rss.livelink.threads-in-node

Security Alert - Phishing Messages via PEXA Community

DavidWillett — Mon, 22 Feb 2021 02:22:05 GMT

Hi Community,

In recent days, you may have seen spam messages posted on our Community forum. These have since been removed and the user accounts subsequently banned.

Additionally, we have been advised that some members have received private messages containing spam content. An example that has been reported is a member receiving a message with an offer to make money via cryptocurrency.

As always, if you receive a communication you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the message/email
Report it to your relevant security administrator or email PEXA’s security team at security@pexa.com.au.

If you have any questions, please reach out to us.

David Willett

PEXA General Manager for Information Security

Security Alert | WeTransfer Email Phishing

Jarrod_McAleese — Wed, 10 Feb 2021 01:50:57 GMT

Hi Community,

PEXA would like to advise that a previously identified scam, involving fraudulent WeTransfer emails, has resurfaced in the market.

In these cases, emails are sent to a practitioner, purporting to be from PEXA via WeTransfer, asking the recipient to open/download files.

Malicious emails being sent via WeTransfer is an ongoing cyber-threat affecting Australian organisations. Please note PEXA does not use WeTransfer for any email correspondence or service.

What to do

If you receive an email appearing to be sent from PEXA via WeTransfer, do not click any links and delete immediately.

As always, if you receive a similar phishing email or another communication you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the e-mail
Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au.

PEXA will never send you an email advising you to click a link to access the PEXA Exchange, and will always direct you to login to access your account via pexa.com.au.

Learn more about phishing e-mails here.

Security alert | Scam calls being made to members

Jarrod_McAleese — Fri, 29 Jan 2021 04:54:49 GMT

PEXA would like to advise it has identified multiple instances of scam phone calls targeting members at this time.

In the reported cases, callers using international phone numbers have falsely presented themselves as being from PEXA or a survey company, seeking information on “PEXA from a user’s perspective”.

There is no such survey being conducted by PEXA or a third party with members and we will never contact you from international phone numbers.

As always, it’s vital to be certain that the communication you have received is from a legitimate source and if suspicious, please exercise caution.

What PEXA will never do

We’d like to remind you that PEXA will never:

Call you from unverified phone numbers.
Ask for your multi-factor authentication code.
Request files or information from you via a third-party service.
Email you from unofficial addresses (emails that don’t end in @pexa.com.au).
Send you an email advising you to click a link to log in to the platform.

Please reach out to us if you have any questions or would like any assistance: security@pexa.com.au.

Phone and email scammers impersonating the Australian Cyber Security Centre (ACSC)

IndikaWimalasiri — Thu, 07 Jan 2021 00:36:02 GMT

Dear Members,

We have been notified scammers are purporting to be from the Australian Cyber Security Centre (ACSC) are calling and emailing the Australian public attempting to trick them into installing malicious software on your computer devices. ACSC is attached to the Australian Government Cyber Security Division.

ACSC does not approach the Australian public for such activities hence any calls, emails, or text messages pretending to be coming from ACSC requesting to click on links should not be actioned. The recommendation is to delete them immediately and notify ACSC on 1300 292 371 (1330 CYBER)

More on this can be found out on the ACSC website or through the URL below.

https://www.cyber.gov.au/acsc/view-all-content/alerts/phone-and-email-scammers-impersonating-acsc

As always verify the source before actioning on any information received via digital channels to make sure you are getting it from a verified reputed entity.

Thank you.

PEXA Security Team.

Stay safe during the holiday period with our best-practice guide

Jarrod_McAleese — Thu, 17 Dec 2020 03:11:29 GMT

Cyber-security is a key priority at PEXA. In support of our members and the broader property industry, we continue to invest heavily in our infrastructure and educational resources.

As we approach the busy end of year period, with a heightened volume of transactions to finalise, it's more important than ever to remain vigilant.

Keeping settlements safe is a collaborative effort and our expert team is committed to supporting the network.

In line with this, we're pleased to share our Security 101 resource with you.

This contains an overview of the current industry security climate, how to navigate phishing scams, common scenarios identified by the community and general tips and tricks.

Download this resource via the attachment below or view here: https://www.pexa.com.au/images/uploads/page_parts/Pdfs/PEXA_Security_update_December_2020.pdf

As ever, please reach out to your PEXA representative or our friendly Security team if you require further assistance.

Security alert | Automated or "robo" calls to clients

Jarrod_McAleese — Fri, 06 Nov 2020 05:47:10 GMT

PEXA would like to advise members that it has identified phishing attacks directly targeting buyers and sellers.In these instances, automated or “robo” calls are being made to consumers, with the aim of extracting information relating to settlement.

In some cases, these parties are falsely presenting as PEXA.Scammers can often obtain client information through publicly available sources or intercepted/compromised email accounts.

PEXA will never contact your clients directly – and we recommend you reinforce this message at this time.

We suggest that members take steps to ensure communication with your clients is secure.

We encourage you to make use of PEXA Key for the exchange of account details.Additionally, please refrain from using email to distribute sensitive information.

Please reach out to us if you have any questions or would like any assistance: security@pexa.com.au.

Data and data breaches | What you need to know

Jarrod_McAleese — Tue, 13 Oct 2020 01:41:54 GMT

A data breach is a security incident in which information, such as usernames, email addresses and passwords, is accessed by unauthorised parties.

The average cost of a data breach to an Australian business is estimated at $3 million, as of 2018-19, per research sponsored by IBM Security and conducted by the Ponemon Institute.

Australia’s leading agency on national cyber security, the Australian Cyber Security Centre (ACSC), says credentials (usernames and passwords) are typically stolen when:

A user is tricked into entering their credentials into a page that mimics the legitimate site
A brute-force (automated trial-and-error) attack on username and password combinations is performed against a service, if it doesn’t prevent such activity
A service is compromised, and credentials are stolen and used to access the system or tested against other sites such as social media and email
A user’s system is compromised by malware designed to steal credentials

Steps to take

It’s important to remain vigilant of potential threats to your data, namely email phishing attempts.

Additionally, we recommend you conduct routine maintenance of your credentials. This includes:

Keeping your passwords and pin codes safe – use a password manager e.g. LastPass and 1Password to ensure you have unique passwords for all your different accounts. This ensures that if one of your accounts is compromised, the others are protected, and the impact is minimised.
Periodically changing your passwords.
Checking the security and privacy settings of all your essential services and make sure they have 2FA/MFA available. This provides an additional layer of security when accessing accounts.
Being aware of the ongoing scams so you know when something is not right (Scam Watch has a great list of ongoing scams in Australia and regularly updated).

How to check your data

https://haveibeenpwned.com/ is an excellent free resource which enables you to check if you have an email account that has been compromised in a data breach of an external party.

The tool will provide background on the details of any previous incident implicating your details. If a case is identified, considering reviewing your various login credentials and updating where possible

As always, if you have any questions, please reach out to myself or one of the PEXA Security team. Additionally, you can now subscribe to updates from PEXA Security. Visit https://community.pexa.com.au/t5/Security/ct-p/Security and click the options button in the top right corner.

Security webinar | recording and FAQs

DavidWillett — Fri, 09 Oct 2020 01:05:39 GMT

Hi Community,

Thank you to everyone who attended our security webinar on Wednesday.

For those who couldn’t attend or would like to re-watch the webinar, you can view the recording below.

We received a lot of fantastic questions on the day, and unfortunately couldn’t answer all of them before the end of the webinar. Instead, we’ve posted the questions and answers below - underneath the webinar recording.

Attached, you’ll also find some additional resources provided by our fantastic panellist, Laura Hartley, Head of Public/Private Partnerships, Enterprise Security, NAB:

Top tips for business customers; and
NAB security toolkit.

Ryan Janosevic, COO & Co-founder of RetrospectLabs, has also shared this interesting read about password complexity after some great questions from attendees about password protection.

If you have any further questions, please don’t hesitate to ask PEXA’s security team here or contact us at security@pexa.com.au.

And don’t forget the five things PEXA will never do, regarding you and your security:

PEXA will never:

Call you from unverified phone numbers
Ask for your MFA code
Request files or information from you via a third-party service
Email you from unofficial addresses
Send you an email advising you to click a link to log in to the platform

Do you have a security question? Ask the experts

Q&A

How safe are pin passwords?

PINs (Personal Identification Numbers) usually consist of a series of randomly generated numbers, via an app or sent via SMS. They are very secure and commonly used as a second factor of authentication.

Is Google password saver secure?

We always recommend using a reputable password manager when selecting a service. Remember to read the terms and conditions to make sure it meets your requirements before making your decision.

Is PEXA looking at extending its residential settlement guarantee (PRSG) to cover the same risk that is associated with commercial property transactions as well?

The PRSG does not apply where the seller is a commercial vendor, such as a developer. The reason for this is that a commercial vendor would not be made homeless as a result of a fraud which the PRSG is intended to cover. For more information, visit our PRSG FAQs.

When we send a form to a client to complete via email, the client completes and sends it back, can we trust that information?

Email phishing or business email compromise (BEC) is one of the most common ways for cybercriminals to procure sensitive information.

Where possible, don’t use email and avoid this channel for the exchange of sensitive material. Instead, use apps like PEXA Key that is purposely built to protect the communication of bank and trust account information.

If you have no other option than to communicate information via email, always validate the details verbally before taking any action.

When you get "oops try again" when trying to log into PEXA, is it okay to press try again?

Yes, it is. Always check the URL after you refresh and make sure a green padlock sign is in place before inserting confidential information.

Can password managers be hacked and in that case are all passwords at risk?

Password managers are a great way of keeping all of your passwords safe. Make sure to use a reputable service which has robust security measures built into the application and read the terms and conditions before proceeding.

There are no reports of data breaches attributed to well-known password managers in market.

In Cybersecurity we often say that there are no 100% risk free applications. There is always a portion of unknown. The important thing is to make sure these risks are minimised by following the instructions.

PEXA checklists require us to confirm a DocuSign ID and unique number. What are some concerns PEXA has regarding electronic signing such as DocuSign?

Digital signing should be approached with the same protective measures and rigour as physically applying your wet signature on paper documents. As with any method of signing, to mitigate risk, make sure to:

Verify the request, any information exchanged, the involved parties and documentation being signed; and
Ensure the appropriate, authorised person signs.

Can you please advise why I keep getting asked if I want to update my password when I enter a payment in PEXA?

This prompt occurs if you have selected to save your password on the web browser. We do not recommend saving passwords to browsers. Instead, remember your password or use a password manager, and only save your user ID if required.

Are apps safer than websites?

For both, it’s important to always validate the source. For a website, always type the address instead of clicking on links from emails and other websites.

For apps, make sure to download them from the Google Play Store or Apple App Store. Check the ratings and the developer information before you download.

What is the best "internet cyber security" firm?

Cybersecurity needs are different from one firm to another. These needs and requirements must be assessed before selecting a provider. The Australian Cyber Security Centre (ACSC) website has great recommendations for individuals and businesses to gain more information.

https://www.cyber.gov.au/acsc/small-and-medium-businesses

https://www.cyber.gov.au/acsc/individuals-and-families

What is the best anti-virus software on the market?

The PEXA Subscriber Security Policy, section 4.2.3, refers to some leading providers of anti-virus software.

Does PEXA have a firewall integrated within its software to prevent cyber fraudsters gaining access?

PEXA is protected with multiple layers of security. We maintain the highest standard of security measures to safeguard our members and their clients’ property transactions.

Our security portfolio is aligned with international standards and we continue to operate by complying with the requirements set by the e-Conveyancing regulator, Australian Registrars National Electronic Conveyancing Council (ARNECC).

Today, more than six million transactions, with a total value of more than $1 trillion, have safely been processed by PEXA.

When will Secure-messages and E-signable documents be able to be sent via PEXA-secure portal maybe even build into PEXA Key app?

We are always working with our members and industry to evolve our services. All enhancements will be communicated with our members before they are launched, and we’ll continue to keep you up-to-date with our security developments.

What is your strategy for a zero-day vulnerability?

A zero-day vulnerability refers to a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix it yet. PEXA works with the best cyber security organisations in the industry to mitigate this sort of a risk by taking proactive and advanced measurements.

Does PEXA retain the information given by clients on PEXA KEY?

Yes, personal information is collected when clients use PEXA Key.

PEXA will not disclose your client’s personal information to any third party without their express consent. To read the Terms and Conditions in full, click here.

Can PEXA help small businesses to look at their computer system to see if they are fully equipped, at a small fee?

This type of service is currently not available through PEXA. However, the ACSC has some great resources to assist small-to-medium sized businesses.

Will you use blockchain technology for its immutable nature and security? What would be some of the disadvantages?

Blockchain is transformational, but not always the only solution. In Australia, we benefit from mature technology systems, with property transactions clearly supported by sound regulation. Therefore, blockchain may not necessarily create additional value.

How soon will you let your customers know if a security breach occurred?

PEXA will promptly notify subscribers upon being made aware of any security breach that PEXA considers material to the security and integrity of the PEXA system or relates to unauthorised disclosure, use, access or loss of PEXA System Data.

PEXA Security Awareness Week – webinar, daily tips and five things PEXA will never do

DavidWillett — Fri, 02 Oct 2020 02:57:48 GMT

Hi Community,

At PEXA, safeguarding Australia’s property transactions is our highest priority. With cybercrime costing Australian businesses $29 billion each year and email phishing attempts increasing exponentially since the onset of COVID-19, we are dedicated to supporting our members however we can to combat this threat.

Join our security webinar

On 7 October 2020 at 12pm AEDT, as part of PEXA’s Security Awareness Week, I’ll be hosting a security webinar with Security Advisory and Awareness Manager at NAB, Laura Hartley and COO and Co-founder, Retrospect Labs, Ryan Janosevic.

Together, we will share our insights into the cyber-security landscape, tips on how to protect your business and finally, answer your questions. Click here to RSVP.

Our socials will also be live with daily security tips and, for everyone who can’t wait, our new resource ‘Five things PEXA won’t do” is now live.

See you at the webinar!

David Willett

PEXA, GM IT Security

Five things PEXA will never do | Cyber-security

Jarrod_McAleese — Wed, 30 Sep 2020 10:24:20 GMT

Hi Community,

At PEXA, we endeavour to provide you with the latest cyber-security updates and guidance. PEXA’s Security team is home to industry experts with more than 50 years of combined experience, committed to the security of property transactions facilitated by our members.

Generally, our advice is focused on what you should or shouldn’t do in certain scenarios, such as when encountering attempted email phishing, maintaining your technology and more.

But what about PEXA and what we do and don’t do? Cyber-criminals are using sophisticated means to target members and clients – sometimes falsely presenting as PEXA to extract information or facilitate malicious activity.

To help you combat this threat, re five things PEXA will never do, regarding you and your security.

PEXA will never email you from unofficial addresses

Whether it’s a message from our Support Centre, a PEXA Direct Specialist/Partner or another member of our team, our official correspondence will only ever be delivered from email addresses ending in “@pexa.com.au”.

If you receive an email you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the email
Report it to your relevant security administrator or reach out to PEXA’s Security team.

PEXA will never send you an email advising you to click a link to log in to the platform

If you receive an email with a link prompting you to login to PEXA, please disregard. After your initial PEXA account creation, we will never directly email you with a link to our login page or request your login credentials.

