About IndikaWimalasiri

Dear Members,   Legal Practitioners Liability Committee (LPLC) recently published an article about an ongoing fraudulent document sharing email circulating among the legal community. They are essentially looking to steal your credentials to login to your email  accounts by tricking you to click on a link. Highly recommend you are taking time to read the publication to increase your awareness and your staff on this matter.   This is a great reminder to implement two factor authentication on your email accounts (for that matter on all the online services you use where 2 factor authentication is offered) which will significantly reduce the risk of falling in to this type of scams.   Access to the LPLC article below or browsing to the LPC website.   FILE SHARING EMAIL SCAM – MULTI-FACTOR AUTHENTICATION WILL HELP PROTECT YOU    Few quick actions you can take to increase your cybersecurity awareness,   1.Take time to assess your online presence and enable two factor authentication on applications 2. Share the LPLC article with your staff and your colleagues in the industry to increase the awareness 3. Print the PDF in the article and leave them where everyone can see them. Example - on a common wall. 4.Generate and build a cyber risk aware culture by creating space for your staff to learn and stay safe about cyber risks and threats.   Thank you ... View more

Dear members,   We are aware of an email phishing attempt targeting PEXA members, asking about the "PEXA Residential Seller Guarantee". Please be vigilant for similar emails and take time to validate before taking any action within emails. I have attached a sample email a member received on 12 February 2020 for your reference.   If you come across any or similar email notifications, please don't click on any links, inform your PDS/PEXA Partner and forward it to security@pexa.com.au.   ---------------------------------- Phishing email capture below   End of image. ----------------------------------   Thank you.   PEXA Security Team ... View more

  This advisory applies to   Microsoft Internet Explorer   Web Browser       What is the new software vulnerability? PEXA Security is aware of a Microsoft Windows Internet Explorer zero day vulnerability which is being attacked by malicious actors and other cyber criminals over the internet. You can be a target of this attack by clicking on a link or opening an attachment sent you by an unknown party or malicious actor. More information on this can be found on the links below   How do I address/mitigate the vulnerability? Currently there is no patch available from Microsoft for this vulnerability. However, they have provided a workaround to protect users from being a target of this attack.   Important - Given the use of malicious websites as part of the vulnerability’s exploitation routine, individual users are encouraged to practice caution when it comes to clicking links, especially those embedded in a suspicious email message.   Do I need to take any action? Reach out to your IT support service team or your regular System Maintenance team about this vulnerability. They may already be aware of this and it would be important to check with them and follow the instructions given.   https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001 https://thehackernews.com/2020/01/internet-explorer-zero-day-attack.html   Thank you. PEXA Security ... View more

  We are aware of a critical zero day vulnerability discovered in the Citrix application.  This vulnerability is still without any permanent fixes and patch is yet to be released by the Citrix vendor.   If you are using Citrix applications (example - for digital signing certificate) described in the article below there is a potential you may be vulnerable.  Your IT team/ support services may already be aware of this and it would be important to check with them and follow the instructions. We recommend you consider implementing the mitigation strategies explained in the advisories below.   https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/   https://support.citrix.com/article/CTX267027   https://support.citrix.com/article/CTX267679   Thank you PEXA Security Team ... View more

  Dear PEXA Community,   This advisory applies to Firefox Web Browser installed on all device types.   What is the new software vulnerability?   New critical vulnerability in the Firefox web browser has been discovered by security researches which is currently being attacked by malicious parties and criminal groups. Attackers could use this vulnerability to gain access to your devices by exploiting the way Firefox browser works on your devices.   Do I need to take any action? Yes. Firefox vendor has released an emergency security update which addresses the vulnerability and has advised everyone who uses Firefox to immediately update to the latest version.   How do I update my Firefox Web Browser? PEXA Security always advise to keep your software, including web browsers, up to date. Please follow the steps below to update your browser,     Open your Firefox Web Browser and Click on the “Menu” and then Click on the “Help"  (As indicated in red colour on the screen capture below)                 2. Click on the “About Firefox”. This will start the update automatically            3.  Make sure version it displays is as same as below highlighted in red text box     PEXA Security recommends members enable automatic updates to make sure in the future, new browser updates are done automatically.     Go to the top right-hand corner “Menu” and click on “Options” from the dropdown menu             2.  Scroll down to the section “Firefox Updates” and tick the “Automatically install updates” check box. This will install updates automatically without any manual intervention in the future.     Thank you. PEXA Security ... View more

