QR code phishing

Breaking down a new tactic for phishing attempts: getting users to scan a QR code on their phone to bypass corporate security

I’ve been seeing a lot of QR code phishing attempts lately. If you’ve not seen the tactic in your environments, the recipient receives an email, and it asks them to scan a QR code on their phone to authenticate and open the link. Here’s a sample email I received from a colleague in my environment:

The image is the email, except I’ve blurred the QR code and censored out personal information in the email. And, honestly, this is quite a clever mechanism. Attackers know that there are most likely security mechanisms on company-owned and -managed computers that would block this going anywhere. But those security tools aren’t on our colleagues’ phones.

Being curious, I decided to check out where this QR code led. Now before you throw your computers across the room and scream at me for needlessly compromising my own environment, I uploaded the QR code image to a QR code web service and got the plain text version of that code. Nobody was hurt in the process. If someone scanned the QR code, here’s the initial site they would have gone to (with some elements of the URL changed to anonymize this):

https://doportal.documentmailbox.com/RedirectTarget.aspx?Action=EmailRedirect&BrandingID=ConEdison&IdToken=[guid]&CheckSum=[checksum]&TargetUrl=https://super-firefly-8102.on.fleek.co/#[user email address]

The first URL is to a service called documentmailbox.com. That appears to be a legitimate service, but attackers are abusing its redirect API to bounce recipients on to other URLs. We’ve seen the same thing with services like DocuSign in the past: a DocuSign URL will make it through web filtering in a corporate environment, but super-spammy-site.biz probably won’t.

After that redirect, the TargetUrl points to a site hosted by a service called Fleek. Fleek is a service that claims to host websites using “decentralized” and “censorship-free” Web3 protocols, so of course it’s going to be used by bad actors. (Ed. note: we know you don’t like Web3, so save that for later.)
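As an added example (not code from this post), here is a small helper that unwraps a redirector link like the one above into its chain of hops, so a mail filter or an analyst can judge the final destination and the recipient-specific fragment instead of the trusted-looking first hostname. The query-parameter names other than TargetUrl, the allowlist of acceptable final domains, and the second sample link are assumptions.

```javascript
// Added example, not code from the original post. Parameter names other than
// TargetUrl, the allowlist, and the sample links below are assumptions/constructed.
const REDIRECT_PARAMS = ["TargetUrl", "target", "url", "redirect", "u"];

// Follow nested "redirect to X" parameters, collecting the hostname of each hop.
// The first hop's fragment is kept because links of this kind carry a
// per-recipient token there (the sample above puts the user's email after '#').
function unwrapRedirect(link, maxHops = 5) {
  const hops = [];
  let fragment = "";
  let current = link;
  while (current && hops.length < maxHops) {
    let parsed;
    try { parsed = new URL(current); } catch { break; }   // stop on a malformed hop
    hops.push(parsed.hostname.toLowerCase());
    if (!fragment && parsed.hash) {
      const raw = parsed.hash.slice(1);
      try { fragment = decodeURIComponent(raw); } catch { fragment = raw; }
    }
    current = null;
    for (const name of REDIRECT_PARAMS) {
      const value = parsed.searchParams.get(name);
      if (value && /^https?:\/\//i.test(value)) { current = value; break; }
    }
  }
  return { hops, finalHost: hops[hops.length - 1] || null, fragment };
}

// Last two labels of a hostname: enough for an allowlist comparison in this example.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Flag when the link bounces through at least one redirector to a final domain that
// is not on the allowlist, or when the fragment carries an email address (a sign
// the link was minted for one specific recipient).
function shouldFlag(link, allowedDomains) {
  const { hops, finalHost, fragment } = unwrapRedirect(link);
  if (!finalHost) return true;                       // unparseable: treat as suspicious
  const bounced = hops.length > 1 && !allowedDomains.includes(baseDomain(finalHost));
  const targeted = /@/.test(fragment);
  return bounced || targeted;
}

// Constructed samples: the anonymized link from the post, and the same shape with a made-up address.
const SAMPLE_LINK = "https://doportal.documentmailbox.com/RedirectTarget.aspx?Action=EmailRedirect&BrandingID=ConEdison&IdToken=[guid]&CheckSum=[checksum]&TargetUrl=https://super-firefly-8102.on.fleek.co/#[user email address]";
const SAMPLE_TARGETED = "https://redirector.example.com/go?TargetUrl=https://landing.example.net/#someone@example.org";
const ALLOWED_DOMAINS = ["documentmailbox.com", "docusign.net"];
```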

There have been some great write-ups on this exact service being used for phishing attacks similar to this. Over on SystemWeakness.com, Lena has done a fantastic analysis of where these URLs go. And of course, because Web3 is about resisting censorship, there’s no way to report to this hosting company that their site is being used for abuse. I’m not going to speculate that this is by design… (Eds.: …)

Anyway, what are some things we can do to manage this style of threat? Obviously, the first thing is to tell anyone in your environment that scanning a QR code in an email to access something is not standard practice. If it is standard practice in your environment, then stop! There’s no legitimate reason why you need to authenticate in this way to share information with your users.

As for technical and administrative blocks, this one’s hard to assess. According to the summary email headers, the email was sent on behalf of someone. That’s not really a reason to block an email. The original email is from a .co.jp domain, so perhaps you could create a mail transport rule that routes email from TLDs you rarely see into your users’ junk email folders. But that’s a policy decision that IT administrators would have to make with their respective risk management teams.

Coming on Friday: a new Friday Five talking about some security tools IT administrators can implement to help users make smart security choices.

PaperCut MF badge scanning

A little-known PaperCut feature on translating and transforming card formats. Perfect if you’ve just built or rebuilt your PaperCut infrastructure

As part of a recent IT upgrade, I rebuilt our entire printing infrastructure. There were some issues with how it was previously built, so this was a good time to start from scratch. One of the issues was our PaperCut MF installation, of which I’ve documented our challenges on this blog this year.

We use the badge scanning feature of PaperCut on our two copiers for secure print release and accounting purposes. (It also helps me make the case to those who want a personal printer that they don’t need one!) But I found that the card reader may hand PaperCut the card number in a different format than the one you’re expecting.

The setting is buried in the Config Editor (Options > Config Editor) as ext-device.card-no-converter. Here are the various values:

  • ascii-enc: Unpacks an ASCII-encoded card value
  • hex2dec: Converts hexadecimal (base-16) to decimal (base-10)
  • dec2hex: Converts decimal to hexadecimal
  • javascript:[path]: Runs the JavaScript file at the given path to convert a card’s read value into something else
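As an added illustration (not PaperCut’s own code), here are the three built-in conversions written as plain JavaScript functions, plus a convert() entry point of the shape a javascript:[path] converter file would provide. The convert(cardNumber) signature, the exact meaning of ascii-enc, and the sample card values are assumptions.

```javascript
// Added example, not PaperCut's own code. The convert(cardNumber) entry point,
// the ascii-enc semantics and the sample values are assumptions.

// hex2dec: the reader reports the card's raw bytes as hex, but the user
// directory stores the decimal number printed on the card.
function hex2dec(card) {
  if (!/^[0-9a-fA-F]+$/.test(card)) throw new Error("not a hex card value: " + card);
  return BigInt("0x" + card).toString(10);   // BigInt: long card ids exceed 2^53
}

// dec2hex: the reverse direction, upper-case with no leading zeros.
function dec2hex(card) {
  if (!/^[0-9]+$/.test(card)) throw new Error("not a decimal card value: " + card);
  return BigInt(card).toString(16).toUpperCase();
}

// ascii-enc (assumed meaning): the reader sends each printed digit as the hex of
// its ASCII code, so "31323334" is the card printed as "1234".
function asciiEnc(card) {
  if (card.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(card)) {
    throw new Error("not an ASCII-encoded card value: " + card);
  }
  let out = "";
  for (let i = 0; i < card.length; i += 2) {
    out += String.fromCharCode(parseInt(card.slice(i, i + 2), 16));
  }
  if (!/^[0-9A-Za-z]+$/.test(out)) throw new Error("decoded value is not printable: " + out);
  return out;
}

// Entry point a javascript:[path] converter would expose (assumed name). The rule
// used here: readers hand over hex, the directory stores decimal. Unparseable input
// throws, so a misconfigured reader fails loudly instead of yielding a number that
// silently matches no user.
function convert(cardNumber) {
  return hex2dec(String(cardNumber).trim());
}
```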

Hopefully this will help someone working through a new PaperCut MF installation. I’ll write more later about some of the things I’ve learned from rebuilding our PaperCut.

Friday Five: Email Security Improvements

In today’s Friday Five: Some thoughts for IT administrators on giving tools to their users to make security-conscious decisions

Earlier this week, I wrote about a new email phishing tactic I’ve been seeing in my environment – bad actors are trying to get users to scan a QR code on their phones in an attempt to defeat any filtering or security measures that might be on a corporate computer. That got me thinking: what can we do as IT practitioners to help our users make informed decisions?

This isn’t going to be a typical security-related essay. I’m not going to focus on five things IT administrators can do or five things for our users to do to bolster security. While implementing technical blocks and controls is certainly important, in this world where working remotely is almost expected, educating our users and giving them tools to make security-conscious decisions is going to be way more important.

One last thing: This is going to be heavily geared toward Microsoft 365. If you use other platforms for email, some of these tools may be available, but your mileage may vary.

1. Be skeptical of any communications you weren’t expecting. I can’t remember how many times I have said to people something like this: “Don’t click links, download attachments, [and now scan QR codes] or do anything with emails you weren’t expecting to receive.” It’s probably way overdue to have a zero-trust mentality with email (assume nothing is, by default, deserving of trust), but I guess here we are.

2. Email admins should enable some sort of external email flag. And while you’re at it: Enable the First Contact Safety Tip as well. In the Exchange Admin Center, you can modify emails such that a bit of custom HTML can be put at the top. When coupled with a rule that applies to messages sent from outside the organization, this becomes a banner that alerts recipients that an email came from outside their organization. While I used to be somewhat skeptical about that, seeing it as a bit of safety theater, with the rise in these different phishing attempts I now see it as a useful tool. Coupled with Defender’s First Contact Safety Tip, these two tools can work in concert to give users the information to assess for themselves whether an email is truly valid. “Why would an email from our CEO be coming from an external user, and from an address I’ve not seen before? Hmm… that must be a fraudulent email.”

3. Have users report spam and phishing emails using Outlook’s spam and phishing reporting tools. My biggest gripe about Microsoft Outlook on Windows is that it’s not easy to report spam or phishing emails as it is on Outlook for mobile, on the web, or for macOS. But do make your users report bad emails as such, because that helps everyone.

4. Enable the Safe Links and Safe Attachments features of Microsoft Defender for Microsoft 365. While also not a perfect catch-all, enabling Safe Links and Safe Attachments can help mitigate some attacks. If a user clicks on a link they shouldn’t have, that attack may be stopped in its tracks. But that’s also why these QR code attacks are so devilishly clever: they remove that defense mechanism from the chain. Now do you know why IT security people can’t really sleep at night?

5. Educate all users to use their company email for anything company-related – leave the personal email for personal matters. This might be the biggest one. It’s just a good idea to do this, because you’re now able to put better mechanisms in place to deflect possible spoofing attacks, and you no longer have to worry about your colleagues storing information on systems you don’t have control over. Plus, it’s helpful for data retention policies.

The last thing, and this is an essay in its own right, is that as IT professionals, especially in the nonprofit context, we have to be serious about security. But in being serious about security, we have to understand that our users need to do things for the mission, and IT can’t be what stops that. I’m not saying that we need to abandon our core principles as IT practitioners, especially when it comes to security, but we need to find a way to get from no to yes.

Aren’t our jobs fun?

Autumn in Saint Paul

The last days before the first snow mean it’s time for photography

With the first snow of the 2023-2024 winter upon us, I took the opportunity last weekend to get some autumn photos around downtown Saint Paul, Summit Avenue, and Cathedral Hill.

Every Saint Paulite probably knows where this photo was taken on the south side of the Mississippi River:

The Cathedral of Saint Paul, the Minnesota State Capitol, and part of the downtown Saint Paul skyline emerge through a tapestry of red and orange leaves

This whole “fall” thing is new for this almost-lifelong Phoenician. But that means the first snow of the winter’s upon us. Oh well.

Sousa in Minneapolis

A Minneapolis connection for the composer of the Independence Day soundtrack: John Philip Sousa

As we settle in to the Independence Day holiday, one of the things that happens is that we hear all of the John Philip Sousa marches on the playlist. While his most popular marches like The Stars and Stripes Forever, Semper Fidelis, or The Washington Post get played a lot, there’s an obscure march of his that has a uniquely Minneapolis connection.

In 1929, at the opening of his eponymous tower in downtown Minneapolis, the businessman Wilbur Burton Foshay (1881-1957) commissioned a march from Sousa, called the “Foshay Tower-Washington Memorial March.” At 447 or 607 feet tall, depending on whether you count the antenna on top of the building, the Foshay Tower was the tallest building in Minneapolis from its 1929 opening until the nearby IDS Center surpassed it 43 years later. The building was built not only because Foshay had money, but to pronounce to the world that Foshay had money. (Most things built in this time did that.)

The run of good luck for Foshay was short-lived: Six weeks after the opening of the building, Foshay’s company was thrown into receivership. The $20,000 check to Sousa bounced, and Sousa ordered that the march penned for this occasion was never to be played until the debt was settled up. In 1932, Foshay was convicted of running a pyramid scheme with shares of his own stock, and sentenced to 15 years in prison. Even in marching band circles, few knew of this mysterious 135th Sousa march.

It wasn’t until 1988 that a group of Minnesotans paid Foshay’s debt to the Sousa estate, allowing the Foshay Tower-Washington Memorial March to be played again.

The A in AI stands for anchovies?

In which we merge two controversial topics: Generative AI and…anchovies on pizza??

I’m about to write probably the most controversial sentence I think on this blog in its decade-plus long history:

I like anchovies on pizza.

No, seriously, I do! But according to a 2023 YouGov survey, nearly 3 in 10 Americans definitively say that anchovies are their least favorite pizza topping. (The same survey said that only 2% of Americans preferred New Haven style apizza, which is clearly another conversation for another time!)

Lest you think I’ve departed from writing on tech matters and gone full foodie on you, there is an actual tech angle to this. Presumably because anchovies on pizza is such a controversial thing, the number of pizzerias in the Twin Cities that offer them is small. I’ve found a couple of places, but I’m still searching. I found a pizzeria in a grocery store – Pizzeria Pezzo in Kowalski’s Market in suburban Woodbury (and before you send me your letters, I wasn’t compensated for this pizza or paid to say this) – that had anchovies on their toppings list. Of course, a field trip had to be on the menu.

(To my readers back in Phoenix: Actual restaurants in grocery stores is quite a thing up here. And they aren’t fast-food burgers or sandwich shops — they’re proper standalone restaurants that happen to share a building with a grocery store! Also, Kowalski’s Market would be similar to AJ’s Fine Foods.)

My usual thought process is to have capers on this pizza, but those weren’t on the toppings list at this place. That led to a spot of inspiration: See what ChatGPT recommends. Maybe it might be spot-on; maybe it could be way out of its depth. But it was worth a go at least for some ideas, right?

I scanned the toppings list to my iPhone and copied the text into ChatGPT. I gave it the prompt: “Propose a pizza with 3-4 toppings from this list below. Anchovies have to be one of the toppings.” The toppings list was below my prompt sentence. Almost immediately, it responded:

I would recommend a pizza with the following toppings:

  1. Anchovies (required)
  2. Roasted red pepper
  3. Caramelized onion
  4. Fresh mozzarella

This combination of toppings will give your pizza a delicious blend of flavors, with the unique taste of anchovies complemented by the sweetness of caramelized onions and the smokiness of roasted red peppers. The creamy fresh mozzarella will provide a delightful contrast in texture. Enjoy your pizza!

So ladies and, in a broader sense, gentlemen: I present to you a pizza whose toppings were suggested by ChatGPT:

An anchovy pizza with other things. Rather tasty!

It was spot-on. And probably one of the 10 best pizzas I’ve had? (And also deserved a visit from the pizzeria manager, who said he appreciates someone who does anchovies on pizza.)

This is what I say when I talk about “doing more with more” – here’s a system that we can use to comb through different combinations and permutations of everything, and recommend something that makes sense. I gave it a baseline, and it went to work. What surprise and delight.

Doing more with more?

IT leaders and practitioners are often compelled to do more with less. But what if we leveraged tools to help us do more…with more?

A couple of weeks ago, I wrote on my LinkedIn about unashamedly using tools like ChatGPT to help out with tasks.

It’s something that I’ve been thinking of a lot lately, if I’m honest. In the IT world, and especially in the nonprofit IT world, the phrase “doing more with less” has become a mantra, as we are all constantly challenged to achieve greater outcomes with limited resources (whether real or artificial).

Seeing tools like ChatGPT come around, and the attendant press that’s come with them, makes me feel like we’re standing at the precipice of a major paradigm shift. These tools aren’t limiting us; rather, they let us do more. In other words, we can do more with more.

By leveraging these tools, perhaps IT practitioners (nonprofit or otherwise) can focus on the creative aspects of our work, leaving the machines to do the mundane. And let’s be honest: Computers love mundane tasks.

So over the next few weeks, I’ll be writing some thoughts on this matter. Join me, won’t you, as we do more…with more?

Whither Microsoft Planner

Microsoft Planner can be so perfect if it had a few extra things. But for now, there’s PowerShell

I want to love Microsoft Planner. But there are some things it has in it that just confound me. Rather, I should say it has omissions that confound me and make me question its usability.

For the uninitiated, Planner is a user-friendly project management tool designed for teams to collaborate and stay organized. Planner helps users create tasks, assign them to team members, set due dates, and track progress visually on customizable boards. It’s not a full and formal project management software, like its older sibling Microsoft Project, which is way more robust and suitable for complex projects with intricate timelines and resource management. Planner is more accessible; Project is more involved. Still, Planner excels at promoting collaboration, task management, and maintaining an overview of project activities, making it ideal for smaller teams and less complex projects.

Here’s a perfect example for Planner that we’ve rolled out at my company: organizing all of the activities and tasks around what it takes to bring a new employee onboard and for their first few months on the job. It’s a perfect solution for that, because there are different buckets of tasks, a deadline for those tasks to take place, and different people responsible for those tasks (be it IT, HR, or the new employee’s manager). Instead of having these tasks live in a spreadsheet on someone’s desktop, they can now live in a collaborative environment.


Sometimes we get it wrong

Stories from misadventures in rolling out a new printing system, or: Sometimes we get it wrong

Back in January, we started down the path of migrating from PaperCut’s on-premises solution to their fully cloudy PaperCut Hive. Whilst I was initially skeptical about it, it seemed like it had enjoyed success in larger organizations, so surely it should work for a small nonprofit of ~30 people?

Oops. Also, [expletive deleted].

Sometimes we get it wrong. The rollout went about as well as it could go. I’m still frustrated by the fact that I had to manually deploy the print client to our users and that the software wasn’t in any way identity- or directory-aware. Getting an executable file with each user coded into the installer? That’s not nice. Requiring administrative permissions to install that? Go away or I shall replace you with a very small shell script.

What ultimately doomed the rollout for me was that we had users who had sporadic and random issues. There were no common threads among those who had printing errors (other than, presumably, they were trying to print and the day ended in y), so troubleshooting was next to impossible.

Since printing’s kind of a mission-critical task where I am, we made the decision to abandon Hive and go back to MF. And I’m fortunate that I have supportive management and colleagues who understand that sometimes, you get it wrong.