Orenda Security® is an elite information security firm founded on a spirit of integrity and partnership with our team, and most importantly, our clients.
A versatile group of international security professionals came together and forged a partnership to make a positive and lasting impact on the security industry. With a vast array of skills and experience securing global corporations in multiple verticals, a remarkable opportunity arose to deliver a unique value-add to our clients.
Our highly skilled team has performed hundreds of security assessments and penetration tests for corporations, large and small. We have helped our clients obtain peace of mind by securing their products and services. Most importantly, each team member has been trusted to provide ongoing and reliable security solutions to our clients’ evolving security and business needs.
Partner with Orenda Security Now!
With a passion for our work, our staff and our clients, we strive to be much more than just another security vendor. We choose to be distinct among security providers, as we establish a reliable partnership with you to protect your business and customers. As your trusted security advisors, we specialize in identifying threats that may be exploited in your products, services, systems and applications. We work with you to develop a reliable plan for remediation and to ultimately implement an in-depth defense strategy.
CERTIFICATIONS
We proudly hold the following industry information security & penetration testing certifications:
OSCP
Offensive Security Certified Professional
CCSP
Certified Cloud Security Professional
CISM
Certified Information Security Manager
CISSP
Certified Information Systems Security Professional
OSWP
Offensive Security Wireless Professional
CIPP/IT
Certified Information Privacy Professional
GIAC GWAPT
Web Application Penetration Tester
GIAC GPEN
Penetration Tester
We are proud to announce that Orenda Security is CREST-accredited for its high value penetration testing services.
What are the most valuable assets to your business? What if your information is already at high risk and you lose it? What would be the impact on your business, customers, and revenues? Could your organization afford to be down for just one day because of a cybersecurity incident? Even more concerning, what if your critical information is already compromised and you don’t know it?
Orenda Security application assessment services are customized to help secure your business-critical applications and ensure compliance with your industry security requirements.
Partner with Orenda Security for your ongoing Dynamic Application Security Testing (DAST) and have access to security professionals guiding you to securing your applications. Empower your development team and maintain the speed of your application delivery.
Partner with Orenda Security for your Static Application Security Testing (SAST) needs, whether you need SAST testing now, already have a tool in mind and a vision for how you would like to implement it, or need help getting up and running. Let our application security professionals help you build security in.
Partner with Orenda Security to get off the ground with Threat Modeling (TM). Threat modeling may be a foreign concept to your team today, but our professionals have proven experience in developing these skills across several environments, industries, and delivery models. Our threat modeling professionals walk you through every step to build up the knowledge and practice within your team to fit your delivery models and processes.
Vulnerability Assessments (VA) & Vulnerability Management (VM)
Performing a vulnerability assessment can provide an accurate “point-in-time” representation of the organization’s security posture. However, this is not enough. There must be a mechanism incorporated into the procedures to ensure that the VA process is conducted on a continual basis. This is the only way to really minimize the overall risk.
Delivering technical expertise and high-quality assessments
Orenda has been a reliable partner for AMA and has helped us in our journey to develop and deliver secure applications to all of our AMA members. I recommend Orenda Security to other AAA and CAA clubs on the basis of a strong working relationship with AMA and an excellent track record of delivering technical expertise and high-quality assessments.
Collin Moody
Chief Information Officer
Alberta Motor Association
Reliable and robust security penetration testing services
Finding a reliable partner with a high degree of technical expertise is hard to find! Orenda Security was exactly what we were looking for. They help us improve the security posture of our product and application. We recommend Orenda Security to any security leader seeking reliable and robust security penetration testing services.
High level of expertise in performing the application penetration test
Orenda Security demonstrated a high level of expertise in performing the application penetration test. Their findings and recommendations were clear and actionable. We highly recommend Orenda Security to other companies seeking security assessment services.
Colton Toscher
Chief Technology Officer
Revolution Capital
Both static application security testing (SAST) and dynamic application security testing (DAST) are methodologies used to test the security of application environments.
DAST is a black-box security testing method that tests applications from the outside-in.
SAST is a white-box security testing method that tests applications from the inside-out.
So, when cyber analysts are using SAST, they are poring through the source code to find potential vulnerabilities. DAST, on the other hand, tests applications in their running state in an attempt to stress them exactly as a real-life attacker would. In short, DAST finds vulnerabilities at run time, while SAST finds vulnerabilities in source code. These two methods each have their strengths and weaknesses, which is why it’s best to use both for more thorough and accurate security.
A Clean Sweep for Code
SAST is fantastic at targeting source code, byte code, and binary vulnerabilities in environments across the board. It also finds weaknesses one line at a time before you launch the software, giving you the exact location of each vulnerability. Common vulnerabilities it finds include:
Numerical errors
Input validation
Race conditions
Path traversals
Pointers and references
SAST thrives in Sequential Design Process environments, real-time systems, mobile applications, and software on embedded devices. Remember: if you want your SAST scanner to be effective, ensure it supports the language of your web application framework, whether that is PHP, Java, Python, or another; the scanner also needs to understand the framework itself, not just the language.
A Full Framework Analysis
DAST handles the complicated aspects of app security, discovering weaknesses within the entire application framework, including:
Web proxies
Servers (AWS, Azure, physical, etc.)
Databases (MySQL, Oracle, Microsoft, etc.)
Caches (out-of-process, in-process)
Since DAST takes place in a running environment, all interconnected structures that exist outside of your source code are tested at the same time to expose vulnerabilities. Pinpointing misconfigurations between all app environments gives DevOps a deeper understanding of vulnerability particulars while also exposing potential threats outside the code. Because SAST doesn’t take an app’s entire external framework into consideration, DAST complements SAST’s work. DAST reports each finding as an HTTP request that can be replayed for verification. This combination of run-time testing and replayable results makes DAST highly accurate and dynamic enough to make each vulnerability reproducible.
A Two-Pronged Attack
DAST and SAST should both be implemented on two fronts, automated and manual. Providers such as Orenda Security offer automated and manual assessments for both methods of application security testing. Automated DAST assessments can give good overall coverage of the app framework and perform basic attacks and stress patterns. At the same time, manual assessments can dive deep into hyper-specific attack patterns and leverage expert insight to perform complex attack patterns. This combination can uncover both complex and simple vulnerabilities while ensuring that every known attack pattern is replicated thoroughly across app frameworks.
Note: Good SAST providers should also leverage automated solutions while still using SMEs to manually review code vulnerabilities.
Conclusion
SAST and DAST make for a dynamic duo by helping WebOps uncover vulnerabilities in applications. If you’re looking for security experts who provide thorough automatic and manual reviews of applications via SAST, DAST, and penetration testing, contact us now.
Mobile applications find many uses in the retail, finance, and health sectors. They’re always just one tap away, and they can include device-specific functionality, which web applications don’t have. One thing which they have in common with web apps, though, is a need to be very careful about their security. Penetration testing for mobile apps is just as important as penetration testing for web applications.
Comparing Web and Mobile Apps
A web application runs on a server, and users access it through a browser. It can be something as simple as a set of forms that initiate actions, or as complicated as a fast-action game or an ERP system. A mobile application runs as a separate application on the client side, but it’s often built around browser code that accesses a single site. Some mobile apps are effectively just single-page browsers while others add native functionality.
There are also mobile applications that are entirely native, and they have security issues as well. But those issues are more varied, and each app has to be considered based on its own functionality. For this discussion, we’re looking at applications that consist largely of access to a web server, whether they’re standalone or use a normal browser.
The Differences in Risk
Web and mobile applications each have their distinctive risks. A web application coexists in the browser with other sites. It has less control over its environment and what the user can do compared to a mobile application. It may run on an outdated, unpatched browser. It could find itself on an obscure browser with which it was never tested. Trying the application out with enough different environments to be confident about it is a laborious but necessary task.
A mobile application comes with its own browser, so it has full control over the client side of its connection to the server. However, it has enough risks of its own that the Open Web Application Security Project (OWASP) has compiled a list of mobile device risks. Some of these are particularly relevant to developers and security testers.
Insecure communication. Applications that send sensitive data ought to send it securely. In a browser, this is just a matter of setting up an HTTPS server and using appropriate URLs in the browser. A mobile application needs to do more work. Some of them do it poorly, ignoring validation errors. Some don’t use it at all, sending passwords and credit card numbers over the air as cleartext.
Inadequate form validation. Forms in mobile applications are vulnerable to malicious data if they don’t check their inputs carefully enough. Mobile developers sometimes get careless because they don’t think of their applications as web apps.
Unsafe data storage. A mobile application typically needs to store some data for the user. Some apps store sensitive information without protecting it, in ways that other applications can read.
Hardcoded passwords and keys. It would take a really foolish web developer to put an undisguised password or key into a page’s JavaScript, but mobile app developers have more of an illusion of safety. Extracting such information from a mobile app is harder than pulling it out of a browser, but it’s a dangerous risk all the same.
Access to device functionality. A mobile application can request access to the user’s microphone, camera, email, and address book. Most users will grant it without a thought. If it’s compromised, it will have access to information that a web application can’t easily reach and even spy on the user.
Ironically, security problems in a mobile application often result from an excess of trust. Because it’s self-contained, developers don’t always think about the issues as carefully as they would for a website.
The Importance of Penetration Testing
Any type of application that accesses server-side code and handles private information needs testing to ensure confidence that it’s secure. Penetration testing for mobile apps has some differences from penetration testing for web applications. There’s no address bar in a mobile app, so people can’t enter arbitrary URLs. Different testing tools are needed. Real or simulated attacks may involve simulating the application and replicating its server requests.
When people grant access to their personal financial or health data, they have a right to see it protected. Developers need to earn trust by subjecting their applications to rigorous testing. Orenda Security specializes in penetration testing, DAST, and application assessments. We serve the healthcare, financial, and retail sectors.
Most businesses are aware of the threats posed by external hackers or malicious actors to their business. Thousands—if not millions—of dollars are spent annually by these businesses to safeguard their network against unauthorized external access. However, most businesses do not invest as much effort or resources to guard against insider threats to their business. Insider threats pose as much of a threat and cause as much damage to businesses as threats from external hackers. The following statistics highlight the danger of insider threats to businesses:
In 2018, 53 percent of all businesses reported that they had been victims of insider threats within the previous 12 months.
The total average cost for businesses impacted by insider threats is $8.76 million.
The average time taken to contain an insider threat is 73 days.
TYPES OF INSIDER THREATS
There are two types of insider threats that businesses should be aware of when trying to secure their networks. Neglect of one or the other type of insider threat can leave a business vulnerable to an insider attack. The types of insider threats include:
Malicious/deliberate insiders. These are individuals who willfully look for ways to sabotage a business by compromising their data.
Accidental/unintentional insiders. These individuals unknowingly put the company at risk through negligence and other poor work practices.
EXAMPLES OF INSIDER THREATS
Some instances of businesses that became victims of insider threats for a variety of reasons include:
Anthem: In 2017, the health insurance carrier BlueCross BlueShield sent out notices to about 18,000 of its Medicare customers that their data had been breached. LaunchPoint Ventures, Anthem’s Medicare insurance coordination services vendor, reported that one of its employees was discovered to have been stealing personal customer information, such as Medicare IDs, Social Security numbers, and health plan IDs.
Target: Target Supermarket was the victim of a massive data breach in 2013. It reported that the personal information of about 110 million of its customers had been compromised; the compromised data included both personal and credit/debit card information. An employee of one of Target’s third-party vendors unintentionally facilitated this data breach by falling victim to a phishing email; hackers were then able to install malware to access the protected data.
Sage: In 2016, software firm Sage reported that a data breach had compromised the data of about 280 of its UK business customers. One of its employees used an internal login to access unauthorized data and was, therefore, able to compromise the network.
INSIDER THREAT RISK FACTORS
Given the damage that can be caused by insider threats, it is essential that potential vulnerabilities are promptly recognized and mitigated. Some factors that can put businesses at an increased risk of insider threats include:
Unrestricted access: Employees whose access is not regulated or is poorly controlled often pose severe threats to an organization. Willful or unintentional data breaches caused by these individuals can often be devastating. Ideally, the principle of least privilege should be used when granting access; an employee should have only the minimum access necessary to fulfill job duties.
Poor security practices: The use of poor security practices by employees, such as using weak passwords, reusing passwords, clicking on links from suspicious emails or leaving computers unlocked, can put businesses at risk of insider threats. Regular training should be done to educate users about the importance of good security practices.
Bring Your Own Device (BYOD): Employees who use their personal devices to carry out work-related activities can put their businesses at risk. Personal devices may not be secured adequately and, as such, put the business data they hold at risk.
At Orenda Security, we know all about the risks of both internal and external threats to business networks. We offer cloud security, penetration testing, and dynamic testing to protect your network.
Everyone claims to have network security in place. This doesn’t mean that everyone has network security that works. Unverified, untested cybersecurity is better than none at all, but it isn’t enough.
Many businesses are stuck in a system of protection that no longer works, if it ever did. Verizon’s 2018 Data Breach Investigations Report suggests that the Internet faces “an information security dystopia.” According to the report, “cybercriminals are still finding success with the same tried and tested techniques, and their victims are still making the same mistakes.”
Poor security puts the personal information of individuals at risk. Industries, such as healthcare, have seen repeated failures. HIPAA Journal reported in March 2018 that data breaches had subjected more than 41 percent of the people in the United States to exposure of their personal information.
Common Mistakes in Security
The mistakes most commonly found in security systems include using ineffective solutions, expending too much effort in the wrong places, or working from a good idea but not following through consistently.
Here are some examples:
An inadequate or non-existent patch management program. Simply urging employees to keep their software up to date isn’t a patch management program. Without a systematic approach, people will overlook critically outdated software components. Sometimes, people avoid updating software because they’re afraid it will break. Sometimes, a component goes unnoticed because no one has been assigned the responsibility for it. A systematic approach is necessary to make sure nothing is left behind.
Lack of vulnerability scans. Prioritizing software updates requires knowing where the critical weaknesses are. A vulnerability scan identifies software that has known weaknesses and ranks the problems by severity. Without vulnerability checking, serious security holes will go unnoticed.
Inadequate account protection. Many organizations don’t have a policy defining and requiring strong passwords, or they don’t enforce it. They don’t purge expired accounts. They grant privileges too freely. They don’t limit login attempts. There’s no move to multi-factor authentication. Without these protections, life is easy for people trying to break into accounts.
Insufficient application-level protection. Protection only at the network level overlooks threats that are tailored to applications. Web servers and other public-facing applications need their own filtering and threat detection.
Incomplete network coverage. An inadequate security system doesn’t cover all devices. Common mistakes include letting mobile and Wi-Fi devices in without restrictions and allowing telecommuting without setting up a VPN or equivalent protection. Getting into the network may be as easy as using a laptop in the parking lot.
Lack of testing and monitoring. A security system may sound strong when its authors talk about it, but without independent verification, there’s no way to be sure. No protection is perfect, and intrusion detection is as important as prevention. The Verizon report states that two-thirds of system compromises go unnoticed for months or even longer.
An effective cybersecurity system takes a multilayered approach. It protects the entire network perimeter, including user-owned and cloud connections. It limits the ports and services that are reachable by direct Internet access. It monitors all systems for signs of intrusions and malware. There’s no single point of failure; an attacker has to jump through multiple hoops to do any damage.
The consequences of inadequate security are expensive. System downtime and data loss have direct costs. Beyond that, failure to take adequate precautions can be evidence of negligence. Regulatory fines, such as those under HIPAA, can be huge if a breach is due to lack of care. People whose information was compromised can take legal action.
If your network’s security system hasn’t had a thorough review recently, it needs one to make sure it can face today’s many threats. Orenda Security can help with risk assessment, penetration testing, and DAST.
2018 was a more expensive year for businesses that were victims of cyber-attacks compared to the previous years. Hackers and other malicious actors adopted innovative strategies for penetrating business networks and remaining undetected for longer periods. The 2018 cost of a data breach study conducted by the Ponemon Institute showed that there was a 2.2 percent increase in the average size of data breaches compared to 2017. Also, the average total cost of a data breach increased in 2018 from $3.62 million to $3.86 million, which is a 6.4 percent increase. In addition, the average price of each lost record increased from $141 to $148—an increase of 4.8 percent.
Let us review some of the strategies that were used by hackers to successfully penetrate the networks of their victims in 2018. By reviewing, you can strengthen your business, whether you were a victim or not.
1) FILELESS ATTACKS
Fileless attacks—also known as zero-footprint attacks, macro attacks, or non-malware attacks—are cyber-attacks that occur without the need to install new software on the end user’s device. As a result, fileless attacks can evade traditional security and forensic tools. With fileless attacks, hackers use approved applications already installed on the end user’s device. When the end user clicks on a malicious link or document, the code opens pre-installed programs, such as Windows PowerShell or Windows Management Instrumentation, which the code uses to locate and transfer the user’s data to the hacker.
Between January and June of 2018, there was a 94 percent increase in the use of fileless attacks by hackers. At present, fileless attacks comprise 42 out of every 1,000 attacks. The Equifax breach, which resulted in the compromise of 148 million records, was executed using fileless malware. Equifax downloaded vulnerable versions of the Apache Struts open software package that were exploited by hackers.
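As an added example (not from the original post and not Orenda Security's tooling), the following Python triages constructed process-creation events for the chain described above: a user's document launching PowerShell or WMI, together with the switches typically used to hide that activity. The event fields, rule names and command lines are assumptions, and the base64 blob is a placeholder rather than a payload.

```python
"""Detecting the process chains typical of fileless attacks.

Constructed example: SAMPLE_EVENTS imitates the shape of endpoint
process-creation telemetry (parent image, image, command line) and is not real
data. The rules look for the behaviour the text describes: a user document
launching PowerShell or WMI, plus the switches commonly used to hide it.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "wmic.exe", "cscript.exe", "wscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts abbreviated switches, so the short forms must match too.
ENCODED_SWITCH = re.compile(r"^[-/]e(c|nc|ncodedcommand)?$")
WINDOW_SWITCH = re.compile(r"^[-/]w(indowstyle)?$")
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient")


def _basename(path: str) -> str:
    """Last path component, lower-cased, so rules do not depend on install paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if nothing matched)."""
    parent = _basename(event["parent"])
    image = _basename(event["image"])
    toks = event["cmdline"].lower().split()
    hits = []
    # A document viewer spawning a scripting host is the core of the chain described in the text.
    if parent in OFFICE_PARENTS and image in LOLBIN_CHILDREN:
        hits.append("office_spawns_lolbin")
    if image in POWERSHELL:
        if any(ENCODED_SWITCH.match(t) for t in toks):
            hits.append("powershell_encoded_command")
        if any(WINDOW_SWITCH.match(t) and toks[i + 1].startswith("hid")
               for i, t in enumerate(toks[:-1])):
            hits.append("powershell_hidden_window")
        if any(hint in t for t in toks for hint in DOWNLOAD_HINTS):
            hits.append("powershell_download_cradle")
    # WMI used to launch a process (the "Windows Management Instrumentation" route in the text).
    if image == "wmic.exe" and {"process", "call", "create"} <= set(toks):
        hits.append("wmic_process_create")
    return hits


def triage(events: list) -> dict:
    """Map event id -> matched rules, keeping only events that matched at least one rule."""
    flagged = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            flagged[event["id"]] = hits
    return flagged


SAMPLE_EVENTS = [  # constructed telemetry; "UExBQ0VIT0xERVI=" is base64 of "PLACEHOLDER"
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc UExBQ0VIT0xERVI="},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
    {"id": 3, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic.exe process call create "powershell.exe -nop -w hidden"'},
    {"id": 4, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 5, "parent": r"C:\Windows\explorer.exe",   # admin download: one low-confidence hit
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv"},
]

if __name__ == "__main__":
    for event_id, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"event {event_id}: {', '.join(rules)}")
```

Events 1 and 3 stack several rules and would be escalated; event 5 matches a single rule and is the kind of hit a triage threshold would hold back for review rather than alert on.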
2) CRYPTOJACKING
Cryptojacking is the illegal use of an end user’s device to mine cryptocurrency. Most times, the end user is unaware that the device has been commandeered, letting the hacker’s miner run unseen in the background. Affected devices or networks can experience several adverse effects, including performance degradation, increased power consumption, and hardware degradation.
In 2018, there was an increase in the incidence of cryptojacking as hackers shifted away from using ransomware as their preferred cyber-attack strategy; between January and June, cryptojacking increased by nearly 1,000% and 47 new cryptocurrency miner families were detected. Examples of some applications that were used by hackers for cryptojacking in 2018 include Google DoubleClick and adware ICLoader; users clicking on these applications had their devices hijacked and used for illicit crypto-mining.
3) EMAIL PHISHING
Despite the increase in public awareness, email phishing increased by 46% in the first quarter of 2018. Users clicked on attachments or links within emails they received or on websites, allowing hackers to install malware that compromised their devices and, in some instances, entire networks. Traditionally, phishing sites used plain HTTP rather than HTTPS with SSL certificates. Due to increased awareness, however, phishing attacks are increasingly being carried out on websites with HTTPS; unsuspecting users click on links on these websites because they are fooled into thinking that the links are legitimate. More than one-third of phishing attacks were conducted using websites with HTTPS and SSL certificates in the second quarter of 2018. The sectors most targeted by these phishing attacks in 2018 were:
Payment (39.4 percent)
Software-as-a-Service (18.7 percent)
Financial institutions (14.2 percent)
Cloud storage/file hosting (11.3 percent)
As we begin 2019, cyber-attacks are poised to become an even greater threat to businesses as hackers develop more innovative ways to compromise business networks for malicious purposes. As such, you should seek out the experts at Orenda Security to keep your network protected. With our expertise in cloud security, dynamic testing, and penetration testing, we ensure that all access points to your network are continuously monitored and fully protected.
Many companies regard API security issues as events that only happen to large businesses (250+ employees) like T-Mobile and McDonald’s. It’s true: cyberattacks are most frequently targeted toward companies that possess expansive quantities of data that can be stolen with the least amount of effort.
Even though corporations of that size manage to glide through these situations without experiencing a large loss from their customer base, it is disruptive and possibly dangerous. When small-to-medium companies are attacked they have even more to lose. With data ransom, financial theft and a myriad of new attacks on the loose, it is no longer safe to assume security is tight.
The downtime required to reverse the damage should be enough to make CIOs, CISOs, CSOs and other members of the security team take action. There is an inordinate amount of downtime required to:
Find the API flaws and security breakdowns
Secure the data (encryption, tokenization, de-identification)
Centralize control of data users
Contact customers who may be affected
Strengthen the weak links (automated and human)
By the time these measures are taken, sales momentum is lost and customers may lose confidence and interest in the brand, which brings in another layer of turmoil.
According to the Canadian Survey of Cyber Security and Cybercrime, companies worldwide saw a 57.5 percent increase in cyberattacks during the holiday season in 2017, which is more than double the amount in 2016. According to Statistics Canada, more than one in five Canadian companies experienced a cyberattack in 2018.
A StatCan spokesperson reminds us, “Canadian businesses continue to rapidly embrace the Internet and digital technologies, which expose them to greater cybersecurity risks and threats. However, the impact of these risks and threats on the investment and day-to-day decisions of businesses are not easily understood as cybersecurity incidents often go unreported.”
API Flaws are Attractive to Cybercriminals
APIs provide the digital integration between apps, cloud resources, data, and application services, which provides a high level of motivation for cyberhackers.
Think about it… APIs provide access to customers’ data and often their entire digital environment. Additionally, many APIs have gaping flaws that are not easily detected without proper testing and periodic retesting. API flaws provide easy opportunities for data theft; therefore, it is crucial to verify iron-clad integration of the various components. In 2018 alone, there was an increased number of high-profile data breaches and exposures due to poor API security. Salesforce, Instagram, and Venmo were all victims of API insecurity, to name a few.
Since APIs are provided to developers and public users in an effort to increase software usage, there are tremendous opportunities for cybercriminals. According to a study by Imperva, the average company manages an average of 363 APIs due to the increased use of micro-services.
Testing APIs – Now Critical to Security Maintenance
API testing can be accomplished during development; however, whenever APIs are added, changed or updated, repeat API testing is recommended. In the past, UI testing seemed to be enough, yet API testing is much faster and more efficient than waiting for users to discover bugs over a longer period of time. API testing exercises the communication between integrated software systems and can discover vulnerabilities that can then be fixed and marked as cyber safe.
In the case of the year-long API flaw the United States Postal Service experienced (November 2018), mass confidential customer information was openly available to be accessed without special authority. That means just about anyone could access over 60 million corporate users’ email addresses, street addresses, phone numbers, and more. This defect could have been responsible for an epic incident of phishing, social deception and fraud in multiple directions. At this time, the USPS claims the vulnerability has not been leveraged. Yet after nearly a year of exposure, it may be only a matter of time before the ramifications surface.
Other prominent examples include Air Canada, the Bank of Montreal, the Canadian Imperial Bank of Commerce, and Equifax. API testing would have prevented each and every incident.
Mark Your APIs as Safe
According to all sources, API cyber abuses will be the most prominent cause of data breaches by 2022. Even though internet security has become one of the most important aspects of retail and E-commerce companies, API integration is often overlooked. In order to overcome these odds systems must be tested to allow chinks in the armor to be corrected. As technology advances, testing must remain a priority for all companies that want to maintain the highest standards in cybersecurity. Gain confidence in your API integrations by staying ahead of the looming threats that could temporarily (or permanently) cripple your business.
Our highly trained and experienced Orenda Security team specializes in application assessment and API testing, among all types of internet security. We can test your software to determine if it meets expectations for functionality, reliability, performance, and security. Gain peace of mind by preventing situations that can negatively affect your growing business.
Contact us today at info@orendasecurity.com for a complimentary consultation and quote.
Last week, it was revealed that the Starwood guest reservation system had been hacked, affecting 500 million guests. The Starwood chain is a subsidiary of Marriott International, and they are picking up the pieces of the breach, which dates back to 2014. Personal information of the 500 million guests has been compromised, including names, email addresses, passport numbers, and credit card data. It has been deemed by CNN to be “the second biggest corporate data breach in history.”
The Starwood hotels that have been affected include:
W Hotels
St. Regis
Sheraton Hotels & Resorts
Westin Hotels & Resorts
Element Hotels
Aloft Hotels
The Luxury Collection
Tribute Portfolio
Le Meridien Hotels & Resorts
Four Points by Sheraton and Design Hotels
Starwood-branded timeshare properties
So, what’s being done to fix this problem, and what can you do about it?
Marriott is in the process of emailing all of the guests that were affected, and it has set up a website to answer your questions about the data breach. But we have some helpful security measures that you should take to protect your data; these should be practiced on a daily basis.
Security Measure #1: Stop Oversharing
Social media is being used frivolously with people sharing too much information, from their bathroom schedule to their home address. Most people doing this would never admit these details to a stranger in front of them, but because they are using a device, they don’t feel the reality of exposure.
What should you do, then?
The smart way to share is to post highlights as opposed to every little detail and do it every few days instead of every day. When it comes to sensitive information, such as family problems, don’t post it. Chances are, the people involved don’t want the situation known by outsiders. If you’re looking for help, talk to the right people instead by phone or in person. You will get better results.
Security Measure #2: Monitor Your Accounts
Businesses push consumers to go paperless and input their personal information into a multitude of websites. Whether it’s banking, shopping, or job hunting, it’s hard to get results without putting your information into a device. Everyone is connected, and we’re trying to reduce the amount of paper used—which is commendable—but it means we must exercise more caution.
Bank accounts—and now Starwood Preferred Guest accounts—are among the most important ones to monitor. Marriott has made several recommendations to protect your data:
Freeze your credit cards.
Consider credit monitoring services.
Sign up for identity theft protection.
Dedicate a credit card to a certain type of transaction, such as online shopping.
Whether or not you were a guest of a Starwood hotel, you should always check your accounts regularly, keeping an eye out for suspicious activity. A good way to strengthen this practice is to keep all of your receipts: if you forget about products you bought or a store you visited for the first time, your receipts will help you verify what is suspicious in your account and what is not.
Security Measure #3: Think Before You Click
Have you just received an email from a person or business? Whether or not you know this person or have an account at that bank, don’t click any links. Even if you don’t have the slightest doubt that your friend or bank sent you the email, step away from the screen and verify by phone or in person that it is legitimate.
Our very own vice-president and co-founder received a phishing invite through LinkedIn Messenger. No matter what platform or browser you use, always have a good amount of skepticism before clicking on any links or giving over your personal information.
Security Measure #4: Seek Certified and Professional Help
Through penetration testing, our Orenda Security experts can simulate real-world cyber attacks to find the vulnerabilities hidden within your system. With the results of our cybersecurity risk assessments, we will help you achieve a strong security posture. Contact us today and request a quote!
On October 25th, I was contacted via LinkedIn Messenger by a new connection I had added five days earlier. The message was pertaining to a potential business opportunity.
By reading the text and looking at the compensation offered to sit on a board of directors, I had already noticed something wrong; the compensation didn’t make sense. For reasons you will see below, I thought it might just be a mistake, and the person meant to write 20k as opposed to 20M, which would make more sense :) Nonetheless, I wanted to know more. As an entrepreneur, I am always interested in learning about networking opportunities, like this one.
At first sight, I saw nothing alarming about the profile. My new “LinkedIn friend” had over 500 connections, and his professional description was looking pretty good. The profile also showed a very credible career path with multiple job experiences over a long period of time.
Looking deeper into the profile, I also saw that this person was endorsed by multiple LinkedIn users—some of whom were also highly skilled and highly endorsed. Everything seemed to be legit with the profile in question.
One thing I always like to do is read people’s recommendations before I engage with a new connection. My new “LinkedIn friend” had over 10 recommendations, and that’s more than acceptable for most LinkedIn users. The recommendations he received also seemed to be legit.
At this point—and after verifying all the basics of this profile—I decided to engage in the conversation and see how that would go. A few seconds later, I received a new message from this person with a brief description of the opportunity and a link to access the information.
After reading his message and looking at the nature of the link, I already knew what was going on.
Let’s start by the message itself:
The person is proposing to share some confidential and sensitive information with me, such as: a business plan, organizational goals, key objectives, and more without asking for a non-disclosure agreement (NDA) to be signed or even a phone call.
Now, let’s look at the link:
That link looks phishy!
“Why would someone share a PHP file from within a theme’s directory!?” said one of our security consultants at Orenda Security.
When a WordPress site is compromised, the theme directory is usually one of the easiest places for an attacker to modify, since it already holds PHP files that the site executes, which makes it a convenient spot to drop their own PHP code.
This type of link is unusual for sharing this kind of electronic document or information, especially from a well-known company like DocuSign.
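The two warning signs described above (a PHP script served from inside a WordPress theme directory, and a document link for a well-known brand hosted on an unrelated domain) can be turned into a simple automated check. The following is an added example written for this post, not Orenda Security’s own tooling; the brand-domain table and the sample URLs are constructed for illustration and do not refer to any real site.

```python
"""Heuristic checks for a shared document link of the kind discussed above.

Added example, not code from Orenda Security. The sample URLs and the
BRAND_DOMAINS table are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Brands whose document links are commonly impersonated, mapped to the domains
# a genuine link should live on (constructed table; an assumption of this example).
BRAND_DOMAINS = {
    "docusign": ("docusign.com", "docusign.net"),
}

# A PHP script served from inside a WordPress theme directory, e.g.
# /wp-content/themes/<theme>/something.php. Legitimate document-sharing
# services do not hand out links of this shape.
WP_THEME_PHP = re.compile(r"/wp-content/themes/[^/]+/.*\.php$", re.IGNORECASE)


def host_matches_brand(host: str, brand_domains: Tuple[str, ...]) -> bool:
    """True if host is exactly one of brand_domains or a subdomain of one.

    Note that "docusign.com.evil.example" does NOT end with ".docusign.com",
    so look-alike hosts that merely embed the brand name are rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def phishing_indicators(url: str, claimed_brand: Optional[str] = None) -> List[str]:
    """Return the warning signs found in a link someone sent you.

    claimed_brand is the service the sender says the link comes from
    (e.g. "docusign"); it is used to spot brand/domain mismatches.
    An empty list means none of the heuristics fired, which is not proof
    that the link is safe.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path or ""
    reasons: List[str] = []

    if parsed.scheme.lower() != "https":
        reasons.append("not served over HTTPS")

    if WP_THEME_PHP.search(path):
        reasons.append("PHP script inside a WordPress theme directory")

    if claimed_brand:
        domains = BRAND_DOMAINS.get(claimed_brand.lower(), ())
        if domains and not host_matches_brand(host, domains):
            reasons.append(f"claims to be {claimed_brand} but host is {host!r}")

    return reasons


if __name__ == "__main__":
    # Constructed sample links: one shaped like the case in this post, one genuine-looking.
    suspicious = "http://some-blog.invalid/wp-content/themes/twentyseventeen/docusign/login.php"
    for link in (suspicious, "https://app.docusign.com/signing/documents"):
        found = phishing_indicators(link, claimed_brand="docusign")
        print(link, "->", found or "no indicators")
```

The check deliberately reports every indicator it finds rather than a single verdict, so a reader (or a mail-filtering rule) can see why a link was flagged. It complements, rather than replaces, the reputation scanners mentioned later in the post, which missed this link entirely.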
Using a free, top-ranked Google website, I scanned the URL for malicious activity. The results were surprising, and full of green. If you’ve never used a website like this one before, just know that there are hundreds of them that offer free scanning services. This site utilizes multiple scanning sites and only one indicated that something was suspicious.
I guess it’s fair to say that some people would trust the link based on the scan results.
Just for fun, I tested the link on Mac, and the antivirus (a trusted one) did not pick it up either.
Unfortunately, without proper guidance from a trusted expert or without having completed a security awareness course, it’s safe to say that a click could be the next step for many users.
In fact, the link is delivering a JS.Phishing.5 spear phishing attack:
Now, let’s see what this cybercriminal had in mind.
When opening the link in a secured environment, a fake DocuSign login portal was displayed, requesting me to log in with either Office 365, Gmail, Facebook, or other known providers.
At first glance, the page itself is not bad. A lot of people could fall for the scam, and I’m sure many already have.
Characteristics of this phishing scenario:
The overall look is of poor quality and does not reflect the corporate image of a serious organization.
There are no spelling or grammatical errors, which used to be one of the most common indicators of a fake landing page. However, phishing attacks are getting more and more sophisticated, and of course you cannot rely solely on this aspect.
The logo and the branding don’t correspond to the real DocuSign format.
None of the links on the page are functional.
If you go directly to the official DocuSign website, it’s easy to see what the real login page should look like. Even a simple Google search will guide you.
Real DocuSign login pages (from support.docusign.com):
The next morning, I wanted to know more about this hacker, so I asked my new friend if they had a PDF document instead because I wanted to keep the conversation going a little longer.
Below was their answer:
I also asked them for a good phone number to discuss this “opportunity”.
But, of course, I did not get a response from the person.
At this point—and for obvious reasons—it was important to report this account to LinkedIn, so they could protect other LinkedIn members. We have also hidden the name of the profile user in this post because it is very possible that this account was compromised and is now controlled by a malicious user without the real account owner knowing it. I also noticed that we had two connections in common and made sure they knew about this situation, so they wouldn’t get phished. Although, they could also be working together…
The reason why I’ve taken the time to share this experience with you is to show you that, when it comes to phishing attacks, most people think that it only happens via personalized or generic emails. However, hackers use all kinds of methods to target their victims, such as social media, text messaging (#smishing), and even LinkedIn Messenger.
I have the chance to work every day with a group of elite cybersecurity experts at Orenda Security. I also had the chance to work in the cybersecurity awareness business for a decade, helping organizations of all sizes with security awareness programs and phishing simulations services. However, that is not the case for most professionals outside of the cybersecurity world, and this direct attack via LinkedIn Messenger can be devastating for any of us.
Just remember to stay alert at all times, and if you have any doubts or find yourself in a similar situation, just reach out to someone that can help you. You can also ignore the message, but don’t open any links. If it’s a real opportunity or something important, that person will find a better way to reach out to you anyway!