Staying safe online has never been more important for individuals and business’ worldwide. In 2018 alone, Australian businesses lost more than $60 million to e-mail scams. It is also estimated that by the end of 2019, cyber-scam losses will exceed $532 million, surpassing half a billion dollars for the first time.    Understandably, it can be difficult to know where to begin to ensure you’re taking the appropriate steps to avoid falling victim to cybercrime. First, it’s important to get the basics right. Below is a checklist of 12 initial steps that you and your business can take to boost your safety while online.     Anti-Virus — As your first line of defence, ensure you have antivirus protection on all of your devices, including mobile devices.   Two Factor Authentication(2FA)    for e-mail  — Most email providers, such as Google and Hotmail, provide 2FA to protect user accounts. This significantly reduces the threat of intrusion by a hacker if your password is compromised, as your account is secured by an additional layer of protection (the passcode that you receive through SMS or the mobile app).   PEXA members must use Multi-factor authentication (MFA)  to access the platform, providing an extra layer of security when logging into your account.    (Note: It is recommended to use an app-based security PIN generator for 2FA, such as Google Authenticator, rather than SMS).  Phishing  — E-mail phishing is the number one avenue used in cybercrime. The typical phishing email will contain a false and/or mimicked story designed to lure you into taking an action such as clicking a link or button in the email or calling a phone number. Learn how to identify a phishing e-mail with the help of this  interactive tool .   Password  — Do not use the same  passwords  on multiple systems. If your password is compromised, then hackers can access all of your other services as well. Use a password manager to maintain your varying passwords or pin codes.   Additionally, instead of passwords, use passphrases. Passphrases can be a minimum of three words combined that are easy to remember with numbers and special characters e.g. UniverseAthletic4!  Use host-based firewalls  — Both Windows and Apple OS offer firewall capability. These are not difficult to set up and easy to follow help videos are easily found online.  Update operating systems and applications  — Operating systems (OS) and application vendors frequently release security updates to address vulnerabilities. We highly recommend you have automatic updates enabled so it all happens in the background without waiting for your intervention.  Review applications  — Spend 5-10 minutes inspecting your system and applications. If there are unwanted applications in your program list, uninstall them. This is because third party apps can contain vulnerabilities that hackers may then exploit.  Email Rules  — Email providers offer the capability to create  rules.  If your email is compromised, there is a possibility that the hacker created rules in your email system to forward mail to a hacker managed email account without you knowing it. Go in to the e-mail rules section of your account and make sure that only the rules you’ve created are present. We recommend you complete this action at least once per month.  If you find that there are rules you have not created, delete these rules before immediately changing your password. Back-up  —   Backing up all of your data  is paramount. Ensure your back up solution is on a separate device and is accessible if you cannot or are denied access to your files’ original location. Removable Storage  — Do you use removable media such as USB drives? If yes, we recommend using a Cloud file storage instead, as removable media is easily corrupted or infected with malware.  Browser Security  — There are a few important tips to remember here, including:  a. Do not save password/passphrases on browsers b. Frequently update your web browsers  c. Lookout for duplicate or unsecure web pages  Social Media and App Privacy/Security settings  – Do you use your social media,  such as Facebook, to access third party services? If so, we highly recommend  you review the privacy settings on your social media apps to determine what it has access to. Again, 2FA is your friend here. Other privacy tips include:            a. Check settings to ensure you're not providing unnecessary access to your information to apps you've installed.           b. Switch off Bluetooth when it’s not being used.            c. Do not connect to Free Wi-Fi access points no matter how secure it claims to be. If you have no option, then use a VPN service to secure your communications.           d. Don’t let others including family members, use your device without your supervision. They may unknowingly click on links and pop-ups which will expose your device to the hackers. Where possible use parental controls.    Finally, maintain your cyber security awareness. A great place to refer to is the Australian governments’ Staysmartonline resource and, of course, PEXA’s dedicated security page on the e-Conveyancing Community.      Indika Wimalasiri   ... View more

  The threat of cyber-attacks are real but there is something you can do about it.      The Australian Government’s Cyber Security Center has released a critical security advisory to individuals and business organizations using older versions of Microsoft Windows operating systems (Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008) to apply security update/upgrade to newer operating system version to avoid being compromised for the vulnerability named as “Bluekeep”.   What is Bluekeep ? Bluekeep is a vulnerability in the Windows operating system’s Remote Desktop Protocol (RDP – service use to connect to another computer/network remotely) which allows an attacker to execute commands to compromise your computer. BlueKeep exploit has the potential to spread in a virus fashion and self-replicate without requiring any user interaction.   An unpatched system gives criminals a front door to break into your computer or network and steal your corporate and customer information. The threat of cyber-attacks are real but there is something you can do about it.   How to protect my systems? It is critical that organisations and individuals operating older versions of Windows systems  immediately install Windows BlueKeep vulnerability patch , available at Microsoft website.   Recommendations   Identify the Computer Systems operating older version of Windows Operating Systems. ( Windows Vista, Windows 7, Windows XP, Server 2003 and Server 2008 operating systems) Confirm you have backup of data available if needed. Apply the updates through Windows Update or manually by downloading it from Microsoft website. Reach out to your IT service support team and ask them to address the Bluekeep if not already.   Mitigation activities until patch is applied.   Practice due diligence and be alerted around what happens in your computer. If any unusual activities observed, engage your IT personnel to look in to it. Avoid using Remote Desktop Services from internet. (If needed use it only over a Virtual Private Network and with multi-factor authentication.) Always keep operating systems and application up to date. Backup your data to a secure location. (Cloud storage/offsite volume)   More Info - https://www.cyber.gov.au/news/update-acsc-confirms-potential-exploitation-bluekeep-vulnerability ... View more