PEXA will never request files or information from you via a third-party service

Recently, we’ve observed malicious emails being sent to practitioners, purporting to be from PEXA via third-party file services, asking the recipient to open/download files.

Such scams are an ongoing cyber-threat affecting Australian organisations. Please note, PEXA does not use third parties to source files or information from you.

PEXA will never ask for your MFA code

If you receive a text message, phone call or email requesting your MFA code, please ignore this. Never share your MFA code with anyone – and we’ll never ask for it.

PEXA will never call you from unverified phone numbers

Please be mindful of taking phone calls related to Workspaces from unknown sources.

For those with an account manager, their contact should be saved in your records.

Security Alert | Fraudulent calls related to PEXA Key

IndikaWimalasiri — Mon, 21 Sep 2020 05:06:32 GMT

Dear members,

PEXA would like to advise that we have reported instances of malicious parties, purporting to be from PEXA, reaching out to members and their clients via telephone.

In these cases, the caller requests that the member and/or client “opt in” for financial services related to PEXA Key. Please note that PEXA does not have any such opt in or opt out functionality built into PEXA Key. PEXA Key provides three core services:

A secure channel for communicating bank account details
Notifications providing your clients with a countdown to their property settlement
Settlement tracking and ‘what to expect’ information

Any requests for account details are securely completed within the app or actioned by the practitioner within the PEXA Exchange.

Additionally, PEXA does not use or authorise any third party to contact members or their clients regarding PEXA Key or any other PEXA service.

Legitimate communications from our team will be delivered from email addresses ending in “@pexa.com.au” or via our PEXA Support Centre: 1300 084 515.

As always, do not act on any unknown phone calls, emails, text messages. If you are unsure of the caller ID, hang up and redial the number. Further, do not click on links or open attachments in any email unless you are sure of the sender’s authenticity.

If you encounter suspicious activity, email PEXA’s security team at security@pexa.com.au and we’ll kindly assist.

Thank you.

PEXA Security.

Reduce your cyber-security risk significantly by implementing these simple steps

IndikaWimalasiri — Thu, 03 Sep 2020 00:13:35 GMT

Reduce your cyber-security risk significantly by implementing these simple steps

2020 has been one we never thought it would be. The ongoing global COVID-19 pandemic is forcing us to change our ways of work. Today’s technology provides great flexibility, enabling us to work from anywhere, with many of us presently using our homes as our primary places of work. Let’s refer to this as “remote working”.

Remote working has been part of our lives for some time, but never previously in the capacity it is today. There are reports that people are spending more time on work than they were doing pre-COVID in the office. Employees tend to use multiple devices to get work done while managing other personal aspects of their daily lives during these times. As we increase our use of mobile devices to continue to work and connect, there’s never been a more important time to be diligent in securing our devices. With the convenience of remote working comes the challenge of protecting against parties with malicious intentions to steal your information or cause damage to your professional/personal lives.

The Australian Cyber Security Centre (ACSC) is the Government agency that provides guidance to the Australian public on cyber-security and increases awareness of cyber related matters. PEXA is a proud partner of the ACSC.

There’s lots of information in the public domain covering the what and why of cyber-security but not so much clarity on the how. To address this, the ACSC has put together some very simple, but very important step by step guides on 12 cyber security controls to immediately assist with reducing the cyber-security risk to you and your organisation. These are explained in an easy-to-understand format – focusing on actions such as updating your devices across multiple device/operating system types to backing up your data and enabling two-factor authentication on your applications.

Please use the safe link below to access this information and also take the time to share it with your family and friends. Together we can create a cyber-safe environment for everyone.

https://www.cyber.gov.au/acsc/individuals-and-families/step-by-step-guides

Here are some key recommendations for you to stay secure:

Keep your devices/apps up to date at all times
Keep a backup of your data (it is very easy to backup data now with cloud storage services)
Be aware of the website and the apps you use. Delete the apps you no longer use or require
Remain vigilant on emails asking to take your actions and seeing a level of urgency (do not solely rely on the email appears on the email as they can be easily spoofed)
Be aware of the ongoing scams so you know when something is not right (Scam Watch has a great list of ongoing scams in Australia and regularly updated)
Do not use the same password across all your apps/services – use a password manager
Use websites like HaveIbeenPwned to check your email addresses are part of the previous breaches periodically

Join the discussion on the PEXA Community below and follow us on social media for more tips and articles like this.

PEXA Security Team

Security alert | Email phishing communication

Jarrod_McAleese — Thu, 03 Sep 2020 05:04:36 GMT

PEXA is aware of a phishing email, purporting to be sent by a member of our team.

The email copied the contents of a previous legitimate communication but was sent from a fraudulent email address and contained a malicious attachment.

Please note that legitimate communications from our team or PEXA will be delivered from email addresses ending in “@pexa.com.au”.

Additionally, PEXA will never send you an email advising you to click a link to access the PEXA Exchange and will always direct you to login to access your account via pexa.com.au.

As always, if you receive a similar phishing email or another communication you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the email
Report it to your relevant security administrator or email PEXA’s security team at security@pexa.com.au.

We’d like to remind members to remain vigilant at this time and please reach out to us if you have any questions or would like any assistance.

Kind regards

Security Alert - WeTransfer Email Phishing

DavidWillett — Fri, 21 Aug 2020 05:25:03 GMT

Hi Community,

I’d like to advise members of an email phishing scam targeting PEXA Exchange users. In this instance, an email was sent to a practitioner, purporting to be from PEXA via WeTransfer, asking the recipient to open/download files.

Malicious emails being sent via WeTransfer is an ongoing cyber-threat affecting Australian organisations. Please note PEXA does not use WeTransfer for any email correspondence or service.

What to do

If you receive an email appearing to be sent from PEXA via WeTransfer, do not click any links and delete immediately.

As always, if you receive a similar phishing email or another communication you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the e-mail
Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au.

PEXA will never send you an email advising you to click a link to access the PEXA Exchange, and will always direct you to login to access your account via pexa.com.au.

Learn more about phishing e-mails here.

Kind Regards,

David Willett

General Manager, IT Security

Security Update - High Profile Twitter Accounts Hacked

DavidWillett — Thu, 16 Jul 2020 01:36:16 GMT

Hi Community,

As you may be aware, this morning several high-profile Twitter accounts were targeted by cyber-criminals. You can read about this here.

While this incident has no impact on PEXA or the broader network, it’s a timely reminder to be cyber-aware when working or browsing online – particularly on social media.

As always, only seek information from known, trusted sources and remember that PEXA will never send you links requesting your sensitive login or financial details. If you have any questions or would like to flag suspicious material, please get in touch with our friendly team at security@pexa.com.au.

Kind regards,

David Willett
General Manager, IT Security

Security checklists for safe browsing

Jarrod_McAleese — Wed, 08 Jul 2020 05:13:04 GMT

Hi Community,

While businesses are doing their best to adapt to COVID-19, scammers are looking for opportunities to exploit the current climate. As we previously shared, the global COVID-19 pandemic has sparked a surge of phishing attempts on unsuspecting individuals. One such attack used the logo of the CDC Health Alert Network claiming to provide a list of local active infections, before stealing confidential information from the unprepared victims.

It's important we remain vigilant at this time and our Head of IT Security, has put together the below quick checklists to ensure you're browsing safely while working and at your leisure.

How to keep safe while working online:

Ensure the device you are using has security software installed (either work supplied or your own) to protect you from ransomware, malware, and other threats
Use a VPN (either company-provided or your own) when connecting to your work network to keep your data safe
Only use WiFi you trust to reduce the risk of being hacked
Make sure you have a backup solution in place such as a USB or the cloud in case something goes wrong
Watch out for scams and fake news around COVID-19. Only trust reputable sources

How to keep the family safe online:

Keep your operating system and applications (software updates) up to date to protect yourself from being hacked
Make sure all the devices in your home (phones, tablets, PCs) have security software installed to keep you safe from online threats and risks
Schedule screen time for kids and their device. You can do this by drawing up a timetable or using parental controls features of your security software
Set ground rules by having a conversation on what they can do online
Discuss the importance of online safety with your kids. You can read more here: https://www.trendmicro.com/en_au/initiative-education/internet-safety-kids-families.html

Keep an eye out for more security tips and tricks from our team here at PEXA. If you have any questions, please leave them below.

Security Shorts | Confirming a website is secure

Jarrod_McAleese — Fri, 12 Jun 2020 03:48:17 GMT

Hi Community,

In this Security Shorts video, Anish Dharmakkan from our PEXA Security team, provides some valuable advice on how to verify if a website is secure. Keep an eye out for more tips and tricks from our team and if you'd like more information on this topic, you can access helpful links below.

How to identify duplicate or unsafe websites

Cyber-Criminals, the Modern-Day Con Artists

Remote working | Advice on how to keep property transactions safe

DavidWillett — Wed, 25 Mar 2020 00:52:10 GMT

Hello Community

With many businesses asking their teams to work remotely, security experts are warning of spikes in cyber-crime attempts.

The global COVID-19 pandemic has sparked a surge of phishing attempts on unsuspecting individuals. One such attack used the logo of the CDC Health Alert Network claiming to provide a list of local active infections, before stealing confidential information from the unprepared victims.

Cyber criminals are looking to take advantage of this period of global uncertainty, reinforcing the urgent need for everyone to be extra vigilant when it comes to cybercrime.

We strongly recommend Australian lawyers and conveyancers utilise the tools and processes available to them to mitigate this risk, including:

Install and update your anti-virus software

Ensuring your anti-virus software is up-to-date is critical. Cyber-criminals can use a number of different methods to try and attack your devices, anti-virus should always be your first line of defence in protecting you and your business.

Keep operating systems (OS) and browsers up-to-date

Updated OS and browsers add protection from security issues that could be used to compromise your information. Restart your devices regularly to make sure updates are fully installed.

Cyber-criminals use weaknesses in outdated software to scam individuals and businesses. The best way to keep you and your business safe is to action software updates the instant they become available.

We also recommend that you shut down and restart your device frequently for automatic updates to proceed.

Do not use public WiFi

If outside of the home or office, we do not recommend the use of free WiFi. Instead, use your mobile as a hotspot (or purchase a 4G mobile router). This will provide you with a safer connection online.

Public WiFi is easily compromised by hackers and your personal information easily obtained.

Virtual Private Network (VPN)

When you’re working from home for an extending period of time, use your company’s VPN to make sure that you maintain a secure connection to all your corporate services and applications, away from the prying eyes of cyber-criminals.

Phishing – protect you and your clients’ information

With reported email phishing attacks on the rise and the risk becoming more tangible across the world, it has never been more important for us and the broader e-Conveyancing network to use the tools available to us to protect against this threat.

While you’re working remotely and limiting face-to-face client meetings, bank and trust account details can be communicated safely via the free PEXA Key app between you and the homebuyer or seller. The app removes the need to use email, mitigating any risk of succumbing to email phishing attacks in the sharing of critical transaction information.

Lawyers and Conveyancers who use InfoTrack can also use Securexhange to communicate sensitive information with real estate agents.

Multi-factor Authentication (2FA/MFA)

Check the security and privacy settings of all your essential services and make sure they have 2FA/MFA available.

When logging into PEXA, members must use MFA to access their accounts. Although users have the option of receiving their MFA code via SMS or the smartphone app, we find the most reliable option to be the latter – via the PINGID application.

The code is generated immediately in the smartphone app for users to transcribe into PEXA. The SMS option can experience latency issues with some telecommunication providers, meaning the code is not received by the user for some time. If you’d like assistance moving from SMS to the smartphone app, please contact PEXA’s Support Centre on 1300 084 515.

Protect your passwords

Keep your passwords and pin codes safe. Now might be a good time to change your passwords and use a password manager e.g. LastPass and 1Password to ensure you have unique passwords for all your different accounts. This ensures that if one of your accounts is compromised, the others are protected, and the impact is minimised.

Kind regards
David Willett
Head of IT Security, PEXA

Scam Alert - Scammers using COVID-19 to steal information

DavidWillett — Wed, 11 Mar 2020 01:10:54 GMT

Hi Community,

Whilst businesses around the country and indeed the globe are making important preparations to respond to COVID-19 (Coronavirus), it is important to understand that cyber criminals can use a situation like this to their advantage.

Targetted phishing attacks, with malicious content disguised as Coronavirus notices, may be launched to capitalise on the public's desire to learn more about the outbreak. There have already been reports in the media about scams attempting to steal personal information or infect people's devices with malware that distributes false information or scam products.

In one example, a phishing email that used the logo of the CDC Health Alert Network claimed to provide a list of local active infections. Recipients were instructed to click on a link in the email to access the list. Next, recipients were asked to enter their email login credentials, which were then stolen by scammers.

What to do to protect yourself

If you want to educate yourself further on COVID-19, only look at reputable sources like the World Health Organisation, Centre for Disease Control or the the Australian Governments Department of Health websites.
Always be on the lookout for tell-tale signs of email phishing from emails that appear to come from reputable sources. Remember, you can look at the sender’s details – specifically the part of the email address after the ‘@’ symbol – in the ‘From’ line to see if it looks legitimate.
Be weary of social media posts that attempt to bait you to click on links to gain more information. Social media is notorious for being used to spread misinformation despite the review processes that have been implemented by these sites in recent times. As per point number 1, go direct to reputable or government sources to get information on COVID-19.
You can check out our link on phishing emails here to get more general information on how to spot scams.
Finally make sure you have good anti-virus protection installed on your device, whether it be a laptop or mobile.

Kind regards
David Willett
Head of IT Security

File Sharing Email Scam - Multi Factor Authentication will help to protect you

IndikaWimalasiri — Fri, 28 Feb 2020 05:14:33 GMT

Dear Members,

Legal Practitioners Liability Committee (LPLC) recently published an article about an ongoing fraudulent document sharing email circulating among the legal community. They are essentially looking to steal your credentials to login to your email accounts by tricking you to click on a link. Highly recommend you are taking time to read the publication to increase your awareness and your staff on this matter.

This is a great reminder to implement two factor authentication on your email accounts (for that matter on all the online services you use where 2 factor authentication is offered) which will significantly reduce the risk of falling in to this type of scams.

Access to the LPLC article below or browsing to the LPC website.

FILE SHARING EMAIL SCAM – MULTI-FACTOR AUTHENTICATION WILL HELP PROTECT YOU

Few quick actions you can take to increase your cybersecurity awareness,

1.Take time to assess your online presence and enable two factor authentication on applications

2. Share the LPLC article with your staff and your colleagues in the industry to increase the awareness

3. Print the PDF in the article and leave them where everyone can see them. Example - on a common wall.

4.Generate and build a cyber risk aware culture by creating space for your staff to learn and stay safe about cyber risks and threats.

Thank you

(LPLC) Beware the risk that your clients email may have been compromised

DavidWillett — Thu, 20 Feb 2020 00:02:43 GMT

Hello

The Legal Practitioners Liability Committee has recently posted an insightful article that details a use case of email compromise leading to funds being transferred to a fraudster.

Be alert and get to know the warning signs that your client may have been compromised. A request to change account details at the last minute? This should always be followed up with a phone call to confirm it is legitimate.

