Okay, okay. This article isn’t about Flash Gordon. I just couldn’t resist using the picture. It’s about Adobe Flash Vers. 220.127.116.11, a Zero-Day exploit, and a Phishing campaign recently discovered by the South Korean Computer Emergency Response Team (KR-CERT).
The exploit leverages corrupted Adobe Flash files that are embedded in Microsoft Office documents and sent by email. It allows hackers to take over the victim’s end-point remotely.
There are two different ways to handle this attack:
- Educate yourself regarding Phishing Attacks so that you don’t fall into this trap
– and/or –
- Completely uninstall Adobe Flash from your end-points and avoid using it altogether
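For administrators who want to screen inbound attachments for the delivery method described above (Flash content embedded in an Office document), here is a defensive check added as an example; it is not code from KR-CERT, Adobe or this article's sources. It unpacks a document and reports any part carrying a SWF file signature or the Shockwave Flash ActiveX class ID; the function names and the sample documents are constructed for this example, and a hit is a triage indicator, not proof of an exploit.

```python
import io
import re
import uuid
import zipfile

# SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA) plus a version byte.
SWF_MAGIC = re.compile(rb"[FCZ]WS[\x01-\x32]")
# Class ID of the Shockwave Flash ActiveX control, as text (OOXML activeX XML parts)...
FLASH_CLSID_TEXT = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
# ...and in the little-endian GUID layout used inside binary OLE streams.
FLASH_CLSID_BIN = uuid.UUID(FLASH_CLSID_TEXT.decode()).bytes_le
MAX_PART = 50 * 1024 * 1024  # do not inflate oversized zip members

def scan_blob(name, data):
    """Return (part_name, indicator) findings for one byte string."""
    findings = []
    if SWF_MAGIC.search(data):
        findings.append((name, "swf-signature"))
    if FLASH_CLSID_TEXT in data.upper() or FLASH_CLSID_BIN in data:
        findings.append((name, "flash-activex-clsid"))
    return findings

def scan_office_document(data):
    """Scan an Office file given as bytes; OOXML (zip) parts are unpacked first."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy OLE (.doc/.xls) or RTF: search the raw bytes.
        return scan_blob("<raw file>", data)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART:
                findings.append((info.filename, "skipped-oversized"))
                continue
            findings += scan_blob(info.filename, zf.read(info))
    return findings

def build_sample(with_flash):
    """Constructed sample: a minimal zip shaped like a .docx, with stub bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>Quarterly report</w:document>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            zf.writestr("word/activeX/activeX1.bin", b"\x00" * 16 + b"CWS\x20" + b"\x00" * 8)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_office_document(build_sample(True)))
```

The four-byte signature match can fire by chance on large binary parts, so treat findings as a reason to quarantine and inspect rather than as a verdict.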
How to avoid Phishing Attacks:
We spoke with Kowsik Guruswamy, the Chief Technology Officer at Menlo Security, a few months ago for another article to get a better idea of what exactly Phishing or Spear Phishing is and how you can avoid it.
“Phishing is a way (mostly via email) to entice/lure users to click on a link that typically results in one of three things happening,” Guruswamy said. “1. A drive-by-download resulting in a malware dropper. 2. A download of a weaponized document that’s a Ransomware. 3. Credential theft from a website pretending to be a legitimate site.
“The results of Spear Phishing are the same, but the email is much more contextualized to that specific user. For example, it might be related to something that user recently posted on social media, it could be masquerading as an email from a “trusted” partner that the user recently transacted with. The contextual nature of the email makes it that much easier to fool users.”
The good people over at Phishing.org have put together a list of things you can do to avoid swimming into an attacker’s net.
I’ve cherry-picked the best items and included them below:
1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one. For IT administrators, ongoing security awareness training and simulated phishing for all users is highly recommended in keeping security top of mind throughout the organization.
2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information but the email may not contain your name. Most phishing emails will start with “Dear Customer” so you should be alert when you come across these emails. When in doubt, go directly to the source rather than clicking a potentially dangerous link.
4. Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar.
Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low-cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals.
5. Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too.
To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check every entry carefully to ensure no fraudulent transactions have been made without your knowledge.
6. Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.
7. Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
8. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.
9. Never Give Out Personal Information – As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online when users had to be constantly warned due to the success of early phishing scams.
When in doubt, go visit the main website of the company in question, get their number and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required.
An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https.”
10. Use Next Generation Antivirus Software* – There are plenty of reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time.
Anti-spyware and firewall settings should be used to prevent phishing attacks, and users should update the programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the Internet to your computer. It helps to avoid damage to your system.
Adobe Flash is archaic technology, and you should avoid using it if you can:
Originally introduced in 1996 by Macromedia, Flash quickly became one of the most popular digital authoring/publishing tools of all time.
But since its inception over 22 years ago, the tool’s been leveraged multiple times as an avenue of attack. It’s practically impossible to list all of them. Wikipedia’s Adobe Flash article has an expanded section on security that’s probably worth reading (https://en.wikipedia.org/wiki/Adobe_Flash_Player#Security).
Many in the tech community have lobbied against the continued use of Adobe Flash for years. The late Steve Jobs led the charge with an impassioned article in 2010 that painted an unambiguous picture regarding how unstable and unsecured the platform was and why Apple wouldn’t be using it on their mobile devices (https://www.apple.com/hotnews/thoughts-on-flash/).
The takeaway from Jobs’ letter (which has been proven time and again to be accurate) is that Flash just isn’t safe.
“Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods, and iPads by adding Flash.”
Since a majority of media is now consumed on mobile devices (especially iOS devices), Adobe Flash has become increasingly less popular as time marches on. There just aren’t as many instances of the software out in the wild as there used to be. New technology like HTML5 has replaced it.
So, will this Flash exploit be the straw that breaks the camel’s back and pave the way for North Korean cyber supremacy?
Pardon the parlance but “Lol!”
No. No, it won’t. It’s a Flash exploit. It only impacts the goobers out in the wild that still actively use the outdated and unsafe software. And the number of people who use Flash gets smaller and smaller every day.
So, what’s the solution? How can you prevent the end of digital civilization as we know it? That’s easy: uninstall Flash from your machine. Wash your hands of it entirely and never look back.
If you do need to use Flash and your business uses it regularly, at least download Google Chrome and use the version of Flash embedded in there.
No version of Flash is safe from this exploit (including the instance embedded in Chrome directly) so take that into account before moving forward.
Adobe promises to address the issue in an upcoming release. To be perfectly honest though, it’s only a matter of time before another security hole is uncovered in the software.