiver, download and open the .zip, it slows or even crashes your computer with the huge amount of data it’s trying to decompress. Since the files themselves don’t have to be malicious to achieve this (they can be, but they don’t have to be), many consumer antiviruses will just ask you whether you trust the source, and if the scammer has done a really good job of social engineering, making the sender sound plausible and writing without typos, you might click yes without thinking twice. To recap: if it doesn’t end in .pdf, and someone you don’t know sent it to you, it might cause problems for your computer.
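A .zip bomb gives itself away before anything is decompressed: the archive’s own directory declares how large each member will be once expanded. The script below is an added example, not code from the original post; it reads only those declared sizes and refuses archives whose total expanded size or compression ratio is implausible. Both archives are constructed in memory (the “bomb” is 20 MiB of zeros, which deflate shrinks about a thousandfold), and the thresholds are illustrative choices, not values from the post.

```python
"""Inspect a .zip's declared sizes before extracting a single byte.

Added example, not code from the original post. Both archives are built
in memory here: the 'bomb' is 20 MiB of zeros, the 'normal' one a short
report. The thresholds are illustrative choices.
"""
import io
import zipfile

MAX_TOTAL_BYTES = 100 * 1024 * 1024  # refuse archives that expand past 100 MiB
MAX_RATIO = 100.0                     # refuse archives that expand more than 100x


def inspect_zip(data: bytes) -> dict:
    """Summarise the central directory; nothing is decompressed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    uncompressed = sum(m.file_size for m in members)
    compressed = sum(m.compress_size for m in members)
    ratio = uncompressed / compressed if compressed else 0.0
    return {
        "members": len(members),
        "uncompressed": uncompressed,
        "compressed": compressed,
        "ratio": ratio,
        # nested archives are how layered bombs hide their true size
        "nested_zips": [m.filename for m in members if m.filename.lower().endswith(".zip")],
    }


def safe_to_extract(data: bytes) -> tuple[bool, str]:
    """Decide whether extraction is reasonable, and say why not if it isn't."""
    info = inspect_zip(data)
    if info["uncompressed"] > MAX_TOTAL_BYTES:
        return False, f"would expand to {info['uncompressed']} bytes"
    if info["ratio"] > MAX_RATIO:
        return False, f"compression ratio {info['ratio']:.0f}:1 is implausible for real documents"
    if info["nested_zips"]:
        return False, f"contains nested archives: {', '.join(info['nested_zips'])}"
    return True, "sizes look normal"


def build_bomb(size_mib: int = 20) -> bytes:
    """Constructed bomb: one member of zeros, which deflate shrinks ~1000x."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("junk.bin", b"\x00" * (size_mib * 1024 * 1024))
    return buf.getvalue()


def build_normal() -> bytes:
    """Constructed benign archive: a short, varied text file."""
    report = "".join(f"line {i}: quarterly figures for region {i % 7}\n" for i in range(40))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", report)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("bomb", build_bomb()), ("normal", build_normal())):
        ok, reason = safe_to_extract(blob)
        print(f"{label}: {'extract' if ok else 'refuse'} ({reason})")
```

The declared sizes can themselves be lied about, so a production extractor should also stop writing once the bytes actually produced exceed the limit; the directory check is the cheap first gate, not the only one.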

Even If It Is, It Might Have Something Nasty

If you’ve ever struggled to get Word to let you open a document and edit it, that’s because some malware can be hidden inside otherwise innocuous-looking documents. It’s rare, but it happens; it’s usually something called a macro virus, a virus that uses ‘macros’ to download itself. A macro in Microsoft Office is a command that groups several keystrokes into one. Macros have many legitimate uses, but they can be used maliciously to lead you somewhere you don’t want to go, or to download or unzip another file contained within the file you’re working with. A much simpler version just combines macros with the hyperlink trick from before to get you to bring the document out of safe mode by disguising the hyperlink as something innocuous, but other, more complicated ways to get your PC to download something nasty can be hidden too.

Once again, double-checking the file extension can help you decide whether you really want to click something. Microsoft Office products save differently if they contain macros or ‘active content’: for example, instead of a .docx file, a Word document with macros in it will save as a .docm file. If you download one, most recent versions of Office will ask you to verify that you trust the place you downloaded it from, adding a further layer of security.
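The extension is a convention, not a guarantee, so an IT team checking a suspicious document can look at the package itself. Modern Office files are zip packages, and the VBA macro project lives in a fixed part (word/vbaProject.bin for Word, xl/vbaProject.bin for Excel, ppt/vbaProject.bin for PowerPoint). The script below is an added example, not code from the original post: it reports whether a VBA project is present and whether that agrees with the extension. The documents are minimal packages constructed in memory, not real Word files, and the placeholder vbaProject.bin holds no macro code.

```python
"""Look inside an Office document for a VBA project, whatever its extension says.

Added example, not code from the original post. The documents are minimal
zip packages constructed in memory, not real Word files; the placeholder
vbaProject.bin contains no actual macro code.
"""
import io
import zipfile

# Where Word, Excel and PowerPoint packages keep their VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def has_vba_project(data: bytes) -> bool:
    """True if the package is a zip containing a VBA project part."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # not an Office Open XML package (legacy .doc/.xls are OLE, not zip)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return any(part in names for part in VBA_PARTS)


def assess(filename: str, data: bytes) -> str:
    """Compare what the extension promises with what the package contains."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macros = has_vba_project(data)
    if macros and ext in MACRO_EXTENSIONS:
        return "macro-enabled (extension matches content)"
    if macros:
        return "VBA project present but the extension does not say so"
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled extension, no VBA project found"
    return "no macros"


def build_doc(with_macros: bool) -> bytes:
    """Constructed stand-in for a .docx/.docm package (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")      # placeholder content
        zf.writestr("word/document.xml", "<w:document/>")   # placeholder body
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"placeholder VBA project bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("report.docx", build_doc(False)),
                       ("report.docm", build_doc(True)),
                       ("report.docx", build_doc(True))):
        print(f"{name}: {assess(name, blob)}")
```

Presence of a VBA project says nothing about whether the macros are harmful; it only tells the analyst that the file can run code and therefore deserves a closer look on an isolated machine rather than a double-click.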

Don’t Forward Emails You’re Suspicious of to Anyone but Your IT

If you send this mail to your manager, and your manager is in a rush, doesn’t read what you wrote about the message, and clicks the attachment… you’ve just moved the problem! Don’t forward something suspicious to another member of your organization; if the scammer has their info, they’d likely be a target too. Instead, if you get an email you’re not sure about, forwarding it to your IT department is a safe bet. If it’s nothing? Then you sent your IT team an email with a legitimate attachment, and you know for sure it’s safe to open. If it’s malicious? IT should be able to handle it on a quarantined computer, and may even be able to tell it’s malicious without opening it. This could save you and your organization from ransomware or other malware that can completely halt your business.

Sources: https://support.microsoft.com/en-au/office/protect-yourself-from-macro-viruses-a3f3576a-bfef-4d25-84dc-70d18bde5903

Don’t Make Shared Email Accounts

Elizabeth Technology September 15, 2022

A shared mailbox has plenty of utility, but it has to be set up right to reach its full potential. A shared mailbox should let all its members see its contents, and can usually be set up so that members can send email from the mailbox’s address. Essentially, the box is just a box that they have permission to access. Microsoft Outlook lets you add your users to specific shared mailboxes, but only you, the admin, decide who gets to see it, who gets to be a member, who can send as the box, and where forwards go automatically, if forwarding is even desired. And shared mailboxes don’t even need a Microsoft license to function!

A shared account, on the other hand, is an easy path to disaster! Generally speaking, a shared box shouldn’t be a fully fledged account that your users log into with a username and password you gave them. If your box is set up so that users are in the account instead of in the box only, they have far too many permissions!

For example – a user decides they want full control of the shared email account and simply logs in, changes the password, and doesn’t share it. Now what? You can do a lot of things to the user, up to and including firing them, but that might not be enough to get the email account back, especially if they left on bad terms. Or, an employee mistakenly believes that everyone in the company is meant to have access to a shared account, and gives the login credentials to an unauthorized employee when they ask. Or, an employee writes down the shared credentials somewhere, loses that, and then the company’s support or information mailbox is hacked and totally out of their control. If the account is set up as part of a security group, everything in that group is then put in jeopardy, because accounts can access shared drives. Accounts also take a license to keep functional, so that’s an added expense over a simple shared email box. The issues go on and on!

While some of this can be mitigated with steps such as two-factor authentication, most of it can only be stopped by building a box with layers of separation between the account controlling it and the accounts allowed to use it. Microsoft’s system allows users to be added to a shared mailbox without giving them total control over it. That’s the ideal: a user’s permissions can be revoked without the song and dance of handing the login info back out to everyone still authorized to use it. Since shared mailboxes can’t be signed in to directly, they’re also much less likely to be ‘hacked’ via a stolen password (although someone could still reach one through another member’s account).

Group Accounts – Social Media

On the other hand, there are the company’s social media accounts. Almost no website lets multiple people run an account with the kind of separation from the account itself that Microsoft provides. LinkedIn is a rare exception, and Facebook pages let people post to them, but the page can’t post to itself; the company account has to post to it. In cases like that, a shared account is still not ideal, but it becomes easier to manage if only a handful of people have the password and only one person holds the 2FA phone number. In a pinch, that makes it slightly easier to reclaim the account if the person in control decides to go rogue, but even then, some sites will let you change the 2FA number without verifying it with the current 2FA contact first, which makes all of the issues above issues here as well. That makes it extraordinarily difficult to truly, properly bombproof a social media account! Limiting the total number of people who have access, and monitoring when it’s being used, is the best solution. Instead of a group shared account, make it a two-person account, or fewer!

Alternatively, services like Buffer and Hootsuite can provide some barriers, for a fee. They may not stop an employee from going rogue, but they can at least identify when it happened and which employee was responsible if something happens to the company Instagram.