Take a look at the LPLC article here to learn more!

Phishing Email Notification

IndikaWimalasiri — Tue, 18 Feb 2020 22:09:18 GMT

Dear members,

We are aware of an email phishing attempt targeting PEXA members, asking about the "PEXA Residential Seller Guarantee". Please be vigilant for similar emails and take time to validate before taking any action within emails. I have attached a sample email a member received on 12 February 2020 for your reference.

If you come across any or similar email notifications, please don't click on any links, inform your PDS/PEXA Partner and forward it to security@pexa.com.au.

----------------------------------

Phishing email capture below

End of image.

----------------------------------

Thank you.

PEXA Security Team

Microsoft Internet Explorer Critical Zero Day Vulnerability

IndikaWimalasiri — Mon, 20 Jan 2020 22:39:34 GMT

This advisory applies to Microsoft Internet Explorer Web Browser

What is the new software vulnerability?

PEXA Security is aware of a Microsoft Windows Internet Explorer zero day vulnerability which is being attacked by malicious actors and other cyber criminals over the internet. You can be a target of this attack by clicking on a link or opening an attachment sent you by an unknown party or malicious actor.

More information on this can be found on the links below

How do I address/mitigate the vulnerability?

Currently there is no patch available from Microsoft for this vulnerability. However, they have provided a workaround to protect users from being a target of this attack.

Important - Given the use of malicious websites as part of the vulnerability’s exploitation routine, individual users are encouraged to practice caution when it comes to clicking links, especially those embedded in a suspicious email message.

Do I need to take any action?

Reach out to your IT support service team or your regular System Maintenance team about this vulnerability. They may already be aware of this and it would be important to check with them and follow the instructions given.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001

https://thehackernews.com/2020/01/internet-explorer-zero-day-attack.html

Thank you.

PEXA Security

Security Advisory – Citrix Zero Day Vulnerability Alert

IndikaWimalasiri — Tue, 14 Jan 2020 03:38:35 GMT

We are aware of a critical zero day vulnerability discovered in the Citrix application. This vulnerability is still without any permanent fixes and patch is yet to be released by the Citrix vendor.

If you are using Citrix applications (example - for digital signing certificate) described in the article below there is a potential you may be vulnerable. Your IT team/ support services may already be aware of this and it would be important to check with them and follow the instructions. We recommend you consider implementing the mitigation strategies explained in the advisories below.

https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/

https://support.citrix.com/article/CTX267027

https://support.citrix.com/article/CTX267679

Thank you

PEXA Security Team

Security Advisory - Critical Vulnerability Alert

IndikaWimalasiri — Tue, 14 Jan 2020 03:04:42 GMT

Dear PEXA Community,

This advisory applies to Firefox Web Browser installed on all device types.

What is the new software vulnerability?

New critical vulnerability in the Firefox web browser has been discovered by security researches which is currently being attacked by malicious parties and criminal groups. Attackers could use this vulnerability to gain access to your devices by exploiting the way Firefox browser works on your devices.

Do I need to take any action?

Yes. Firefox vendor has released an emergency security update which addresses the vulnerability and has advised everyone who uses Firefox to immediately update to the latest version.

How do I update my Firefox Web Browser?

PEXA Security always advise to keep your software, including web browsers, up to date.

Please follow the steps below to update your browser,

Open your Firefox Web Browser and Click on the “Menu” and then Click on the “Help" (As indicated in red colour on the screen capture below)

2. Click on the “About Firefox”. This will start the update automatically

3. Make sure version it displays is as same as below highlighted in red text box

PEXA Security recommends members enable automatic updates to make sure in the future, new browser updates are done automatically.

Go to the top right-hand corner “Menu” and click on “Options” from the dropdown menu

2. Scroll down to the section “Firefox Updates” and tick the “Automatically install updates” check box. This will install updates automatically without any manual intervention in the future.

Thank you.

PEXA Security

Reduce your risk of falling victim to cyber attacks

IndikaWimalasiri — Thu, 20 Feb 2020 03:36:44 GMT

Staying safe online has never been more important for individuals and business’ worldwide. In 2018 alone, Australian businesses lost more than $60 million to e-mail scams. It is also estimated that by the end of 2019, cyber-scam losses will exceed $532 million, surpassing half a billion dollars for the first time.

Understandably, it can be difficult to know where to begin to ensure you’re taking the appropriate steps to avoid falling victim to cybercrime. First, it’s important to get the basics right. Below is a checklist of 12 initial steps that you and your business can take to boost your safety while online.

Anti-Virus — As your first line of defence, ensure you have antivirus protection on all of your devices, including mobile devices.
Two Factor Authentication(2FA) for e-mail — Most email providers, such as Google and Hotmail, provide 2FA to protect user accounts. This significantly reduces the threat of intrusion by a hacker if your password is compromised, as your account is secured by an additional layer of protection (the passcode that you receive through SMS or the mobile app).
PEXA members must use Multi-factor authentication (MFA) to access the platform, providing an extra layer of security when logging into your account.
(Note: It is recommended to use an app-based security PIN generator for 2FA, such as Google Authenticator, rather than SMS).
Phishing — E-mail phishing is the number one avenue used in cybercrime. The typical phishing email will contain a false and/or mimicked story designed to lure you into taking an action such as clicking a link or button in the email or calling a phone number. Learn how to identify a phishing e-mail with the help of this interactive tool.
Password — Do not use the same passwords on multiple systems. If your password is compromised, then hackers can access all of your other services as well. Use a password manager to maintain your varying passwords or pin codes.
Additionally, instead of passwords, use passphrases. Passphrases can be a minimum of three words combined that are easy to remember with numbers and special characters e.g. UniverseAthletic4!
Use host-based firewalls — Both Windows and Apple OS offer firewall capability. These are not difficult to set up and easy to follow help videos are easily found online.
Update operating systems and applications — Operating systems (OS) and application vendors frequently release security updates to address vulnerabilities. We highly recommend you have automatic updates enabled so it all happens in the background without waiting for your intervention.
Review applications — Spend 5-10 minutes inspecting your system and applications. If there are unwanted applications in your program list, uninstall them. This is because third party apps can contain vulnerabilities that hackers may then exploit.
Email Rules — Email providers offer the capability to create rules. If your email is compromised, there is a possibility that the hacker created rules in your email system to forward mail to a hacker managed email account without you knowing it. Go in to the e-mail rules section of your account and make sure that only the rules you’ve created are present. We recommend you complete this action at least once per month.
If you find that there are rules you have not created, delete these rules before immediately changing your password.
Back-up — Backing up all of your data is paramount. Ensure your back up solution is on a separate device and is accessible if you cannot or are denied access to your files’ original location.
Removable Storage — Do you use removable media such as USB drives? If yes, we recommend using a Cloud file storage instead, as removable media is easily corrupted or infected with malware.
Browser Security — There are a few important tips to remember here, including:
a. Do not save password/passphrases on browsers
b. Frequently update your web browsers
c. Lookout for duplicate or unsecure web pages
Social Media and App Privacy/Security settings – Do you use your social media, such as Facebook, to access third party services? If so, we highly recommend you review the privacy settings on your social media apps to determine what it has access to. Again, 2FA is your friend here. Other privacy tips include:

a. Check settings to ensure you're not providing unnecessary access to your information to apps you've installed.

b. Switch off Bluetooth when it’s not being used.

c. Do not connect to Free Wi-Fi access points no matter how secure it claims to be. If you have no option, then use a VPN service to secure your communications.

d. Don’t let others including family members, use your device without your supervision. They may unknowingly click on links and pop-ups which will expose your device to the hackers. Where possible use parental controls.

Finally, maintain your cyber security awareness. A great place to refer to is the Australian governments’ Staysmartonline resource and, of course, PEXA’s dedicated security page on the e-Conveyancing Community.

Indika Wimalasiri

FAQs | Microsoft to cease Windows 7 support by January 2020

Jarrod_McAleese — Fri, 06 Dec 2019 05:05:08 GMT

Hi Community,

Microsoft has announced that support for Windows 7 will end on 14 January 2020. Its notice to consumers can be accessed here.

Following this milestone, key software updates from Microsoft will no longer be released for Windows 7. Users who continue to use this operating system, or other unsupported operated systems, place their IT security at risk.

Updating your operating system to supported software is important best practice to ensure your business is suitably protected.

In order to comply with the PEXA Subscriber Security Policy, Windows 7 users will need to upgrade to a supported operating system, such as Windows 10, as soon as possible.

To help you navigate this change, we’ve compiled the below FAQ thread.

Why is Windows 7 no longer being supported by Microsoft?: Microsoft’s notice to users can be accessed here.

Why is it important to not use unsupported software?

Unsupported software will not receive updates or security fixes which are vital in maintaining your system’s security. This leaves your system vulnerable to hackers who actively target unsupported systems.

In addition, as per your obligations as stated in the PEXA Subscriber Security Policy: ‘Subscribers are required to maintain the security of their computer systems and keep them up to date, including taking reasonable steps to install patches and operating system updates’.

When using unsupported software, this obligation can no longer be met as these products are not supported. In addition, running unsupported software may impact performance when using the PEXA platform, including your signing capabilities.

What software, other than Windows 7, is no longer supported?

The below software is no longer supported by Windows and Apple:

Windows XP
Windows Vista
Mac OS X (Snow Leopard)
Mac OS X (Mavericks)
Mac OS X (Yosemite)
Mac OS X (El Capitan)

How can I upgrade my software?

It is advised to upgrade directly to a supported operating system, such as Windows 10. Windows 10 can be purchased from the Microsoft Store or from leading technology retailers.

PEXA also recommends reaching out to your IT professional or industry body to assist you with this upgrade.

Other helpful links:

Upgrading FAQs

https://support.microsoft.com/en-au/help/12435/windows-10-upgrade-faq

Windows Vista end of support

https://support.microsoft.com/en-au/help/22882/windows-vista-end-of-support

How to upgrade (macOS)

https://www.apple.com/au/macos/how-to-upgrade/

Member Security Alert

HeatherC — Mon, 04 Nov 2019 06:04:22 GMT

Hi Community,

PEXA has been made aware of a sophisticated phishing incident targeting an Australian conveyancer. In this instance, an email was sent to a client of a practitioner purporting to be from the practitioner. The sender of the email had established a similar email address to that of the practitioner, and subsequently telephoned the client to advise of a change to bank details.

PEXA reminds all members of the importance of having processes in place to obtain or share account details with clients, and to confirm those by a secondary means. We have previously posted about this here.

PEXA also recommends members implement multi-factor authentication for email accounts that are used for business purposes to reduce the risk of compromise.

Members are also encouraged to consider using PEXA Key to securely communicate and receive bank account details with their clients.

Heather

A web browser, the internet, and PEXA walk into a bar...

wesleylacy — Wed, 16 Oct 2019 04:34:36 GMT

While at the bar the web browser asks the internet to talk to PEXA. The internet says, “sure, web browser not a problem, but first you must tell PEXA who you are.”

The web browser responds, “tell PEXA I am

Mozilla/5.02520(Macintosh;2520Intel2520Mac2520OS2520X252010_13_6)2520AppleWebKit/537.362520(KHTML,2520like2520Gecko)2520Chrome/61.0.3163.1002520Safari/537.36”

Not much of a punchline I know, but it’s an important part of how your web browser (such as Google Chrome or Mozilla Firefox) connects to PEXA. The web browser’s description of itself in this case is actually called a ‘user agent’. 

What is a user agent?

The short version is that it’s a line of text that tells PEXA (and other services you access on the internet) which browsers and operating systems are being used to connect to them. E.g. Mozilla Firefox or Google Chrome.

Recently PEXA identified which browsers, and versions of these browsers, were connecting to PEXA for the month of August and we found some interesting results. The majority of our members are connecting to PEXA with up-to-date web browsers however there is a small percentage connecting with outdated browsers, some dating back to 2013.

How do I update my web browser?

Like any software, web browsers are constantly being updated with patches and other updates. They commonly include updates to important security features which are pivotal to staying safe on the internet, especially when using platforms like PEXA to manage your client’s information.

How can you address this?

If you are one of the few that are using an outdated web browser, it’s time to update! By updating your browser, you are one step closer to having a more secure system.

If you are using Google Chrome as your web browser, you can follow this link

https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en

If you are using Mozilla Firefox as your web browser, you can follow this link

https://support.mozilla.org/en-US/kb/update-firefox-latest-release

For users using Microsoft Edge and Internet Explorer, Windows updates will update the browser when the Operating system updates are installed

Security Shorts - Episode 1

Meghan — Thu, 10 Oct 2019 22:39:01 GMT

Securely managing your Digital Certificate

Welcome to the first episode of Security Shorts featuring one of our experts !

This series will focus on providing you with informative and useful information to help you with your PEXA and IT security. In this episode, Jesse will be discussing how to securely manage Digital Certificates. Stay tuned for the next episode!

Tips to protect your mobile device & its data

DavidWillett — Thu, 10 Oct 2019 04:55:44 GMT

We use our mobile device and its installed apps every day. The apps we download make it easy for us to do everyday things like check our mail, tap onto the tram/train/bus, update our Instagram story, pay for coffee, track our calories and now even to track our property settlement (shameless plug of PEXA Key). All conveniently completed on our way in to work.

With all this private information available at the touch of a button, keeping our phones and chosen apps secure has become increasingly important.

Here are some handy tips to assist you in doing so.

1. Download from official stores

Cybercriminals are known to create rogue mobile apps that mimic trusted brands in order to obtain users’ confidential information. To avoid these types of scams, always download new apps from the official app stores, check the publisher is from the official supplier e.g. Property Exchange Australia Ltd) and when the app was last updated. For example, PEXA Key is available exclusively on the Google Play Store and Apple App store.

2. Use device security

All smart phones have multiple methods of authentication available. We advise you to:

Not leave your phone unlocked. Make sure your phone is set to auto lock within 30-60 seconds of inactivity; and
Use at least one of the authentication methods available to unlock your device e.g. facial recognition etc.

If using a pin code to access your phone, do not use the same pin for your apps or write them down on a piece of paper. Try using a password manager app to store, keep track of and generate new passwords and pin codes.

3. Call your provider

If you lose or misplace your phone, call your provider to ensure your SIM is deactivated to protect your phone and the apps on it from potential criminals. This is good advice for your clients who use PEXA Key. It is also important that they remember to notify you in the unlikely event that they lose their phone.

4. Anti-virus on your phone

Your hand-held device is no different to your laptop or PC and is similarly susceptible to scams such as phishing. Consider installing anti-virus software onto your mobile device.

Can you spot the scam? - phishing email

TJ — Fri, 11 Oct 2019 03:09:41 GMT

Can you spot the scam? - phishing email

Below is a seemingly legitimate email from PEXA – but is it?

There are nine red flags in this email that you should always be on the lookout for. Hover your mouse over parts of the email which you believe to be a red flag to reveal them!

Tell us in the comments below how many red flags you found! Answers will be released next week.

Security Advisory - Vulnerability Alert - "Bluekeep"

IndikaWimalasiri — Tue, 13 Aug 2019 23:54:25 GMT

The threat of cyber-attacks are real but there is something you can do about it.

