Category: IT Security

Spammers Corner: Frank from the UK

I think this Spammer appreciated the humor behind my replies. God bless you Frank Mercer and good luck with your $12,500,000 USD.


Evernote EXB File Puts Your Notes At Risk!

Evernote has been a well-respected, popular note-taking application used by millions of people worldwide for quite some time now. I myself have been a promoter of Evernote and even a paid customer at one time. Keeping this much data away from prying eyes is a real challenge for any company. In 2013 Evernote’s systems were breached and 50 million users were forced to change their passwords as a precaution.


I wanted to share a security issue I have discovered with Evernote, not to throw stones at the company, but to spread awareness to help secure the confidentiality of your notes in Evernote.

A few weeks ago, I switched over to a new laptop at work. I was poking around in my Evernote database folder on my system and was particularly interested in my EXB file. The EXB file is stored in the C:\Users\%USERNAME%\AppData\Local\Evernote\Evernote\Databases folder and acts as a local replica of your Evernote database. All of your notes are stored in this database. When you update or create a note, that data is written to the EXB file and then synchronized back to the cloud under your account.

So what’s the risk?

Evernote EXB files are stored in plain text. The file is named after your user name with the extension .EXB. For example, if your Evernote user name was JohnDoe1999 then your EXB file would be JohnDoe1999.EXB. What I discovered was that if someone were to get hold of your EXB file, it’s actually quite simple to access all the notes for that user without even knowing that user’s Evernote password.

Proof of Concept:
For this example, let’s pretend my Evernote user name is CtrlAltDel, my laptop with Evernote installed was stolen, and the person who found it removed my hard drive, connected it to their own system and now has full access to the file system.

How does the bad actor get access to my notes?

  1. Install the Evernote client on his computer, register an account and log in. Once logged in, Evernote will create a new EXB file for his account name under C:\Users\BadActor\AppData\Local\Evernote\Evernote\Databases. Let’s say his account is badguy101.
  2. The bad actor quits the Evernote client and terminates all Evernote processes.
  3. The bad actor renames his EXB file (badguy101.exb) to something else, and copies my EXB file into his database folder.
  4. The bad actor renames my EXB file to his account name.
  5. The bad actor unplugs or disables his network connection so that when he logs in, Evernote will use cached credentials.
  6. The bad actor logs in to his account with cached credentials. Evernote starts and opens the EXB file that now carries his account name, which is actually my EXB file.
  7. Once it is open, the bad actor can access all of my notes. Of course, encrypted notes will stay encrypted.


I reached out to Evernote to report this issue, but it appears they are already aware of the limitations of the EXB file. The response I got is that your database is stored unencrypted both locally and on their servers, that the connection between your system and their servers is encrypted with TLS, and that it’s up to the end user to take precautionary steps to secure their systems against unauthorized access.

So what precautionary steps can you take?

  1. Well for one, don’t install the Evernote client on untrusted or shared systems.
  2. Encrypt confidential notes using the encryption method built in to Evernote.
  3. Move your Evernote database out of the default location, and store it somewhere only you have access to it.
  4. If you’re an advanced user, consider creating an encrypted volume using a tool such as VeraCrypt and move your database to the encrypted volume.
  5. Use the Evernote Web Client only!

Written By: Amardeep Juneja

Spammers Corner: Mrs Flora Patrick

I was presented with the opportunity to help many charities recently. As always, I took advantage!


Spammers Corner: Liberal Party Mail SPAM

What do you do when the Canadian Liberal Party sends you junk mail with a postage paid return envelope?

Send it back to them with some SPAM of your own! #FightSPAMWithSPAM


Spammers Corner: FedEx Delivery

I cannot believe FedEx could not deliver my package! I really needed that treasure map!


Spammers Corner!

Welcome to Spammers Corner, where the senders don’t matter and the replies are hilarious!

After watching James Veitch’s TED Talk titled “This is what happens when you reply to SPAM email”, I’ve been inspired to have some fun of my own.

I’m starting a new section on this blog titled “Spammers Corner” where I respond to SPAM and see what fun I can have.

It’s time to take a stance, and #FightSPAMWithSPAM!

Wire Fraud Phishing Scam Targeting Executives

Over the last few months, I’ve noticed a huge jump in wire fraud phishing campaigns. Be on high alert for phishing emails sent from domains that look similar to your company’s domain, appearing to come from known executives and asking for wire transfers! In almost all cases, attackers are moving away from spoofing email addresses and are actually registering domain names similar to yours. From my recent investigations, the findings have all been the same. Here’s a breakdown of what is happening, and how you can protect yourself from wire fraud.

Let’s pretend the CEO of our company Contoso is named Alex Black. The real Alex Black’s email address is Alex.Black@contoso.com.

The bad actor starts off the phish by registering a domain similar to ours such as “contoso.co”. In almost all cases I have seen, the bad actors are registering domains through VistaPrint because of a free website promo they offer. Details of this can be found on PhishMe.

Once the domain is registered, they create a legitimate email account on it whose name matches an executive at the company, in this example the CEO Alex Black. So now we have the address Alex.Black@contoso.co.

It’s time to go phishing! The bad actor then sends an email to an unsuspecting employee as Alex.Black@contoso.co. The message looks something similar to this:

Hi,

Are you busy? I need you to process a wire transfer for me today. Let me know when you are free so that I can send you the beneficiary details.

Thanks,
Sent from my iPhone.

In some cases, employees will reply to the email without noticing that the domain name is off. If the bad actor is asked for clarification or confirmation, they usually reply with urgency, saying they are in meetings or travelling and unavailable to talk on the phone. This sense of urgency can cause employees to skip basic common sense and fall victim to the phish.

So what can you do to avoid this type of phish?

  1. Create a standard procedure for wire transfers across your entire organization. At minimum, anyone requesting a wire transfer must validate the request over the phone, or use a tiered approach where more than one person is involved in issuing a wire transfer, with set procedures to follow at each tier.
  2. Create rules in your message filtering system that watch for this on behalf of your executives (pseudo rule: any message where the sender contains Alex.Black but the sender domain is not contoso.com, flag as suspicious).
  3. Educate your users to be more vigilant when asked for a wire transfer!
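The pseudo rule above, worked through as an added example (not code from the original post): a small Python check that flags inbound mail whose sender name matches a protected executive but whose domain is not the company’s own, and goes a step further by catching lookalike domains within a couple of character edits of the real one (such as contoso.co versus contoso.com) and Reply-To headers that point somewhere other than the visible sender. The executive directory, the legitimate domain set and the sample headers are constructed for illustration; in practice they would come from your directory and your mail gateway.

```python
"""Flag inbound mail whose sender impersonates an executive from a lookalike domain.

Constructed example: the executive directory, legitimate domain set and sample
headers below are made up for illustration. The core check mirrors the post's
pseudo rule (executive name in the sender, domain not the company's own).
"""
import re
from email.utils import parseaddr

# Domains whose mail is legitimate (assumed for the example).
LEGIT_DOMAINS = {"contoso.com"}

# Executives to protect: normalized name -> their real address (constructed).
EXECUTIVES = {
    "alex black": "alex.black@contoso.com",
}


def _normalize(name: str) -> str:
    """Lowercase and collapse separators so 'Alex.Black', 'Alex_Black' and
    'Alex Black' all compare equal."""
    return " ".join(re.split(r"[\s._\-]+", name.strip().lower())).strip()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domain names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, max_distance: int = 2) -> bool:
    """True when the domain is within a few edits of a company domain but is
    not a company domain itself (contoso.co, c0ntoso.com, contoso.corn, ...)."""
    domain = domain.lower()
    if domain in LEGIT_DOMAINS:
        return False
    return any(_edit_distance(domain, legit) <= max_distance for legit in LEGIT_DOMAINS)


def check_sender(from_header: str, reply_to_header: str = "") -> list:
    """Return the list of reasons a message should be flagged (empty means clean)."""
    display_name, address = parseaddr(from_header)
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()
    reasons = []

    # The post's rule: an executive's name in the sender, but not our domain.
    candidates = {_normalize(display_name), _normalize(local_part)}
    impersonated = [exe for exe in EXECUTIVES if exe in candidates]
    if impersonated and domain not in LEGIT_DOMAINS:
        reasons.append(f"executive name '{impersonated[0]}' from external domain {domain}")

    # A domain that is almost ours is suspicious even without a known name.
    if is_lookalike_domain(domain):
        reasons.append(f"lookalike domain {domain}")

    # Replies routed somewhere other than the visible sender.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if reply_addr and reply_addr.lower() != address.lower():
            reasons.append(f"reply-to mismatch ({reply_addr})")

    return reasons


# Constructed sample headers: the real CEO, the lookalike from the post,
# a bare-address variant, and an unrelated external sender.
SAMPLE_MESSAGES = {
    "real-ceo": ("Alex Black <Alex.Black@contoso.com>", ""),
    "lookalike": ("Alex Black <Alex.Black@contoso.co>", ""),
    "bare-lookalike": ("Alex.Black@contoso.co", ""),
    "forwarded-reply": ("Alex Black <Alex.Black@contoso.com>", "alex.black@mail-forward.example"),
    "unrelated": ("Jane Doe <jane@example.org>", ""),
}


def triage(messages: dict) -> dict:
    """Run check_sender over a {label: (From, Reply-To)} mapping."""
    return {label: check_sender(frm, reply_to) for label, (frm, reply_to) in messages.items()}


if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_MESSAGES).items():
        verdict = "FLAG" if reasons else "ok  "
        print(f"{verdict} {label}: {'; '.join(reasons)}")
```

The name match is deliberately loose (display name or local part, separators ignored) because the filter has to catch both “Alex Black <alex.black@contoso.co>” and a bare alex_black@contoso.co; the cost is that a genuine external contact who shares an executive’s name will be flagged for review, which is the right trade-off for a wire-transfer control.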

Written By: Amardeep Juneja
