Technology

Municipal Government Microsoft 365 Emails Getting "Hacked"

Oklahoma municipalities and municipal partners have been actively getting “hacked” over the past 24 hours. You might receive an email with a suspicious link.

An email, often purporting to be from someone you trust, will arrive in your inbox with the following:

[Image: Phishing.PNG, the sample phishing email]

Clicking on the “View Doc” image will take you to the following web page (don’t do it, but just for your own edification):

[Image: Phishing2.PNG, the fake login page the link leads to]

Trying to “login” to any of those links will simply give your username and password to a hacker. Don’t do it.

What’s insidious about these emails is the complete lack of the other tells, like poor grammar, unrecognized From addresses, and other easy-to-identify phishing hints. In fact, these are clever. They often carry the user’s recognizable email signature. The sending address is legitimate and is often a trusted one. We’ve seen a variety of cities, towns, and municipal partners sending out the same or similar emails, and all of them use Microsoft Office 365. The sample image above doesn’t do it justice. These are designed to be sneaky and fool you. The hackers are clever this time. Don’t fall for it.

Every one of these is most likely coming from a hacked user account. Someone, somewhere, is logging into city email accounts with compromised usernames and passwords and sending these phishing emails to trusted partners and colleagues across the State of Oklahoma. Because they are sent through Microsoft from the real account, they will of course always show as legitimate. This is a clever, coordinated attack and is reminiscent of other, similar attacks in other States over the past couple of years.

In cybersecurity we talk about the cyber “kill-chain”: the sequence of steps an attack moves through, and the points along it where we can use tools to stop its progression. Part of this is user education; in other words, this loss bulletin right here. But there are other steps your city or town needs to take. Simply using Microsoft’s Office 365 solution is not enough. If you re-use your password across multiple sites (and let’s be honest, most people do, since dozens or hundreds of passwords are hard to remember), you must turn on multi-factor authentication. Sometimes this is something you can do for your own account within Microsoft.

Multi-factor authentication is when a system sends you a 6-digit code or requires that you “authorize” your login from an app. You probably already use this for your bank, and maybe even Facebook or Twitter. If you can, you should always turn on multi-factor authentication, as it is one of the easiest ways to stop someone else from using your password.

Watch the following video on how to activate multi-factor authentication for your account. If you’re unsure which link to use, visit:

https://aka.ms/mfasetup

Here’s a link (which includes a helpful video!) to send to your IT staff or consultant that will instruct them on how to turn it on for all of your staff’s Microsoft 365 accounts:

https://docs.microsoft.com/en-us/microsoft-365/business-video/turn-on-mfa?view=o365-worldwide


Advisory: Increased targeted phishing of OK municipalities

Recently, we have had a sudden rise in reports of phishing and scams from OMAG member cities and towns.

These have been more sophisticated than the attacks we are used to seeing. They have used spoofing techniques that make them harder to detect, and language that gives off only subtle hints that it might be a scam.

We are worried that this uptick in attacks may be organized, though we are still investigating.

OMAG wants our members to be especially vigilant during this time, since a disruption in municipal services due to malware or extortion could be especially difficult during an election cycle and when preparing for the upcoming holidays.

Key points of advice are:

  1. Always be extremely careful when dealing with links in emails.

  2. Check carefully for misspellings or “typos” in domain names or email addresses that you are familiar with.

  3. If you aren’t expecting a file from someone, don’t open the attachment.

  4. If someone you know has sent you an email that you aren’t sure about, contact them through a known phone number to ask whether the email is legitimate before opening the link or clicking the attachment.

This is by no means an exhaustive list of precautions. As stated above, the attacks we have seen this week are more sophisticated, and I wanted to give an example of the pattern we saw.

Below I have excerpted a short template from an email that was maliciously sent out by an attacker who was able to spoof one of our cities this week:

Hello,

[CITY NAME] invites your firm to submit a proposal for the above-referenced services in accordance with this RFP package. 

See the attached document for detailed information : [MALICIOUS LINK GOING TO CANVA.COM ]

[…]Due to the size of some of the electronic RFP documents, Owner has uploaded them to the SharePoint” website.

Bidder can access the electronic RFP documents via this weblink: [SAME MALICIOUS LINK GOING TO CANVA.COM ]

(Please advise if there are any technical issues accessing these files)

The email this came from did not have any OBVIOUS signs of a spoofed email address, so we have to look carefully at the language used. The email uses “above referenced” when there was nothing above that line other than “Hello,”. If this had been received as a reply to an already existing email chain, it might be more convincing, but its presence in a brand new email should be a dead giveaway that something is off. The use of “Owner” as if it were a proper name is also a clue that a template was used to create this phishing email, and the sender didn’t know whose name to put in as the boss. This phishing email was polite, which is unfortunate for us, because usually an urgent or threatening tone is an important clue that an email is phishing. There are other things, like referring to an attachment when the email only has links. That could be picked up as a clue that it came from a phishing template, yet it could also be written off as an honest mistake by someone writing a legitimate email to a large group. As we all learn the patterns better, the attackers are learning too.
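The tells described above can also be checked mechanically, which is useful for a help desk or mail administrator triaging reports. The script below is an added illustration for this advisory and is not OMAG’s or any vendor’s tooling. The sample message is constructed to mirror the excerpted RFP template; the city name, the sender and trusted domains, and the Canva link path are placeholders, not real indicators.

```python
"""Heuristic checks for the phishing tells described in the advisory.

Added illustration only; not OMAG's tooling. The sample message below is
constructed to mirror the excerpted RFP template. The domains and the link
path are placeholders.
"""
import re
from urllib.parse import urlparse

# Constructed sample (hypothetical domains, placeholder Canva path).
SAMPLE = {
    "from": "clerk@examplecity.ok.gov",
    "in_reply_to": None,   # a brand-new email, not a reply in a thread
    "attachments": 0,      # number of real attachments on the message
    "body": (
        "Hello,\n\n"
        "Example City invites your firm to submit a proposal for the "
        "above-referenced services in accordance with this RFP package.\n\n"
        "See the attached document for detailed information : "
        "https://www.canva.com/design/PLACEHOLDER-ID/view\n\n"
        "Due to the size of some of the electronic RFP documents, Owner has "
        "uploaded them to the SharePoint website.\n\n"
        "Bidder can access the electronic RFP documents via this weblink: "
        "https://www.canva.com/design/PLACEHOLDER-ID/view\n"
    ),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender, known_domains):
    """Return the trusted domain the sender's domain imitates (1-2 edits away), else None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in known_domains:
        return None
    for known in known_domains:
        if 0 < edit_distance(domain, known) <= 2:
            return known
    return None


def phishing_tells(msg, known_domains=()):
    """Return a list of the tells found; each mirrors a point made in the advisory."""
    body = msg["body"]
    links = URL_RE.findall(body)
    hosts = {urlparse(u).hostname or "" for u in links}
    tells = []

    # 1. "above-referenced" in a brand-new email that has no earlier thread.
    if re.search(r"\babove[- ]referenced\b", body, re.I) and not msg.get("in_reply_to"):
        tells.append("'above-referenced' with no prior thread")

    # 2. "Owner" used as if it were a proper name (no article in front of it).
    if re.search(r"(?<!the )(?<!an )\bOwner\b", body):
        tells.append("'Owner' used as a proper name (template artifact)")

    # 3. Talks about an attachment but the message carries only links.
    if re.search(r"\battach(ed|ment)\b", body, re.I) and msg["attachments"] == 0 and links:
        tells.append("mentions an attachment but has only links")

    # 4. Claims the files are on SharePoint, but the links point elsewhere.
    if re.search(r"\bsharepoint\b", body, re.I) and not any(
        h.endswith(".sharepoint.com") for h in hosts
    ):
        tells.append("claims SharePoint but links go to: " + ", ".join(sorted(hosts)))

    # 5. Look-alike sender domain (advice point 2: typos in familiar domains).
    imitated = lookalike_domain(msg["from"], known_domains)
    if imitated:
        tells.append(f"sender domain resembles trusted domain {imitated}")

    return tells


if __name__ == "__main__":
    for tell in phishing_tells(SAMPLE, known_domains={"examplecity.ok.gov"}):
        print("TELL:", tell)
```

Run against the constructed sample, the script reports four tells (the template language, the phantom attachment and the SharePoint claim against a Canva link) and no look-alike domain, matching the advisory’s point that the sending address itself looked legitimate. A sender at a typo-squatted domain such as `exarnplecity.ok.gov` would trip the fifth check instead.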

So please be especially cautious as the calendar leads up to the end of this year.  Try to recognize the patterns and use your best judgment.

When in doubt, getting in touch with someone on the phone through a known main number is still a very good way to try to confirm the legitimacy of an email.


Introducing the OMAG All Access Podcast

Check out the new OMAG All Access podcast on all major podcast apps and services. Timely, relevant help on municipal government from your friendly experts at OMAG. Learn more by visiting www.omag.org/allaccess.


Hackers Finding New Targets Thanks to COVID-19

With the COVID-19 outbreak changing the situation so drastically for everyone, and so many people working from home, it is likely to create new opportunities for cybercriminals to exploit as well.


PowerPoint Tips & Tricks

Have you ever been asked to create a presentation but didn’t know where to start? Do you feel like your presentations are a little lackluster?

OMAG has developed a short guideline of best practices to help in making your presentations the best they can be. Look for more in the future, but for now this should help to get you started. If you have any questions or would like to learn more, please contact Matthew Burleson.


Understanding Your OMAG Cyber Liability Coverage

As personnel in municipal offices change, replacing the knowledge and experience of the person who served your municipality can be difficult. Understanding insurance coverage when so many other things seem to demand our attention may not be a priority. The following provides a basic description of the cyber liability coverage OMAG provides. Please refer to your cyber liability and data breach response supplemental declarations page to review applicable limits.

Information Security and Privacy Liability - Covers damages and claims expenses because of a claim for:

  • theft, loss, or unauthorized disclosure of personally identifiable non-public information or third-party information that is in the care, custody, or control of the insured organization

  • one or more of the following acts or incidents that directly result from a failure of computer security to prevent a security breach:

    • the alteration, corruption, destruction, deletion, or damage to data stored on computer systems

    • the failure to prevent transmission of malicious code from computer systems to computer or network systems that are not owned, operated or controlled by an insured; or

    • the participation by the insured organization’s computer systems in a denial of service attack directed against a computer or network systems that are not owned, operated or controlled by an insured

  • failure to timely disclose an incident described above in violation of any breach notice law

  • failure to comply with that part of a privacy policy that specifically:

    • prohibits or restricts the disclosure, sharing or selling of a person’s personally identifiable non-public information;

    • requires the insured organization to provide access to personally identifiable non-public information or to correct incomplete or inaccurate personally identifiable non-public information after a request is made by a person; or

    • mandates procedures and requirements to prevent the loss of personally identifiable non-public information

  • failure to administer (a) an identity theft prevention program or (b) an information disposal program required by regulations and guidelines

Privacy Breach Response Services - Provides privacy breach response services because of:

  • theft, loss, or unauthorized disclosure of personally identifiable non-public information or third-party information that is in the care, custody, or control of the insured organization; or

  • one or more of the following acts or incidents that directly result from a failure of computer security to prevent a security breach

    • the alteration, corruption, destruction, deletion, or damage to data stored on computer systems

    • the failure to prevent transmission of malicious code from computer systems to computer or network systems that are not owned, operated or controlled by an insured; or

    • the participation by the insured organization’s computer systems in a denial of service attack directed against a computer or network systems that are not owned, operated or controlled by an insured.

Privacy breach response services include the following:

  • forensic and legal assistance from a panel of experts to help determine the extent of the breach and the steps needed to comply with applicable laws

  • notification to persons who must be notified under applicable law

  • credit and identity monitoring services to affected individuals

  • public relations and crisis management expenses

Regulatory Defense and Penalties - Covers claims expenses and penalties resulting from a claim in the form of a regulatory proceeding resulting from a violation of privacy law and caused by any of the following incidents:

  • theft, loss, or unauthorized disclosure of personally identifiable non-public information or third-party information that is in the care, custody, or control of the insured organization

  • one or more of the following acts or incidents that directly result from a failure of computer security to prevent a security breach

    • the alteration, corruption, destruction, deletion, or damage to data stored on computer systems

    • the failure to prevent transmission of malicious code from computer systems to computer or network systems that are not owned, operated or controlled by an insured; or

    • the participation by the insured organization’s computer systems in a denial of service attack directed against a computer or network systems that are not owned, operated or controlled by an insured

  • failure to timely disclose an incident described above in violation of any breach notice law

Website Media Content Liability - Covers damages and claims expenses for one or more of the following acts committed during the course of the insured organization’s display of media material on its website or on social media web pages created or maintained by or on behalf of the insured organization:

  • Defamation, libel, slander, infliction of emotional distress, outrage, or other tort related to disparagement or harm to the reputation or character of any person or organization

  • Violation of the rights of privacy of an individual

  • Invasion or interference with an individual’s right of publicity

  • Plagiarism, piracy, misappropriation of ideas

  • Infringement of copyright, domain name, trademark, trade name, trade dress, logo, etc.

  • Improper deep-linking or framing within electronic content


PCI Fines, Expenses and Costs - Indemnifies the insured for PCI fines, expenses and costs the insured becomes legally obligated to pay because of a claim

Cyber Extortion - Indemnifies the insured for certain cyber extortion loss, subject to policy conditions, as a direct result of an extortion threat 

First Party Data Protection - Indemnifies the insured for certain data protection loss incurred as a direct result of: 

  • Alteration, corruption, destruction, deletion, or damage to a data asset

  • Inability to access a data asset that is directly caused by a failure of computer security to prevent a security breach

First Party Network Business Interruption - Indemnifies the insured for certain business interruption loss sustained during the period of restoration as a direct result of the actual and necessary interruption of computer systems caused directly by a failure of computer security to prevent a security breach

The descriptions contained in this communication are for informational purposes only. The exact coverage afforded by the product described herein is subject to and governed by the terms and conditions of each policy issued. 