The Australian Government’s Cyber Security Center has released a critical security advisory to individuals and business organizations using older versions of Microsoft Windows operating systems (Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008) to apply security update/upgrade to newer operating system version to avoid being compromised for the vulnerability named as “Bluekeep”.

What is Bluekeep ?

Bluekeep is a vulnerability in the Windows operating system’s Remote Desktop Protocol (RDP – service use to connect to another computer/network remotely) which allows an attacker to execute commands to compromise your computer. BlueKeep exploit has the potential to spread in a virus fashion and self-replicate without requiring any user interaction.

An unpatched system gives criminals a front door to break into your computer or network and steal your corporate and customer information.

The threat of cyber-attacks are real but there is something you can do about it.

How to protect my systems?

It is critical that organisations and individuals operating older versions of Windows systems immediately install Windows BlueKeep vulnerability patch, available at Microsoft website.

Recommendations

Identify the Computer Systems operating older version of Windows Operating Systems. ( Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems)
Confirm you have backup of data available if needed.
Apply the updates through Windows Update or manually by downloading it from Microsoft website.
Reach out to your IT service support team and ask them to address the Bluekeep if not already.

Mitigation activities until patch is applied.

Practice due diligence and be alerted around what happens in your computer. If any unusual activities observed, engage your IT personnel to look in to it.
Avoid using Remote Desktop Services from internet. (If needed use it only over a Virtual Private Network and with multi-factor authentication.)
Always keep operating systems and application up to date.
Backup your data to a secure location. (Cloud storage/offsite volume)

More Info - https://www.cyber.gov.au/news/update-acsc-confirms-potential-exploitation-bluekeep-vulnerability

Are you using unsupported software?

Meghan — Mon, 18 Jan 2021 02:38:54 GMT

The below software is no longer supported by Microsoft and Apple:

Windows Server 2003 and 2008
Windows XP
Windows Vista
Windows 7
Mac OS X (Snow Leopard)
Mac OS X (Mavericks)
Mac OS X (Yosemite)
Mac OS X (El Capitan)
Mac OS X (Sierra)
Mac OS X (High Sierra)

Why you shouldn’t use unsupported software

In addition, as per your obligations outlined in the PEXA Subscriber Security Policy: "Subscribers are required to maintain the security of their computer systems by keeping them up to date. This includes maintaining a currently supported operating system."

When using unsupported software, this obligation can no longer be met as these products are not supported.

What action is required?

In order to ensure your compliance with the PEXA Subscriber Security Policy, you must upgrade as soon as possible to a supported version of Windows or macOS. Please note that for Mac users, you may have to purchase a new machine in order to upgrade to a supported operating system.

PEXA recommends reaching out to your IT professional or industry body to assist you with this upgrade.

PEXA is responsible for maintaining the security of the network and may take steps to prevent user access to the platform from these unsupported operating systems, to ensure this.

Helpful links:

Upgrading FAQs

https://support.microsoft.com/en-au/help/12435/windows-10-upgrade-faq

Windows Vista end of support

https://support.microsoft.com/en-au/help/22882/windows-vista-end-of-support

How to upgrade (macOS)

https://www.apple.com/au/macos/how-to-upgrade/

Phishing.. Is it only emails?

IndikaWimalasiri — Wed, 24 Jul 2019 05:25:47 GMT

What is phishing and different variants attached to it?

An email appears to come from a someone you trust, such as your bank, online store, credit card company or a popular website. At first it all appears normal, but it will try to trick you in to giving away sensitive information, installing malware on your device or open an attachment while indicating an urgency.

Phishing is one of the easiest and very successful avenue for hackers to gain access to your organization's information. Security researchers say more than 90% of the data breaches worldwide are started with a phishing email. For us to defend against this malicious attack type we need to be able to identify the threat as there are multiple variants of methods used by hackers.

Key indicators of a phishing email. What to look for?

Article below showcase what you need to look for in an email to make sure it is not part of a phishing campaign. This will help to increase your awareness both in and out of work place.

Thank you.

- Indika Wimalasiri -

Why does Community need 3rd party trackers to operate full capacity?

DMc — Mon, 22 Jul 2019 04:56:58 GMT

Why is it needed to allow these 3rd party trackers for posting and liking?

merely curious since not really discussed anywhere...

Cyber-Criminals, the Modern-Day Con Artists

IndikaWimalasiri — Thu, 27 Jun 2019 02:44:36 GMT

Con artists have been constant figures throughout our society’s evolution. From ‘short-cons’, like the Three-Card Monte to ‘long-cons’, when Victor Lustig sold the Eiffel Tower as scrap metal back in 1925. They use their smarts and charisma to gain the trust of unexpectant victims, all for financial gain.

Over the past 20-30 years, the world has evolved dramatically, with advances in technology taking precedence. This has given rise to the modern-day con artist; hackers or cyber-criminals. Since the emergence of e-mail, it has been one of the most prominent and successful mediums for fraud world-wide, including the conveyancing industry; as an entry way to more elaborate scams. For us, the every-day person, employee or business owner, it is essential that we are aware of the real risks of cyber-crime.

The following scenario is one example of a hacker at large, trying to ‘con’ their way into the conveyancing industry with a duplicate website.

The Hacker

Elliot has been dabbling in cyber-crime for some time. It’s quite a lucrative career – if you know what you’re doing – which he and his team do. He is involved in penetrating computer systems, collecting passwords and then selling them to other cyber-criminals for profit. However, this time, Elliott decided to do something more elaborate than simply selling these credentials.

“One of these usernames and passwords has landed me a gold-mine. I noticed a few ‘PEXA’ e-mails in this person’s inbox. I did my research and figured it could be a big win for the team. The username and password I have doesn’t match his PEXA account, but I have another way in.

The team and I set about duplicating the PEXA login page. In the end it looked almost identical to the original and we placed it on a hosting service based in Belize.

Next step, we sent the link via a duplicate PEXA e-mail and waited for our victim, Barry, to enter his details into the fake website. Once we capture his credentials, we’ll have easy access to his account, and his client’s money!

The Victim

Barry’s firm keeps its staff up-to-date with the latest cyber-security trends. They complete security awareness training to maintain the firm's security posture and the integrity of its service. Barry considers himself to be security-savvy, so he had no worries that morning when he opened his inbox.

“I scrolled through my e-mails and noticed a PEXA workspace notification which I opened straight away. I have a million-dollar settlement today and want it to go smoothly. I clicked on the link in the e-mail and instantly thought twice about my decision – it’s unusual for any company to send you a link to their login page. However, the PEXA login page looks legitimate. Although, before I progress any further, I’d better ensure the web page is secure…

I look up at the address bar to check for a padlock symbol – no joy. Instead there’s a red triangle with a white exclamation mark inside. Next, I check the URL begins with ‘https’. It didn’t - Oh no!

I exit the page immediately and sigh a breath of relief that I hadn’t entered my credentials into the page.

I’d better let PEXA know, other practitioners might not check the website’s security level…”

The Hacker

On the other side of the world, Elliot checks if Barry has fallen for his scam.

“It looks like Barry is more tech-savvy than we expected. He didn’t enter his details into our fake website. But not to worry, we’ve sent it to multiple others in his industry. Someone is bound to fall for it.

Hold on. The website has been removed, Barry must have also informed PEXA. **bleep** it, all that time and money wasted…”

Elliot and his team quickly bounce back from their failed website scam and start planning their next con.

“We didn’t fool them this time, but wait until they see what else we have up our sleeves…”

To learn more about how to identify duplicate websites, please refer to the article " How to identify duplicate or unsafe websites"

How to identify duplicate or unsafe websites

IndikaWimalasiri — Thu, 27 Jun 2019 02:03:01 GMT

It’s important to be aware of how to identify a duplicate or unsafe website. You can easily check the security certificate beside the web address (URL). You’ll see one of the following three symbols.

Tips

If a website does not display the first symbol above (padlock), this confirms that it is not secure and everything you do is susceptible to a cyber-attack. We recommend you close the browser without completing any further actions such as inserting your login credentials etc.
Check if the address begins with "https” (not "http)". This will be another indicator of a website’s security level. If you see "http", this means that there is no encryption in place, and information you provide on that page is at risk of being seen by unauthorized personnel.

If you’d like more information about website safety or other aspects of cyber security, the Australian Government’s Stay Safe Online website provides practical tips to assist everyone in staying secure while online.

Regards,

Indika Wimalasiri

(PEXA Security Team)

Security Advisory - Vulnerability Alert

IndikaWimalasiri — Fri, 21 Jun 2019 05:03:27 GMT

Dear PEXA Community,

This advisory applies to Microsoft Outlook App installed on Android devices.

New vulnerability in the Microsoft Outlook App for Android has been discovered. Attackers could use this vulnerability to gain access to your emails and phone by inviting you to click on a crafted link. Microsoft has released an update to its Outlook app through the Android Google Play Store.

PEXA Security advises its members using Outlook app for emails on Android devices to update the app at your earliest window.

How do I get the update for Outlook for Android?

1. Tap the Google Play icon on your home screen.
2. Swipe in from the left edge of the screen.
3. Tap My apps & games.
4. Tap the Update box next to the Outlook app.

Note - Security always recommends keeping your mobile device OS and Apps up to-date by applying updates as soon as they are available.

PEXA Security Team

Why Me? Peter’s patching pickle

cbrown — Wed, 05 Jun 2019 23:32:09 GMT

Peter: Tuesday

Today is my favorite day of the year, my firm's birthday, marking 12 years since I poured my heart, my soul and my savings into my dream; this company. It’s an incredibly proud and emotional day for me as I have spent my whole career building this business. It’s a small firm, but the key to my success lies in my skill to network and I digitally store a comprehensive list of all my network contacts and clients’ details in a secure computer. Through this, I can tailor my service to each individual client without having to re-ask for information I already know.

My nephew Matt is a good kid, he helps me out with my firm’s IT environment and set up all my networking stuff, including the firewalls which protect web traffic. He will often visit and check my systems whilst he has a coffee and chat, but lately, he has been pretty busy with his studies, so my IT environment has taken a back seat for the meantime.

I vaguely remember my nephew mentioning something about a new Microsoft patch released to fix a vulnerability, but I'm too busy at the moment. Besides, last time I installed a patch my computer restarted, and I don't have the time to go through and save all my working documents; I’ll install it tomorrow.

Little did I know that today is also Elliot's favorite day, Microsoft’s “Patch Tuesday”. The day that Microsoft releases patches for Windows’ users to protect their machines. Elliot is a skilled hacker and is able to analyse the details of the patch and uncover what vulnerabilities it might be trying to solve. This means that on “Exploit Wednesday”, Elliot and his team can deliver codes to exploit systems that haven't installed the patch, and he has just selected me as his victim.

Wednesday

I'm sitting at my desk tending to my daily emails when my mouse cursor starts moving across the screen without me touching it. At first, I think it's my brain playing tricks on me, last night was a big night out celebrating with my colleagues after all, so maybe I’m just tired, but no! There - it moved again!

Confused, I take my mouse and bang it against the desk - but that doesn’t help. I look up and see my cursor opening and closing my client’s files with all their personal information. I frown. I don’t have time for technology to be breaking, especially when I'm so busy. I send a frustrated message to Matt asking him to order me a new mouse.

As I leave the office my receptionist calls out to me, she sounds worried. She tells me that her mouse has been doing strange things lately, even when she disconnects it from her PC. To my dismay, I see her cursor darting around the screen like it did on mine, opening and closing files.

I start to feel concerned - two mouse devices can’t possibly break on the same day! I call Matt again and ask him to come in first thing tomorrow.

As I leave the office Elliot continues his work, he is able to control my screen through his own, a vulnerability that the latest patch would have fixed. Elliot is especially interested in the numerous files I have of client information and is able to seamlessly access and copy them. Elliot loves people who don’t install their patches, it almost makes his job too easy!

Thursday

Matt inspects my computer and I stand behind him, anxiously shifting my weight to each foot. Eventually, he leans back in the chair and closes his eyes, “did you install the Microsoft patch on Tuesday?”.

I stammered, informing him that I hadn't. But surely that wouldn't explain the issue with my mouse? Matt goes on to inform me that both mine and the receptionist’s computer had been remotely accessed and controlled by a third party via remote desktop. And because of this, the hacker was able to access all our sensitive information – including my client’s.

Before I can begin to panic, a notification pops up on my computer, Matt stops mid-sentence and opens the email, but it's an email from me, to me. How could that have happened?

Peter,

I have accessed all your client’s information including photo identification, names, email, addresses and bank information. I have posted them for sale on the dark web. If you transfer 0.72 bitcoin* to XXX XXX XXX I will remove them immediately.

You have until 3pm.

-Elliot

*Approximately $8,803 AUD

I look to Matt, waiting for him to tell me this is a joke, but he sits there quietly staring into the distance. Upon further investigation, we see that each computer has been sending my client information to a strange email account, but there is nothing we can do – it's too late now. And how can I trust that this so-called Elliot will pull the information down from the dark web if I pay him??

I’m filled with despair and guilt, if my client's information is purchased, then criminals could perform identity theft and significantly impact their lives, and I would be the one responsible for it! I’m filled with shame, how am I ever going to sleep knowing this was my fault?

Gosh, Why me?

The next day

The next few weeks are spent cleaning up the mess Elliot made, I have emailed all my clients and informed them that their sensitive information has been obtained and the possible effects of this. In addition, I have reported the incident to the Privacy Commissioner, just to be safe.

Patching

The patch that Peter didn’t install, known as CVE-2019-0708, was fixing a vulnerability in the Remote Desktop Protocol (RDP) service that enabled it to be abused remotely. Because Peter did not install the patch, highly skilled and trained Elliot, was able to remotely use Peter’s desktop, access his files and send information to himself.

Software patches usually fix identified vulnerabilities within your system that could be exploited by hackers. Most operating systems, by default, are configured to automatically apply patches when a system is restarted. If yours does not do this, speak with your IT professional to “enable automatic updates”.

Often, people avoid installing patches because they see it as an inconvenience. Usually, your PC must fully shut down for the patch to be installed. However, in Peter’s instance, he could have saved his clients sensitive information and his business by taking a few minutes to install the patch. Read more information on patching here.

Working Outside the Office?

HeatherC — Wed, 18 Mar 2020 22:51:07 GMT

The introduction of e-Conveyancing has afforded industry greater flexibility in their work life; from signing in Slovakia to adopting flexible work hours.

Whether you’re working from home or overseas, we recommend the following when using PEXA outside the office.

Take your laptop

When using PEXA outside of your usual environment, we recommend you use your own device because:

Unfamiliar devices, such as a hotel’s computer, might not have the level of virus protection necessary to comply with PEXA’s Subscriber Security Policy to protect you and your clients.
Your own device should already have signing software downloaded, an unfamiliar device will not. As a result, you’ll have to download and install the software onto the new device – which may not have the correct level of protection.

2. Do not use public WiFi

We recommend you use your mobile as a hotspot (or purchase a 4G mobile router). This will provide you with a safer connection online. Check with your mobile carrier as data roaming charges from mobile devices may apply.

Public WiFi – whether it’s at your hotel or at McDonalds - is easily compromised by hackers and your personal information can be obtained.

