Netizen Cybersecurity Bulletin (December 2nd, 2021)


  • Phish Tale of the Week
  • Ubiquiti Developer Charged With Extortion
  • IKEA Fights Ongoing Phishing Campaign
  • How can Netizen help?

Phish Tale of the Week

Phishing attempts can often target specific groups that can be exploited by malicious actors. In this instance, we see a phishing scam targeting unsuspecting Amazon customers or just someone who doesn’t check their email rigorously. This email appears to be a notification alerting us that our email is missing from Amazon and a package was supposed to be delivered today. This email contains Amazon’s branding and a convincing message saying to reply with the correct shipping address, so why not click the link and update details? Unfortunately, there’s plenty of reasons not to click that email right away.

Take a look below:

  1. The first red flag on this email is the sender address. Always thoroughly inspect the sender address to ensure its from a trusted sender. In the future, check all suspicious emails from companies against previous correspondences you’ve received and make sure the sender address is the same.
  2. The second warning sign in this email was the lack of authentication. The message says a delivery was scheduled for today, but normally Amazon fulfills their shipping orders using UPS, FedEX or USPS. While Amazon will normally alert you of a missed delivery, the lack of an additonal email from the shipping company is cause for suspicion.
  3. The final warning sign for this email is the callouts at the bottom. This message says to “update detals”. Brief messaging is normally used in scams like this to attract people to just read what they say and click as fast as possible. One easy way to spot a scam email is to reference previous emails you’ve received from the company. When compared to other correspondences from Amazon, this email immediately looks different.

General Recommendations:

A phishing email will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via email. 

  • Scrutinize your emails before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender is actually from the company sending the message.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
  • Do not give out personal or company information over the internet.
  • Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

For Venmo-specific recommendations and tips check out this link to their fraud detection center here.

Cybersecurity Brief

In this week’s Cybersecurity Brief:

Ubiquiti Developer Charged With Extortion

Following a January 2021 data breach, technology vendor Ubiquiti Inc. has uncovered the source behind the incident. On Wednesday in Oregon, federal prosecutors arrested Nickolas Sharp, a former senior developer at Ubiquiti. Sharp stands accused of stealing gigabytes of confidential, proprietary data from his former employer and then trying to extort Ubiquiti for $1.9 million to return the files. Sharp worked at the New York-based company from August 2018 to April 2021, acting as an unidentified whistle-blower claiming that a hacker was responsible for the January data breach.

Prosecutors claim Nickolas Sharp applied for a different job at another tech company in December of 2020. He then abused his access privileges to steal Ubiquiti data via Uqibuti’s AWS server and the company’s GitHub accounts. Employees inside of Ubiquiti uncovered unusual download traffic on December 28, noting a user had leveraged internal company credentials and a VPN connection to mask their actual location. This prompted the tech company to investigate the suspicious activity further.

On January 7, a senior Ubiquiti employee received a ransom email sent to them through an IP address with the same VPN used to download the stolen data. The email explained that internal and external Ubiquiti data had been stolen, and the ransomer demanded 25 bitcoin in exchange for the return of the data. The assailant then offered to identify a “backdoor” they had left in the Ubuqiti environment for an additional 25 bitcoin. Prosecutors believe Nickolas Sharp sent this ransom while working on the remedial team tasked with investigating the breach, bringing him closer to the crime and giving him a chance to stifle any efforts to uncover the breach’s source.

Federal investigators claim that while attempting to download the data, Sharp’s internet connection briefly failed, disrupting his VPN connection and exposing his internet address. Sharp maintains his innocence and claims the VPN subscription tying him to the crime must have been purchased by someone else using his PayPal account.

Prosecutors are charging Nickolas Shark with intentionally damaging protected computers, making false statements to the FBI, transmitting interstate communications with the intent to extort, and wire fraud. If found guilty Sharp faces a maximum sentence of 37 years in prison.

Following the announcement of this data breach in a March disclosure, Ubiquiti’s stock tumbled 20%, erasing $4 billion in market cap.

To read more about this article, click here.

IKEA Fights Ongoing Phishing Campaign

While many Americans were out shopping on Black Friday, Swedish design company IKEA was busy fighting an ongoing internal phishing campaign rather than hoards of shoppers. Reports from inside IKEA show that a reply-chain email attack is being utilized to install malware on unsuspecting employee devices through malicious download links hidden in documents. This attack differs from most phishing campaigns by using legitimate company email accounts to hijack email chains and distribute ransomware and malware.

After detecting this attack, IKEA has been on high alert and has urged all employees to use caution when opening or replying to any emails in their inboxes. At this time, official IKEA accounts, distributors, suppliers, and other organizations with ties to IKEA are considered compromised. IKEA’s internal security team has detected numerous malicious emails sent to their employees from most of their business partners.

IIKEA security teams have warned employees that the reply-chain emails have seven-digit codes and an example email attached to all emails. Employees have also been advised not to open any suspicious emails, regardless of the sender, and immediately report them to the IT department.

On Tuesday, an IKEA spokesperson was pressed on this matter, asking if the phishing attack had been contained. He responded by saying, “IKEA takes this matter very seriously. We continue to monitor to ensure that our internal defense mechanisms are sufficient. Actions have been taken to prevent damages, and a full-scale investigation is ongoing”. 

For more information check out the rest of the article here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Copyright © Netizen Corporation. All Rights Reserved.