3. Keep your DigiCert safe

Ensure you pack your digital certificate (DigiCert). You’ll need it to sign in PEXA as no one else is permitted to do so on your behalf. When out of the office we recommend you:

Disconnect your DigiCert from your computer when no longer accessing PEXA
Do not leave it unattended or in a public place
Keep it in a secure, lockable location (unless you are taking it with you)

4. Use MFA via the smartphone app

Multi-factor authentication (MFA) via PingID gives PEXA Members an extra layer of security as they are required to provide both a password and a one-time passcode when logging into PEXA.

When out of the office or overseas, the PingID smartphone app works best as it provides the code instantly. A code via SMS can sometimes be delayed if your mobile phone service is limited or disrupted. Further, if you’re travelling overseas and have not enabled roaming, you’ll still receive your authentication code if your phone is connected to the internet.

5. Use PEXA Key
If you’re working remotely and cannot attend face-to-face client meetings, PEXA Key provides your business with an extra layer of security when communicating bank account details and allows homebuyers and sellers to track their settlement on their phone.

Bank and trust account details are communicated via the PEXA Key app, removing the need to use email and mitigating you and your client’s risk of succumbing to phishing attacks.

For more information about PEXA Key, visit our help page.

6. Getting help while you’re away

PEXA Support Centre is available by phone on 1300 054 515 between 8.30am – 8.00pm AEST/DT. You can also e-mail the team at support@pexa.com.au. If you e-mail outside of operating hours the team will respond the following business day. The e-Conveyancing Community is another excellent resource you can access for help online via community@pexa.com.au.

Security Advisory - Vulnerability Alert

jesselane — Thu, 16 May 2019 05:31:33 GMT

Dear PEXA Community,

This notice is for anyone that uses Microsoft Windows 7 or Windows Server 2008.

Microsoft has recently announced a critical vulnerability in its Remote Desktop Protocol for Microsoft Windows 7 and Windows Server 2008. This vulnerability opens up the possibility for unauthorised access to your computer system and data.

As a user, it is important that your Windows software is kept up to date to ensure that your device is secure. To keep your Windows software updated, please refer to this article.

PEXA recommends you reach out to your IT Support team/provider if you require further assistance in addressing this security issue.

PEXA Security Team

Why Me? - Password blunder

cbrown — Wed, 15 May 2019 00:59:51 GMT

Just another day for John

It’s Monday morning and everything is going smoothly. I made breakfast for my kids, dropped them off at school on time and the barista didn’t burn my coffee – a great start to the day. I get to my desk and look through my emails and I notice there are quite a few spam messages in my inbox. One of them says I won a free toaster, and another is an Indian prince claiming to be my uncle, the usual silly scams. I’m pretty savvy when it comes to security and have never had a breach. My firm uses some of the best firewall and virus protection software available. In addition, I even have a strong password that no-one will ever guess, and I use it across all my accounts so that everything is secure.

After a day full of meetings, I return to my desk and decide to check LinkedIn. I like to keep up with industry news, and a lot of my business comes from the connections I make through the website.

Little did I know that somewhere in the world, Elliot, an individual in an organised group of hackers, was searching the Dark Web, where illegal information can be bought and sold. Elliot stumbles across 117 million leaked LinkedIn username and passwords for 2 bitcoin ($16,853). How interesting. His team quickly purchases the data, as 2 bitcoin is nothing considering the monetary opportunities the data could present. Elliot and his team get to work downloading the data and selecting their victims.

Two weeks later

It wasn’t a good morning. The kids were dropped off late, one of my daughters left their lunch at home and the traffic was abysmal. To make things worse, the petrol prices had gone up another 2 cents – great. I get into the office and my mobile starts ringing almost as soon as I sit down. It’s my mother.

“Hi Mum, how are you?”

“Yes, good. I transferred the money you needed for your car repair. Here I was thinking that the days of you asking me for money were over! Also, when did you change banks?”

I frowned. I didn’t recall asking her for any money, and what car repair or new bank account was she talking about?

“I never asked you for money”

“Yes, you did, last night on Facebook!”

I start to wonder if my mother had finally gone crazy. Suddenly, my desk phone starts ringing, it's one of my most loyal clients.

“John, why am I getting emails from you with dodgy links, and you’ve been asking me for money that I don’t owe you, have you been hacked?”

I quickly access my work email and see to my horror that last night over 100 emails were sent to my clients from my email address, some asking for money, others with suspicious links that I was too scared to click. But I never sent these emails! What’s happening?

Next, I login to my LinkedIn account and see that someone has been posting advertisements from my account, some of them extremely inappropriate coming from someone who considers themselves a professional. I quickly scramble to delete them all, but most of them have already received scathing comments.

I don’t understand what is going on. My heart races and I sink down into my seat, I wouldn’t be surprised if this day marks the end of my career.

Why me?

Unbeknownst to me, over the past two weeks Elliot and his team had been working to execute the perfect crime. Known as credential stuffing, the group was able to use my credentials to access different accounts through automation, and because I used the same password for every account, they were able to easily access my social channels, work email and destroy my professional reputation. Having a strong password is great, but using it for everything isn’t.

Two hours later

My IT supplier confirms that majority of my accounts have been compromised and advises me to change all my passwords and employ a password manager, so I don’t have to remember them all. I post a statement on my website announcing that I have been hacked and instruct my clients to not click on or engage with any material that they have received. The next three weeks I spend ringing my clients and family to explain what has happened, but it’s too late. My reputation is ruined.

Strong passwords

As far-fetched as it may seem, what happened to John has happened to ordinary people before. It is vital that individuals protect themselves and their personal information by using strong passwords that are unique to each account. Because John used the same password for everything, Elliot was able to use John’s login information to access all his accounts, impersonate him and obtain information.

Understandably, it’s unrealistic that you will be able to create and remember strong passwords for each account so you may want to consider a password manager. By doing this, you will only need to create and remember a strong password for the password manager and change the password every six months.

When you change your password, you should change the entire combination rather than the number at the end. Hackers know this is a common practice and will try different numbers against the end of your password.

When creating a password, it is recommended that you choose two, easily remembered words that are separated by two symbols and a number, e.g. “Alpaca7!@housE”. To make it easier to remember, you could use the names of objects that are around you.

For more information on strong passwords click here.

Security Advisory - Vulnerability Alert

IndikaWimalasiri — Thu, 28 Mar 2019 03:12:21 GMT

Dear PEXA Community,

This security vulnerability notice only applies to members using an ASUS branded laptop device.

Security researchers have discovered a critical vulnerability with ASUS laptop computers relating to its “Live Update” software component. Live Update is functionality on ASUS laptop computers that keeps your ASUS laptop software up-to-date .

As a user, you are required to update the “Live Update” software component to Version 3.6.8 or higher at your earliest window to ensure your device is secure.

The article linked below, published by the vendor, outlines the steps you are required follow to make your device secure.

To ensure your device is safe please follow the details here.

PEXA recommends you reach out to your IT Support team/provider if you require further assistance in addressing this security issue.

PEXA Security Team

A Hacker’s Tale – A look behind the curtain #3

cbrown — Fri, 08 Mar 2019 04:45:33 GMT

Seasonal Attacks

Imagine it’s 3 weeks till Christmas

You’ve got (e)mail! (✉)

The email says that you are due to receive a parcel delivery from FedEx. You weren’t expecting anything, but then, it’s close to Christmas. It could be something special – who could it be from? Excitedly, you quickly fill in the required details and send the email. You and your team at your conveyancing firm have been receiving an unusually high number of emails lately. It must be that time of the year, when old contacts try to connect, and banks ask you to validate information. A couple of them have clearly been phishing emails – thank goodness they were identified.

Unbeknownst to you, you’ve missed some.

Meanwhile at the other end of these phishing emails, Elliot is slowly gathering information about you and your firm. Through his multiple phishing emails, he’s managed to obtain quite a bit of information about you, your assistant and some of your colleagues. It was relatively easy to follow you from the coffee shop’s free Wi-Fi. As the ‘man in the middle’ (MITM), he’s managed to have continuous conversations with you and your client Grace. Now he’s just waiting for you to take the bait.

Finally, success! Elliot’s managed to install malware[1] into your system through one of the links you clicked on. This spyware will hide in the background and watch what you’re doing online. It records your online activities and data such as your passwords, credit card details and the websites you regularly visit. All this is happening while you remain unaware that your personal data is being compromised.

By the way, did you know that Elliot isn’t really just Elliot. He is an individual in an organised group comprising of six to seven other perpetrators existing for the purpose of theft. Not wanting to put all their eggs in one basket, at any given time, the team may be running multiple online schemes targeting many organisations. They have spent weeks planning this one, fooling different people and collecting information.

In order to perform the theft of the funds from you and your client, Grace, they have also been spending time cultivating people that can execute the transfer of these stolen funds. Abigail King looks positive as a money mule victim.

A couple of days before Christmas

The group has been busy. They’ve managed to set it up – pretending to be Grace they’ve instructed you to transfer the proceeds from the sale of her house to Abigail King. Once the settlement has completed, $250,000 is moved immediately to Abigail’s bank account. Soon after, she will transfer the money, just under $10,000 at a time, to the group’s overseas account; until she gets caught that is.

Back at your conveyancing firm the property transaction was settled several days ago, but you’ve only just realised what’s happened. The funds have gone to the account you’ve told it to go to, but that’s not the right one! You call the bank. They say that they’ll look into it.

Uncertain what to do next, you ring PEXA and inform them that your email account was possibly compromised. PEXA contacts the bank who holds Abigail’s account, ensuring no further funds can be transferred out. However, approximately $30,000 has already been transferred to an overseas account.

The bank works with their counterparts to retrieve the money. They manage to recover close to $20,000 as the remaining $10,000 has already been physically withdrawn. Just under $240,000 is returned to Grace in total, it’s not everything.

After Christmas

It’s been a few days since the incident, and because it was a phishing scam you contacted your PI insurer, they should be able to cover the money that Grace lost through your cyber security policy. As a precaution, you arrange a full review of your firm’s IT security system as well as change your passwords, and suggest that Grace, do the same. You make a mental note that in the future, you will be diligent in verbally confirm bank details, only using private secure Wi-Fi networks and being wary of phishing email scams. It may also be a good idea to install a firewall to protect your systems from malware. The biggest deterrent to a cybercriminal is attempting to break through a robust cyber security system. They will generally go for an easier target because they are financially motivated to get in and out quickly.

Cybercrime in Australia

Email is the common technique used by cyber criminals and according to the Cyber Security Review, led by the Department of the Prime Minister and Cabinet, cybercrime costs the Australian economy approximately AUD 1B per annum.

The Australian Criminal Intelligence Commission (ACIC) states that Australia is an attractive target for serious and organised crime syndicates, and because of the lucrative financial gains, cybercrime is a serious threat. According to some experts, the majority of hackers are affiliated in one way or another to organised groups. They operate like a legitimate business with people who have a range of skills working towards a common goal.

Some organised groups receive direction and support from nation states – who exist with the purpose of stealing data, disrupting operations or destroying infrastructure. The state sponsors a coordinated attack with the intention of acquiring intellectual property or government data, many of these groups are a part of a collective ‘army’.

In this fictional story, Elliot does not belong to a nation state. He is a member of an organised group, that exist for the purpose of theft. It is highly likely that this group do not reside in Australia and like most others, live a lucrative lifestyle off the stolen proceeds. The reality of this story is that it can happen to you, and that being aware, and putting in the right cyber security controls can stop you from becoming another cybercrime statistic.

[1]Malware is malicious software, written with the intent of doing harm to data, devices or people.

Security Advisory - Vulnerability Alert

IndikaWimalasiri — Thu, 07 Mar 2019 05:41:15 GMT

Dear PEXA Community,

High severity vulnerability has been discovered in the Google Chrome Internet browser. Attackers can use this unpatched vulnerability to steal information from your computer.

Google has issued an update to the Chrome Internet browser to address the vulnerability. PEXA Security strongly recommend PEXA members check the version of the Chrome browser used and make sure it is up to date.

Please follow the steps and figure shown below.

Open Chrome browser -> Click on settings -> Help -> Click on “About Google Chrome”
Check your version number to make sure it’s 72.0.3626.121 or later.

PEXA Security Team

Ransomware: The profitable business of the cybercrime industry

cbrown — Fri, 02 Aug 2019 06:45:08 GMT

Recently, it was reported that a Victorian hospital fell victim to a cybercrime syndicate that held 15,000 medical files to ransom. This attack, a probable result of a phishing scam, inadvertently opened by a staff member, resulted in criminals hacking into the hospital’s server to plant ransomware that scrambled and encrypted data, locking access to files from medical staff.

Ransomware can happen in different forms. For hospitals, holding their data at ransom not only creates reputational damage but could have a serious impact on their patients. Another method of ransomware is to attack a company's IT infrastructure by disabling employee access to laptops or servers. The company is then held to ransom and the payment method is typically demanded in bitcoin or other forms of cryptocurrency. The use of cryptocurrency is prevalent in the cyber fraud community because of its ability to be transferred anonymously.

In 2017, two companies had their Amazon Web Services accounts compromised by hackers using the victims’ bandwidth and computing power to mine bitcoins, an energy intensive, but potentially lucrative exercise.[1]

Data ransom and bitcoin mining may seem simple and straightforward when compared to more sophisticated hacks such as one which occurred in 2017. The attack, called WannaCry, infected up to 200,000 computers, locking up users’ data in 150 countries, and demanded a ransom to release them. WannaCry was so damaging because the cyber criminals managed to exploit the vulnerabilities of older of Windows software when newer, more secure versions were available.

In Australia, conservative estimates show that cybercrime costs the economy in excess of AUD 1B each year. More than 500,000 small Australian businesses fell victim to cybercrime in 2017 and it is estimated that the majority paid an average of AUD 4,677 in ransom to unencrypt their data. Often small business fall victim as in some cases, maintaining the latest version of IT software is not their highest priority.

Source: Smart Company, From millions to malware: Cyber attacks in Australia by the numbers, July 2018

The cybercrime landscape is ever evolving, and it is therefore imperative for our industry to continually develop and advance a robust security framework. As an industry, we must uphold the highest standards when it comes to cyber security and maintaining the latest in secure software versions. This is non-negotiable when dealing with someone’s most important and emotionally significant investment – their home.

At PEXA, we are determined to ensure that the cyber security practices we have in place continue to protect our members and their customers. Our IT systems are annually audited by external professionals and we continually explore new ways to bolster the security posture of our network. This is achieved by investing, maintaining and constantly improving security controls as well as running a Security Operations Centre to monitor, detect, and respond to cyber-attacks.

What your firm can do

To ensure your practice is protected from similar events, it is important to be aware of how these criminals operate. Hackers like this look for the weakness in a security framework and will exploit vulnerabilities in older versions of software, as they did in the WannaCry ransomware attack. As a preventative measure, we recommend staying up to date with patching.

Patching reduces the risk of hackers exploiting vulnerabilities that have already been remediated by software companies. It updates, fixes, or improves the program or data and mends security vulnerabilities and other bugs.

Firewalls are another layer of protection that can act as a barrier between your computer and the Internet helping safeguard your computer and information. By having a firewall, you reduce the risk of an attacker compromising your computer. There are a number of anti-virus providers that you could employ that meet the requirements in PEXA’s Subscriber Security Policy e.g. Symantec, McAfee, TrendMicro, etc. The Policy also provides guidance on all the security controls that PEXA Subscribers should be leveraging to maximise their security posture.

You’ll notice that in the Victorian Hospital’s ransomware attack, an unwitting staff member fell victim to a phishing e-mail. Training your staff to recognise potential cyber-fraud is the first step to preventing this from happening to you.

Additionally, your business must plan early for this eventuality, however unlikely. Making this decision will assist you in avoiding ‘heat of the moment’ reactions that could have detrimental effects on your business.

Taking the necessary steps to ensure your data is backed-up will alleviate the need to and risks involved in paying a ransom. There are two main options for backing-up your organisation’s data:

perform your own back-ups to a storage device (USB or external hard drive); or
back up to an online (cloud) service.

Business’ that decide to pay a ransom need to be aware of the risks, including the likelihood that even if the ransom is paid, they may not receive their information back and leave themselves open to further attacks. We recommend you speak with your legal advisor beforehand to ensure you are making the correct decision for your firm.

There is a lot of information available to help your firm plan for this scenario. Visit staysmartonline.gov.au for more information on ransomware and PEXA’s online Community forum to learn about measures PEXA takes to bolster security.

[1] Bitcoin miners pool together different computers to solve complex algorithms, success of which generates a set number of valuable new bitcoins.

un-hackable network.

DMc — Wed, 20 Feb 2019 05:30:35 GMT

Is this a unicorn?

https://www.dailymail.co.uk/sciencetech/article-4727572/China-launching-unhackable-computer-network.html

Security alert | phishing e-mail - RESOLVED

Aoife — Fri, 15 Feb 2019 04:00:30 GMT

Hi Community,

PEXA is aware of a phishing e-mail received by various members of your network.

Details of phishing e-mail

From: Pexa Admin

E-mail: dfsffgsgg@telus.net

Subject: Monro-Sale: New conversation message received - Financial Settlement - Payout figure

The e-mail implies that the reader has received a message from ANZ RETAIL AND SMALL BUSINESS. It includes a Workspace number and requests the recipient to click on a link to read a message.

This is an example of a cyber-criminal creating an e-mail to resemble PEXA communications. It is likely member e-mail addresses were sourced from publicly available information online.

See below for a screenshot of the e-mail.

What to do

If you received this e-mail, clicked on the link and entered your PEXA username and password, we advise you to reset your PEXA password now. Please note, multi-factor authentication on entering your PEXA account protects you against unauthorised persons accessing your account.

If not the above, and you receive a similar phishing e-mail or another you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the e-mail
Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au

Please note, all PEXA Workspace e-mails are system-generated from PEXA and will be received from pexa.admin@pexa.com.au.

PEXA will never send you an e-mail advising you to click a link to access the PEXA Exchange, and will always direct you to login to access your account via pexa.com.au.

Learn more about phishing e-mails here.

Kind regards

Aoife

Security alert | Phishing e-mail - RESOLVED

Aoife — Wed, 19 Dec 2018 05:30:22 GMT

Hi Community,

PEXA is aware of an instance where a member’s e-mail account has been hacked. The hacker proceeded to send e-mails from the conveyancer’s account to other PEXA members.

Details

The e-mail sent by the hacker informed the recipient of a shared document from PEXA.

Screenshot of e-mail

screenshot of phishing e-mail

What to do

If you receive a similar phishing e-mail or another you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the email
Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au

Please note, all PEXA workspace e-mails are system-generated from PEXA. To receive a task related e-mail from a fellow PEXA member is unusual and unnecessary.

For outstanding tasks, please check your workspace(s) via your PEXA account.

Learn more about phishing e-mails here.

Kind regards

Aoife

A Hacker's Tale - A look behind the curtain #2

cbrown — Thu, 24 Jan 2019 22:04:58 GMT

It’s more than just an Internet romance...

The lover’s tale

Abigail thinks she’s in love. It must be love. She’s been looking for love for a while and Elliot seems like the perfect guy. Many of her friends have warned her about internet romances but Elliot’s different. He has never asked her for money. Never asked her for anything. She thinks he might be quite wealthy in fact. He is always moving money around. He’s been struggling lately though. So, she’s been helping him transfer money to his accounts. For some reason, he’s having issues sending money to his overseas account. Abigail doesn’t really know the reasons why, nor does she question it. It all seems too complicated, and as long as it’s not her money she’s transferring over, it must be okay… besides he’s committed to the relationship. He said they will be together soon.

Over the past couple of weeks Abigail’s been transferring money for Elliot’s family and friends. They are all preparing for a big holiday and need the money ready to meet them. It’s not much – a couple of hundred here and there. Now he’s asked for her help to transfer funds from the sale of his property in Australia.

Just a few days ago, Abigail received $250,000 to her account. She’s not meant to transfer everything over to him though. Elliot told her that while he was excited to have sold his house, he needs to move the money in parts to avoid government taxes. He’s asked her to transfer just under $10,000 at a time, over several days, because that way it doesn’t trigger any alerts. Abigail doesn’t completely understand the reasoning, but Elliot is good to her. He said they will meet face-to-face now that he has sold his house, and she is excited to finally put a face to her love.

For the third day in a row she has made the transfer. Something strange has happened though, all her accounts have now been frozen, and her bank keeps leaving messages to call them back.

The practitioner’s tale

Meanwhile your client, Grace, is frantic. She hasn’t received her house’s sale proceeds yet. It’s been a couple of days; how has this happened? You arranged the transfer of the money according to her instructions which you received just before finalising the payment. You look back at the details and see the account name Abigail King and a different BSB – not your client’s.

Wait. What’s happening?

Going back through the email trail you realise that there’s something funny about the email address. The instruction did not come from Grace. Blood drains from your face… you call the bank immediately to try and stop the funds from disappearing. Hopefully it’s not too late.

The Hacker’s tale

Meanwhile, Elliot is busy moving money around several of his accounts across the world and connecting with different people online. While he’s looking for a way to gain access to steal the funds, he has also been cultivating internet romances with men and women to transfer the funds outside of Australia. He loves living in the internet era where crimes can be performed anonymously, and no-one ever has to see his face. On the internet you can pretend to be whoever you want, and a lot of people believe you.

Money Mules

Unfortunately, the above scenario is all too common. Cyber criminals often use middlemen to transfer stolen money to their accounts. These middlemen are real people, with real accounts and they don’t have unusual bank account activity. Known as money mules, they are sometimes recruited or deceived into helping cyber criminals carry out these crimes. Offenders like our fictitious character Elliot.

These criminals have been known to recruit money mules via romance scams or employment scams. In a romance scam, the ‘money mule’ is emotionally invested and could also be considered a victim. Employment scams often offer potential money mules a job that requires minimal effort with lucrative returns – for instance, a small commission for receiving and transferring money.

According to the Australian Federal Police, it is a crime to transact in the movement of stolen funds, even if you are unaware that you are acting as a money mule. Money mules are caught because they are not trying to hide their activities, and when caught, they can have their entire bank accounts, including their own funds, suspended and potentially face criminal prosecution.

How can I protect myself?

Be wary of advertisements for a guaranteed income or job with lucrative returns and very little effort
Don’t transfer money on behalf of someone else, especially when you have never met them
Never give your bank details to anyone
Protect your personal information and be suspicious if anyone asks you for those details
Be cautious of people seeking financial assistance or asking you for financial details – money sent via wire transfer is rarely recoverable
As a business operator, when receiving instructions to transfer money, confirm that the instructions you’ve received have come from your client - verbally confirm details or changes with your client
Be cautious of situations where the name on the account differs from that of your customer

I think I am a victim, what can I do?

Anyone who has disclosed their bank account details, received funds into their account or suspect that they are a victim of a mule scam should contact their bank or financial institution immediately.

For more information on this and more, please refer to Scam Watch

A Hacker's tale - A look behind the curtain #1

cbrown — Thu, 20 Dec 2018 05:14:13 GMT

Shhh! Someone's listening...

An uninvited guest, Elliot, has inserted himself into your conversation. You are sitting at a coffee shop having a chat with your client Grace, and unbeknownst to you, Elliot, at the next table is virtually listening to your entire conversation. This unwanted guest eavesdrops the conversation with your client and gathers all their critical information. When you leave the table, he continues the conversation with your client pretending to be you.

I know what you’re thinking - this would not be possible face-to-face. Your client, Grace, knows what you look like, what you sound like. But what if I told you that this is not improbable at all… this is happening online today.

This seemingly far-fetched scenario is a very real cyber-attack method, aptly called man-in-the-middle (MITM). The hacker, in this instance, Elliot, effectively intercepts your conversation, places himself in the middle and conveys the information he wants to pass on to both sides.

How could this happen?

Hackers like Elliot use various methods to gain access to your computer systems. Elliot may have used a phishing scam, or capitalised on poorly secured Wi-Fi routers, often found in public areas with free hotspots. His goal is to obtain your password and access your email account. The current statistics show an increase of 80% in hacks performed through an email compromise.

Changing your password may not be enough

Once Elliot has got into your system, he can create a rule that automatically forwards your emails to a secondary account. This means that any email you receive is also sent to his email account. Using further filtering with key words, he only needs to monitor what he deems as relevant emails. So, even if you regularly change your email password, in this scenario, the hacker still has access to your emails.

How does it work?

With access to your emails, Elliot then uses the information he has obtained, and, mimicking your email style, he can begin a new conversation as you, with your client, Grace. With valuable context acquired, the hacker then impersonates Grace, responding to your emails.

Once he has obtained the information required, he then exits the conversation. You and your client, Grace, are none the wiser, until that is, you realise you are a victim of a scam. By then, money has exchanged hands and you may or may not be able to recover missing funds.

What can you do to protect against a MITM attack?

Be aware of potential phishing emails. They could appear to be from a trusted source, masked as from your family, friends or even your bank. Instead of clicking on the link, type the website address into your browser.
Moving your mouse over the link will show the website name. If the name doesn’t look like the site, don’t click on it.
Use secure Wi-Fi networks, or if using public networks, connect with a virtual private network (VPN)
Ensure you have a comprehensive internet security solution. An interesting article on this topic can be found here.

I think I am a victim, what can I do?

If you suspect that you’re a victim of a scam:

Change your passwords to be unique on all of your systems.
Check if there are any forwarding rules in your email account, and if found:
1. Record the email address being forwarded to
2. Confirm no-one in your organisation created this rule
3. Have your team check their email accounts for forwarding emails and reset their passwords too
4. Inform your clients by telephone and verbally reconfirm all details, especially bank account details
5. Delete the rule
6. If this has impacted your PEXA business, inform PEXA Security alias – security@pexa.com.au. PEXA is working with Law Enforcement to identify these types of behaviours and any information you provide could help in the tracking and potential capture of those involved in cyber-crime.

At PEXA…

Multi-factor authentication (MFA) provides an additional level of security to access your PEXA Workspace. The levels include your PEXA account name, password, your MFA token, and your digital signing token and pin. However, you still need to be vigilant when it comes to communicating with your client. Soon, PEXA will introduce a new app that will allow your clients to input financial data directly into the Workspace and enable you to request and receive information from your clients securely. [Stay tuned]

As our world becomes more and more connected online, it’s important to be aware of the cyber threats that could compromise the security of your personal information and business operations. Cyber criminals have a low cost of entry into criminal activities and they often have the anonymity to avoid detection. With many targets they will usually go for the easiest person to scam so stay informed and be aware. Collectively, we are better together, as we work as one to reduce the threat of cyber-crime and stay smart online.

By Craig Brown, Head of PEXA Security

PEXA Security Initiatives

cbrown — Thu, 28 Feb 2019 03:17:01 GMT

Hi Community,

The team at PEXA continues to explore techniques and technologies to align with the ever-changing security landscape. Below is an update on current security initiatives happening on the PEXA platform including our insights into a topical security concern – phone porting.

Multi-Factor Authentication

In September, multi-factor authentication (MFA) was rolled out to PEXA members. MFA requires the user to provide two or more types of evidence to verify their identity when logging in to an account or completing a transaction. This includes a password and unique authentication code which regularly changes. Members choose to receive an authentication code by SMS, the PingID mobile app, or the PingID desktop app.

MFA was added as another layer of authentication on top of digitally signing. Members with the relevant authority must digitally sign-off transactions with their unique [bespoke] digital signing token and PIN, confirming that all details are correct prior to the transfer of funds.

More than verification

Additionally, we initiated the following measures to boost the protection of members while transacting online:

Increased monitoring of unusual activity surrounding password resets, new user creations and changes to BSB and account numbers. If such activity is detected by PEXA, a member of PEXA’s team will contact members to confirm that the activity is legitimate.
Machine learning algorithms to detect behavioural anomalies on a per user basis. If the behavioural pattern of a user changes, PEXA’s risk profiling mechanism is activated to trigger an alert. The member will then be promptly contacted by PEXA’s Security team.
Workspace time stamps and summary screen so that members can see when the Financial Settlement Schedule was last updated and by which user.

Phone porting

A current concern from industry is the possibility of phone porting – a situation where a scammer uses your personal details to port your mobile number from one provider to another, therefore accessing further personal details.

With a suite of security measures in place to protect PEXA members and your clients, and lawyers and conveyancers continuing to practice their due diligence, the small percentage of members who have chosen to receive their authentication code via SMS should not be alarmed.

It is important to note that for phone porting to occur, the scammer would require several pieces of a user’s ID, as well as the ability to convince a service provider to transfer the SIM details from one telco to another. Therefore, not only would the scammer need to know the targeted user’s personal information, they would also need to know if that user has chosen SMS as the preferred method.

To assist in preventing this from happening, I advise members to remain vigilant of people calling, emailing and requesting personal details.

If you have any questions about this information, please don’t hesitate to reply below.

Regards,

Craig Brown
Head of PEXA Security

Stay Smart Online Week

IndikaWimalasiri — Mon, 08 Oct 2018 02:55:39 GMT

This week is #StaySmartOnline Week.
The campaign aims to reverse the threat of cyber-crime by empowering people to discuss and own their cyber-security.
Over the next few days we’ll be sharing a number of best-practice resources to assist you, here on Community and on PEXA's social channels.

Security alert | Phishing e-mail

Aoife — Tue, 11 Sep 2018 01:11:34 GMT

Hi Community,

PEXA is aware of a phishing e-mail received by a member of your network.

Details of phishing e-mail

From: Jessica Wong

E-mail: cains8x@nsas.avinetmail.net

The e-mail implies to have a contract of sale attached and requests to settle via PEXA. See below for a screenshot of the e-mail.

What to do

If you receive a similar phishing e-mail or another you believe to be suspicious, please:

Do not respond
Do not click links or download attachments
Delete the email
Report it to your relevant security administrator or e-mail PEXA’s security team at security@pexa.com.au

Learn more about phishing e-mails here.

Kind regards

Aoife

Phishing e-mail

PEXA Digital Certificate Software not correctly digitally signed

Andrew_GC — Wed, 05 Sep 2018 12:10:15 GMT

PEXA's digitial certificate software download is signed with a certificate issued to 'pexa.net.au'. Why should anyone trust software signed by a website? Especially one that is not in use? It is trivial to register website names, and numerous 'pexa.' domains are available for registration now by anyone. How are we to discern whether pexa.net.au is actually owned by the Property Exchange Australia Limited? How then, are we to determine whether to trust the signer and install this software?

The software should be signed with a certificate issued to PROPERTY EXCHANGE AUSTRALIA LIMITED.

Surely PEXA does not think that users should ignore incorrect security certification of its software? Or that we should trust anything with 'PEXA' in it somewhere? This is EXACTLY how fake (malicious) software is promulgated.

Here is a snip of what the digital signatures look like on correctly signed software by two other well known software companies (left hand side) and on the right-hand side, a snip of the PEXA software signature. (Red markup added by me for emphasis)

I posted about this in the general forum section, but received no response.

Member security alert | phone scam

Aoife — Tue, 14 Aug 2018 01:44:56 GMT

Hi Community,

PEXA is aware of a current phone scam purporting to come from PEXA.

So far, two cases have been identified.

Details

Phone call one: Scammers contacted an AIC member telling them that they have been randomly selected by PEXA to trial PEXA 5.6.

Phone call two: Scammers contacted an AIC member referring to an email sent two months ago from PEXA regarding security enhancements and asking for email addresses.

Please note, a PEXA employee will never call you and ask for your e-mail address.

What to do

If you receive a call similar to the above or that you believe to be suspicious, please:

Ask for the caller’s full name
Ask for the caller’s e-mail address
Record the caller’s preferred phone number

Then, contact your Account Manager, PEXA Direct Specialist or PEXA’s security team at security@pexa.com.au to alert them.

It’s important that we continue to work together to defend against scammers, phishing attempts and/or cyber-fraud. Please reach out if you encounter any suspicious behaviour.

Kind regards

Aoife

Using your PEXA login credentials and Digital Certificates

cbrown — Fri, 10 Aug 2018 01:45:18 GMT

This checklist will help you protect your identity and the integrity of the network when using your PEXA login credentials and Digital Certificate to electronically sign in PEXA.

Following the steps below will help you remain compliant with your professional obligations, and those set out in the Model Participation Rules which govern your use of PEXA. Non-compliance with these obligations may result in the Registrar of Titles in your jurisdiction instructing PEXA to suspend or terminate your access to the network.

Ensure you are the only person who knows your PEXA password
Upon registering with PEXA, unique credentials are provided to an organisation’s nominated Subscriber Manager. If required, the Subscriber Manager can then create individual user profiles with unique login details for additional employees within their organisation. Employees should never share User IDs or password login details for PEXA.

Select different passwords for your email, desktop access and PEXA
Using the same password across multiple log in channels is risky - if one was compromised, then all could be compromised. Strong passwords have a minimum of 10 characters and use a mix of uppercase and lowercase letters, numbers and special characters like !, &, and *. # (Using a special character in your password will increase the difficulty of breaking it significantly).

Ensure each employee required to sign documents and authorise funds in PEXA has their own Digital Certificate
Every Subscriber is required to obtain and maintain at least one Digital Certificate. The number required will depend on how many people will be signing on behalf of the organisation. Digital Certificates are assigned to an individual – when used to digitally sign, both the signer and organisation are clearly identifiable. If your Digital Certificate is shared within your firm and misused in a PEXA transaction, you will be identifiable as the signer.

Ensure no one else has access to your Digital Certificate and PIN
Your Digital Certificate is your unique, binding electronic signature. If a digitally signed document in a PEXA transaction is called into question, and it is suggested that the owner of the Digital Certificate was not the person who applied it, your professional reputation and ability to claim on your professional indemnity insurance could be impacted. Whenever your digital signature is applied in PEXA, it is taken to be signed by you and is binding, similar to a ‘wet’ signature. It is important to check documents and the Financial Settlement Schedule prior to signing. Should someone other than the owner of a Digital Certificate use it to sign in PEXA, it may be considered the equivalent of forging a ‘wet’ signature. We suggest you do not leave it inserted in your computer, and instead consider locking it away and ensure secure storage provisions are available for all employees with a Digital Certificate.

Plan ahead to ensure your business has sufficient coverage to sign in PEXA
Consider how many people in your organisation may be required to digitally sign in PEXA and arrange Digital Certificates for each unique user. When managing operations, you may need to account for staff leave, those who are frequently out of the office, and ensuring there are enough people present who are trained and authorised to sign in PEXA.

Know what to do if you or a staff member move on to a new job
A Digital Certificate identifies both you and the firm, therefore cannot be taken by the owner to a new job. A new Digital Certificate will need to be ordered by their new employer. In these circumstances, Digital Certificates must be cancelled by calling the PEXA Support Centre on 1300 084 515.

Multi-factor authentication (MFA)
MFA is utilised to confirm that the person logging in to PEXA is the person who owns the profile being used, and not someone else. MFA requires the user to provide two or more types of evidence to verify their identity when logging in to an account or completing a transaction. As MFA requires the owner of the profile to pair their mobile phone, logging in requires the user to have their device on them, enabling them to receive their authentication code by SMS or the PingID app directly. It’s important to note that each Subscriber will be required to authenticate with their own device every 12 hours.

Talking to consumers about the security of e-Conveyancing

TJ — Thu, 12 Jul 2018 23:29:43 GMT

Hi Community,

We've had a few questions on how to talk to consumers about the security of e-Conveyancing. Here's some talking points that might assist when having these conversations with your customers.

You can discuss your personal experience transacting through PEXA and point out that over a million transactions have taken place on the platform safely without issue or interference.

Over 1.2 million transactions have been successfully processed through the platform, and over $150 billion in property value settled.

Provide your customers the assurance that your business has good cyber security measures in place and that the PEXA platform itself is incredibly secure.

As your representative, I must physically sign off on the account details using my own digital signing certificate and password before a payment can be processed. If the details of any such payment change prior to a settlement proceeding in PEXA, I am required to re-sign before settlement can take place. I always check to make sure that the details are accurate immediately prior to digitally signing the settlement schedule.
PEXA’s Information Security Management System (ISMS) aligns with the international security standard ISO27001 – protecting PEXA’s platform against online cyber security threats. Importantly, this is an e-Conveyancing regulator (ARNECC) requirement as well as a PEXA cyber security measure.
In addition, the ISMS is independently audited – currently by Ernst & Young (EY) – each year. Independent reviews ensure PEXA’s cyber security is fit for purpose and up to date. All review outcomes and recommendations are shared with PEXA’s regulator, ARNECC. The results of the audit demonstrate that PEXA has consistently complied with the international security standard.

You can tell your customers that as a result of the most recent events there have been extra security measures put in place by PEXA to reduce the risk of this type of fraud happening in the future.

And, of course, letting them know if it does occur, PEXA is implementing a residential sellers guarantee to cover the lost funds.

To further protect us (lawyers and conveyancers), PEXA has also introduced extra security measures to protect against a recurrence of this incident. This includes:

Increased monitoring of PEXA Workspaces
Creation of new users in an ‘inactive’ state, pending PEXA activation after verification
Providing Workspace time stamps
Introduction of multi-factor verification

PEXA has also recently announced a residential seller guarantee, safeguarding all transactions that occur on their platform.

Email impersonation fraud – reassurance for Lawcover insured lawyers

TJ — Fri, 29 Jun 2018 01:24:08 GMT

Lawcover have provided reassurance to their customers regarding email impersonation fraud, please find below their full pdf.

"The recent email fraud incident identified by PEXA has caused a number of lawyers to contact Lawcover to understand their insurance coverage.

The email fraud referred to has been a risk for some time and is one about which Lawcover has repeatedly warned law practices to be aware. Our message remains the same irrespective of the method of funds transfer – be aware and prepared for the risks of email impersonation fraud and follow steps to protect yourself from becoming a victim or an unwitting participant in a fraudulent activity.

While individual matters will of course depend on the facts of the case and the terms and conditions of the relevant policy, the following should provide some reassurance about the extent of your insurance coverage as a Lawcover insured. "

Security Advisory - New Malware could be Infecting your Home Modem/Router Devices

IndikaWimalasiri — Wed, 30 May 2018 23:09:27 GMT

Security Advisory

Every now and again we come across security issues that can impact you at home. There is one that is making some noise in the security world. The new virus/malware discovered can infect your home or small business router (the box that connects to the Internet). It’s called “VPNFilter” and the estimated number of infected devices is around 500,000; in at least 54 countries.

Read on to see if this affects your internet box (router/modem) and what to do to protect yourself.

1. How does this affect you?

If you have a router/modem from the following companies, it’s suggested you review your vendor’s update steps.

Vendor	Action to take
Telstra	No action – Telstra reports that your modem is updated automatically
Linksys	Follow the vendor directions
Netgear	Follow the vendor directions
MikroTik	Follow the vendor directions
TP-Link (TP-R600VPN model only)	Follow the vendor directions
QNAP Systems	Follow the vendor directions

2. Can I learn more about the VPNFilter issue?

If you would like to get into the details, follow this link (https://blog.talosintelligence.com/2018/05/VPNFilter.html)

3. Is there anything we can do to be secure?

A few helpful tips to keep your home devices secure are:

Always change the default password.
Put a password on your home wireless network.
Use a strong password with at least 8 characters, a combination of upper and lower case, include numbers and special characters such as @, #,and !.
Use a different password on your PC, to your email, to your work, and so on.
Make sure you update your software regularly so that security patching occurs.

If you still have questions, email security@pexa.com.au

Five steps to protect yourself by LPLC

AnnaHardie — Mon, 21 May 2018 01:01:26 GMT

Hi community,

Scams Awareness Week runs this week from 21 – 25 May 2018 and the Australian Government is urging Australians to be on the lookout for threat-based impersonation scams by taking a moment to ask ‘is this for real?’

I thought you might be interested in the following article Australians Lost $340 million to scammers in 2017.

I also found a helpful resource on LPLC's website about cyber fraud. There's also a downloadable poster which I've attached to this post (link below). It covers 'Five steps to protect yourself'. It would be worthwhile printing for your offices as a reminder.

Security Reminder - Confirming client bank details

JoW — Fri, 18 May 2018 00:47:23 GMT

PEXA is aware of phishing attempts outside the PEXA platform where unknown parties are intercepting emails between practitioners and their clients and fraudulently changing customer bank details which may result in the unwitting misdirection of funds.

While not specific to e-Conveyancing, PEXA urges all practitioners to take steps to reduce the risk of fraud. This includes verbally confirming bank account details with your clients before entering them into the settlement schedule (if completing the transaction electronically).

It may not be sufficient to simply confirm with the client that they have sent you an email with their bank account details. It would be appropriate to read the bank account details out to your client, confirming that the information you have received is the same as what the client intended to send.

The Law Institute of Victoria offers a practical guide covering cyber security which we would encourage you to read. In addition, The Queensland Law Society has also published a warning in relation to email scams.

If you have any questions or concerns regarding an existing transaction, or guidance on how to stay safe online, please contact the PEXA Support Centre on 1300 084 515 or visit the security page on our website.

Kind regards,

Phishing Emails... How to stay away from it...

IndikaWimalasiri — Tue, 17 Apr 2018 00:30:28 GMT

Dear Members,

Below is an example of an actual phishing email for awareness purposes. Please take a moment to look at the pointers to understand how you can be misguided by a hacker. Being on top of this can help you to stay safe online. Remember, one click is all that matters to open the door to whole new level of issues.

Here are few helpful steps and questions to try/ask yourselves before clicking on any suspicious/unknown email.

Reputable & legitimate organizations:

Don't request your sensitive information via email - Legitimate organisations do not send you emails asking you to download certain content e.g. utility bills, gift card link etc. or request you to verify your account details by clicking on a link.

Don't call or address you by a common greeting - Most of the time it will not include generic greetings e.g. "PayPal User", unless it’s advisory and openly available information.

Have their own email domains - Don't just look at the person's name sending the email. Check the full email address including the domain to make sure it is actually from the organisation represented, as most of the time they'll have their own domain. Hover your mouse over the email to verify this and make sure there's no additional numbers or special characters attached to the address. If there are, it is most likely a phishing e-mail.

Don't make grammatical errors - Spelling mistakes and bad grammar are key giveaways that it's phishing.

Don’t force you to their website - Most of the phishing emails contain multiple hyperlinks to maximize their chances of you clicking on one of them.

Don't send unsolicited attachments in the emails - Attractive attachment headings are another giveaway that it is a phishing scam. Another common case is utility bills or any other public event happening around the same time. Scammers use these events or news items to grab your attention and potentially to get you click on the links.

Send legitimate URLs - It may look like it is but it may send you somewhere else. Hover your mouse on the link (do not click) to check the link is actually legitimate and does not represent a different suspicious name. Always type the URL into your browser rather than using links on emails if you want to access the website. Don’t trust the email, instead call the sender to validate the request.

I clicked on it... Now what happens?

If you click on a phishing link accidentally, it does certain actions behind the scenes which you cannot see. These actions could be anything from a simple add popup on your screen to a stealing of your personal/customer data. So, if you fall into this category, speak up and seek help by contacting your internal security professionals or IT partners. Sending phishing emails and inviting people to click on these links are by far the most successful way for organisations to experience data breaches.

if you find any phishing/spam material referring to PEXA, please forward it to security@pexa.com.au

Overseas login to PEXA

SRJ — Mon, 09 Apr 2018 00:57:07 GMT

I am going on leave for 2 weeks and have 2 PEXA settlements due while I am away. Is there any limitation on logging in to PEXA from an overseas location? I ask because some sites, such as ASIC, will not allow login from outside Australia.

Obviously I need to take my Licence key with me, but is there any other issue you can think of?

Phishing Emails referring to PEXA

IndikaWimalasiri — Wed, 07 Mar 2018 21:34:22 GMT

Dear Members,

Forwarding suspicious emails to security@pexa.com.au

We have made changes to our security configurations when you forward a phishing/suspicious email to PEXA via security@pexa.com.au

Previously when you forward an email to security@pexa.com.au with potential malicious content it denied successful delivery and often you would have received a delivery fail/bounce back message. But not any more.... Now you can click the forward button on the actual malicious/phishing email and send directly to us via security@pexa.com.au without the email being blocked.

It is important members forward us the actual email to PEXA instead of trying to send it as PDF or a Screenshot of the email.

Thank You.

PEXA Cyber Security Team

How to Spot a Phishing Email

IndikaWimalasiri — Fri, 23 Feb 2018 04:59:41 GMT

How to Spot a Phishing Email

The typical phishing email will contain a concocted story designed to lure you into taking an action such as clicking a link or button in the email or calling a phone number. In an email, there will be links or buttons that take you to a fraudulent website. The fraudulent website will also mimic the appearance of a popular website or company (in this case PEXA). The scam site will present you almost identical login page looks like PEXA waiting for you to login with your actual PEXA login credentials. Where malicious party able to collect your credentials and then they can re-use this to login to PEXA or sell them on the internet. If you felt you have accidentally just did that then your next best option to change the PEXA password immediately.

How to Protect Yourselves?

Whenever you get an email about your PEXA account, or a workspace needs action the safest and easiest course of action is to open a new browser, type https://www.pexa.com.au/ OR https://workspaces.pexa.com.au , and log in to your PEXA account directly. Also you can call your known contact which appears to be sent the email to validate.

Do not click on any link in an email that requests personal information.

How to report a phishing email ?

Follow these steps:

Forward the entire email to security@pexa.com.au . (Refer to "How to forward a phishing email to PEXA")
Do not alter the subject line OR forward the message as an attachment.
Delete the suspicious email from your email account.

We’ll let you know quickly if the email is legitimate. Your vigilance helps protect other PEXA users.

A genuine PEXA email will never ask you for

Credit and debit card numbers
Bank account numbers
Driver's license numbers
Email addresses
Passwords
Your full name

Further steps to protect you from Phishing

Monitor your PEXA account. Check your account periodically for suspicious activity. If you notice unauthorized use, report it to us.
Be smart about your password.Change passwords often and use unique passwords that include letters, numbers, and symbols.
Keep security software current. Update your firewalls and security patches frequently.

Below is an identical looking malicious PEXA website.

--- END ---

Risky behavior exposing you to a data leakage

IndikaWimalasiri — Thu, 22 Feb 2018 03:41:19 GMT

Risky behavior exposing you to data leakage

Here’s an simple opportunity to check whether you’re exposed to data leakage.

Do you find yourself guilty of the following?

I don’t keep my software (apps, browsers, etc.) and my operating system up to date by installing updates as soon as they’re released.
I don’t use antivirus and additional layers of security that can protect me against second-generation malware.
I don’t pay attention to password security and I reuse passwords.
I use public Wi-Fi networks for online banking and online shopping.
I frequently share personal details on social media or in emails.
I don’t use two-factor authentication.
I don’t have anything to hide or nothing valuable that cyber criminals may want.
I open emails from unknown senders. (Remember your emails have pretty much the full digital print of your life. You have your Driver’s License, Passport, Bank Account details sent to an authority or another business. Don’t you?)
I download and open attachments from unknown senders.
I am just a small business and no one is interested in what I do.

This is not meant to be an incriminatory interrogatory, but rather a way to evaluate your own cyber security practices. You may find out that your online safety measures are inadequate, but that doesn’t mean you can’t make a change for the better.

From the Law Society of NSW

TJ — Sun, 24 Jun 2018 22:53:10 GMT

From The Law Society - NSW

"In one instance the criminal has hacked into one of the party’s computers and has been monitoring the emails between the solicitor and the other party. The other party sent its final instructions as to the bank account details where the payment of $250,000 was to go to by attaching a PDF of the instructions to the email. However, the hacker amended the PDF with their own bank account details and stated this was the account where the funds were to go. Accordingly, the solicitor referred instructions to PEXA to pay the $250,000 to the wrong bank account. The payment of the $250,000 was paid to the wrong bank account. Luckily, the other party was eagerly awaiting the funds and contacted the solicitor immediately and the bank was notified, and the funds were saved."

https://www.lawsociety.com.au/cs/groups/public/documents/internetcontent/1439012.pdf

To be clear, this wasn't a breach of the PEXA platform - the user's computer and or email client were compromised and the false bank details were entered into PEXA by the user who received the email with the amended PDF.

In order to protect yourself in similar circumstances, a great tip is to, as a matter of course, telephone the other party (using the telephone details on file) in every transaction where new bank account details are given, to confirm those new bank details with the client prior to the transfer.

Security Awareness - Spam Emails

IndikaWimalasiri — Mon, 29 Jan 2018 22:04:28 GMT

Spam and what is it?

Spam or spamming is big business and a mechanism criminals use as well as marketing companies to get your attention, or to convince you to click on a malicious link. Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email. See below for a few tips to reduce the number of spam emails you get.

Enable filters on your email programs

Most internet service providers (ISPs) and email providers offer spam filters, however, depending on the level you set, you may end up blocking emails you want. It’s a good idea to occasionally check your junk folder to ensure the filters are working properly.

Report spam

Most email clients offer ways to mark an email as spam or report instances of spam. Reporting spam will also help to prevent the messages from being directly delivered to your inbox.

Own your online presence

Consider hiding your email address from online profiles and social networking sites or only allowing certain people to view your personal information.

6 Simple Steps for a Stronger Password

IndikaWimalasiri — Mon, 29 Jan 2018 22:05:42 GMT

1. MAKE YOUR PASSWORDS STRONG

Short and simple passwords might be easy for you to remember, but unfortunately they are also easier for cyber criminals to crack.

Strong passwords have a minimum of 10 characters and use a mix of:

Uppercase and lowercase letters
Numbers
Special characters like!, &, and *. # (Using a special character in your password will increase the difficulty of breaking it significantly)

Use passphrases

Criminals often perform password brute force attacks, in which a computer program tries to guess every possible password combination to match your password. Using passphrases will significantly reduce this attempt.

What is a passphrase? A passphrase is collection of words that is meaningful to you, but not to someone else. For example: "horseswimminghigh#" is 18 characters long. Depending on the systems you access, you may be limited to a defined number of characters.

2. CREATE PASSWORDS HARD TO GUESS

Avoid using personal information such as your children, partner or pets name, favorite football team or date of birth as your password, as they can be easy for others to guess and for computer programs criminals use to guess passwords.

When trying to hack into an online account, cyber criminals start with commonly found words and number combinations.

Here are some things to avoid using:

Dictionary words
A keyboard pattern like qwerty
Repeated characters ( ex : aaaaa)
Personal information such as your date of birth or driver’s license number

3. CREATE UNIQUE PASSWORDS EVERY TIME

If you need to reset a password, don’t just change one part of it. Instead of changing a number at the beginning or end, create something completely new you’ve never used before. Get into the practice of changing your password often, ideally every few months.

4. DON’T SHARE PASSWORDS, EVER.

Never share your password with someone, not even with someone you trust or in the family.

What if a business or company I know asks for my password?

Reputable companies won’t ask you to give them your password over the phone, via emails, or SMS messages. This might be a warning sign of phishing or a scam.

PEXA will never ask you for your password or PIN; either by email, SMS, over the phone or at a branch.

5. DO NOT USE SAME PASSWORD FOR ALL THE ACCOUNTS AND SERVICES

This is a common mistake a lot of people make. Using different passwords means that if one of your accounts is breached, criminals won’t have access to other accounts that use the same password. If a criminal has access to several of your online accounts, it increases the chance that they may impersonate you to your online friends, or businesses you deal with.

6. STORE PASSWORDS SAFELY

As your online presence grows you may have many accounts with different passwords. You can store these passwords in a password manager. There are many password manager apps available. Almost all of these password manager solution allows PIN access method to make it more secure.

If a web browser you are visiting asking you to save your password think twice whether you want to do that. This is not a good practice. Do not allow web browser to save your PEXA account passwords.

Keep Up to Date with Software and Applications – "Known as Patching"

IndikaWimalasiri — Mon, 29 Jan 2018 02:24:17 GMT

Keep Up to Date with Software and Applications – "Known as Patching"

No matter which phones, tablets, laptops or computers your organisation uses, it’s important they are kept up to date at all times. This is true for both Operating Systems and installed apps or software. Doing so is quick, easy, and free.

Smart Phones/Tablet Manufacturers and developer owners frequently release new updates to their products. The purpose of updates are to update the device with new features and to also fix newly found vulnerabilities. Staying up to date with updates is critical to staying safe online.

If you don’t apply these regular patches to you computers, tablets and other smart devices then you are at high risk of being a victim of online scams and frauds.

All devices have a limited lifespan. When new updates cease to appear for your hardware or software, you should consider a modern replacement.

If you don’t wish to manually update there is an option to set it to “automatic update” which will require no action from you when a new update is available.

Happy Updating ......

Secure Your Computer, Tablet, Smart Phone

IndikaWimalasiri — Mon, 29 Jan 2018 02:41:19 GMT

Our lives are increasingly dependent on the internet and our digital devices. Digital copy of our lives always lives on these devices. Our personal data is a big business for some organizations. On top of that cyber criminals are increasingly interested in your personal data so they can impersonate you and use your details to carry out illegal activities. This is the main reason why we should think twice and take effective actions to secure our digital devices.

This article provides few tips how you can be on top of this.

Set up a password, pass-code, PIN or fingerprint/face-id to lock your devices especially mobile devices.
Keep your devices up to date at all time. Think about setting automatic updates.
Enable automatic screen lockout after a set period of time.
Develop a habit of deleting your web browsing history regularly on your mobile devices and other browsers.
Enable remote locking and remote wipe capabilities on your devices. This will greatly help to take action in case you have lost the possession and control of your device.
Be vary of public Wi-Fi spots specially the free offers. – Wi-Fi is a great tool for criminals to lure you in to traps so they can get easy access to your data.
Switch off your Bluetooth when not used. If you don’t use Bluetooth regularly it is recommended you switch this capability off on your device.
Be mindful operating your device in crowded places. Shoulder surfing is a good technique cyber criminals use. Shoulder surfing refers to looking over your shoulder as you type in our password/PIN/financial details to try and capture them.

Security Awareness - General Information Security

IndikaWimalasiri — Mon, 29 Jan 2018 00:20:42 GMT

Video provides information security awareness in and around your workplace. Simple tips how you can create a secure working environment for yourself and colleagues around you without any technical controls. Video runs just over 2 minutes.

Cyber Security Awareness - Phishing Attacks

IndikaWimalasiri — Mon, 29 Jan 2018 00:12:10 GMT

Video provides great insight in to Phishing attacks and how they are conducted. Video is just over 3 minutes and would be helpful to identify and defend against these sort of common attacks.

Password Security

IndikaWimalasiri — Thu, 25 Jan 2018 03:30:14 GMT

STOP. THINK. ACTION

IndikaWimalasiri — Mon, 29 Jan 2018 03:37:20 GMT

Protect Yourself with these STOP. THINK. ACTION

When in doubt, throw it out

Links in email, tweets, posts and online advertising are often how cyber criminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.

Think before you act

Be wary of communications that asks you to act immediately, offers something that sounds too good to be true, or asks for your personal information.

Make your password a sentence

A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!

Unique account, unique password

Having separate passwords for every account helps to protect you against cyber-criminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.

Lock down your login

Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.

Awareness

Be generally aware about the issues, incidents, current affairs happening in the world. Cyber criminals try to take advantage of these events by using them to grab your attention.

Malicious Emails and How to Protect Yourself

IndikaWimalasiri — Mon, 29 Jan 2018 03:04:26 GMT

Have you ever received an email that looked like it came from a colleague, friend, employer or your utility company? Did you think twice before opening it or clicking on the link in that email?

No matter the controls we have in place there might be a time when one weak link provides an attacker access via a malicious email. A malicious email can look like it comes from someone you know at PEXA, a Financial institution, an e-commerce site, a government agency or any other service or business. The email often urges you to act quickly, because your account has been compromised, your order cannot be fulfilled or there is another urgent matter to address.

If you are unsure whether an email request is legitimate, try to verify it with these steps

Contact the company or the person you know directly – using information provided on an account statement, on the company’s official website or any other previous legitimate official transcript.

Search for the company online – but not with information provided in the email.

Read it carefully. Most likely you will see grammar or spelling mistakes.

Watch out for anything asking urgent action. Requesting urgent action is a common phishing technique.

Hove your mouse pointer over the link provided (do not click) and it should show you the actual web address its trying to take you to. Most of the times these are malicious websites created just to infect your computer just by visiting them.

What to Do if You Are a Victim

Report it to the appropriate people within the organization or your IT & Network service provider, including network administrators. They will be alert for any suspicious or unusual activity.

If you believe your financial accounts may be compromised, contact your financial institution immediately to take actions to protect your accounts.

Watch for any unauthorized charges to your account.

Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Centre.

rss.livelink.threads-in-node

Security Alert - Phishing Messages via PEXA Community

Security Alert | WeTransfer Email Phishing

Security alert | Scam calls being made to members

Phone and email scammers impersonating the Australian Cyber Security Centre (ACSC)

Stay safe during the holiday period with our best-practice guide

Security alert | Automated or "robo" calls to clients

Data and data breaches | What you need to know

Security webinar | recording and FAQs

PEXA Security Awareness Week – webinar, daily tips and five things PEXA will never do

Five things PEXA will never do | Cyber-security

Security Alert | Fraudulent calls related to PEXA Key

Reduce your cyber-security risk significantly by implementing these simple steps

Security alert | Email phishing communication

Security Alert - WeTransfer Email Phishing

Security Update - High Profile Twitter Accounts Hacked

Security checklists for safe browsing

Security Shorts | Confirming a website is secure

Remote working | Advice on how to keep property transactions safe

Scam Alert - Scammers using COVID-19 to steal information

File Sharing Email Scam - Multi Factor Authentication will help to protect you

(LPLC) Beware the risk that your clients email may have been compromised

Phishing Email Notification

Microsoft Internet Explorer Critical Zero Day Vulnerability

Security Advisory – Citrix Zero Day Vulnerability Alert

Security Advisory - Critical Vulnerability Alert

Reduce your risk of falling victim to cyber attacks

FAQs | Microsoft to cease Windows 7 support by January 2020

Member Security Alert

A web browser, the internet, and PEXA walk into a bar...

Security Shorts - Episode 1

Tips to protect your mobile device & its data

Can you spot the scam? - phishing email

Security Advisory - Vulnerability Alert - "Bluekeep"

Are you using unsupported software?

Phishing.. Is it only emails?

Key indicators of a phishing email. What to look for?

Why does Community need 3rd party trackers to operate full capacity?

Cyber-Criminals, the Modern-Day Con Artists

How to identify duplicate or unsafe websites

Security Advisory - Vulnerability Alert

Why Me? Peter’s patching pickle

Working Outside the Office?

Security Advisory - Vulnerability Alert

Why Me? - Password blunder

Security Advisory - Vulnerability Alert

A Hacker’s Tale – A look behind the curtain #3

Security Advisory - Vulnerability Alert

Ransomware: The profitable business of the cybercrime industry

un-hackable network.

Security alert | phishing e-mail - RESOLVED

Security alert | Phishing e-mail - RESOLVED

A Hacker's Tale - A look behind the curtain #2

A Hacker's tale - A look behind the curtain #1

PEXA Security Initiatives

Stay Smart Online Week

Security alert | Phishing e-mail

PEXA Digital Certificate Software not correctly digitally signed

Member security alert | phone scam

Using your PEXA login credentials and Digital Certificates

Ensure you are the only person who knows your PEXA password

Select different passwords for your email, desktop access and PEXA

Ensure each employee required to sign documents and authorise funds in PEXA has their own Digital Certificate

Ensure no one else has access to your Digital Certificate and PIN

Plan ahead to ensure your business has sufficient coverage to sign in PEXA

Know what to do if you or a staff member move on to a new job

Multi-factor authentication (MFA)

Talking to consumers about the security of e-Conveyancing

Email impersonation fraud – reassurance for Lawcover insured lawyers

Security Advisory - New Malware could be Infecting your Home Modem/Router Devices

Five steps to protect yourself by LPLC

Security Reminder - Confirming client bank details

Phishing Emails... How to stay away from it...

Overseas login to PEXA

Phishing Emails referring to PEXA

How to Spot a Phishing Email

Risky behavior exposing you to a data leakage

From the Law Society of NSW

Security Awareness - Spam Emails

6 Simple Steps for a Stronger Password