What is phishing and different variants attached to it?   An email appears to come from a someone you trust, such as your bank, online store, credit card company or a popular website. At first it all appears normal, but it will try to trick you in to giving away sensitive information, installing malware on your device or open an attachment while indicating an urgency.   Phishing is one of the easiest and very successful avenue for hackers to gain access to your organization's information. Security researchers say more than 90% of the data breaches worldwide are started with a phishing email. For us to defend against this malicious attack type we need to be able to identify the threat as there are multiple variants of methods used by hackers.           Key indicators of a phishing email. What to look for? Article below showcase what you need to look for in an email to make sure it is not part of a phishing campaign. This will help to increase your awareness both in and out of work place.     Thank you.   - Indika Wimalasiri -       ... View more

Con artists have been constant figures throughout our society’s evolution. From ‘short-cons’, like the Three-Card Monte to ‘long-cons’, when Victor Lustig sold the Eiffel Tower as scrap metal back in 1925. They use their smarts and charisma to gain the trust of unexpectant victims, all for financial gain. Over the past 20-30 years, the world has evolved dramatically, with advances in technology taking precedence. This has given rise to the modern-day con artist; hackers or cyber-criminals. Since the emergence of e-mail, it has been one of the most prominent and successful mediums for fraud world-wide, including the conveyancing industry; as an entry way to more elaborate scams. For us, the every-day person, employee or business owner, it is essential that we are aware of the real risks of cyber-crime. The following scenario is one example of a hacker at large, trying to ‘con’ their way into the conveyancing industry with a duplicate website.   The Hacker Elliot has been dabbling in cyber-crime for some time. It’s quite a lucrative career – if you know what you’re doing – which he and his team do. He is involved in penetrating computer systems, collecting passwords and then selling them to other cyber-criminals for profit.  However, this time, Elliott decided to do something more elaborate than simply selling these credentials.   “One of these usernames and passwords has landed me a gold-mine. I noticed a few ‘PEXA’ e-mails in this person’s inbox. I did my research and figured it could be a big win for the team. The username and password I have doesn’t match his PEXA account, but I have another way in. The team and I set about duplicating the PEXA login page. In the end it looked almost identical to the original and we placed it on a hosting service based in Belize. Next step, we sent the link via a duplicate PEXA e-mail and waited for our victim, Barry, to enter his details into the fake website. Once we capture his credentials, we’ll have easy access to his account, and his client’s money! The Victim Barry’s firm keeps its staff up-to-date with the latest cyber-security trends. They complete security awareness training to maintain the firm's security posture and the integrity of its service. Barry considers himself to be security-savvy, so he had no worries that morning when he opened his inbox.   “I scrolled through my e-mails and noticed a PEXA workspace notification which I opened straight away. I have a million-dollar settlement today and want it to go smoothly. I clicked on the link in the e-mail and instantly thought twice about my decision – it’s unusual for any company to send you a link to their login page. However, the PEXA login page looks legitimate. Although, before I progress any further, I’d better ensure the web page is secure… I look up at the address bar to check for a padlock symbol – no joy. Instead there’s a red triangle with a white exclamation mark inside. Next, I check the URL begins with ‘https’. It didn’t - Oh no! I exit the page immediately and sigh a breath of relief that I hadn’t entered my credentials into the page. I’d better let PEXA know, other practitioners might not check the website’s security level…”   The Hacker On the other side of the world, Elliot checks if Barry has fallen for his scam.   “It looks like Barry is more tech-savvy than we expected. He didn’t enter his details into our fake website. But not to worry, we’ve sent it to multiple others in his industry. Someone is bound to fall for it. Hold on. The website has been removed, Barry must have also informed PEXA. **bleep** it, all that time and money wasted…”  Elliot and his team quickly bounce back from their failed website scam and start planning their next con. “We didn’t fool them this time, but wait until they see what else we have up our sleeves…”       To learn more about how to identify duplicate websites, please refer to the article " How to identify duplicate or unsafe websites"   ... View more

It’s important to be aware of how to identify a duplicate or unsafe website. You can easily check the security certificate beside the web address (URL). You’ll see one of the following three symbols.     Tips If a website does not display the first symbol above (padlock), this confirms that it is not secure and everything you do is susceptible to a cyber-attack. We recommend you close the browser without completing any further actions such as inserting your login credentials etc. Check if the address begins with "https” (not "http)". This will be another indicator of a website’s security level. If you see "http", this means that there is no encryption in place, and information you provide on that page is at risk of being seen by unauthorized personnel.   If you’d like more information about website safety or other aspects of cyber security, the Australian Government’s Stay Safe Online website provides practical tips to assist everyone in staying secure while online.    Regards, Indika Wimalasiri (PEXA Security Team) ... View more

Dear PEXA Community, This advisory applies to Microsoft Outlook App installed on Android devices. New vulnerability in the Microsoft Outlook App for Android has been discovered. Attackers could use this vulnerability to gain access to your emails and phone by inviting you to click on a crafted link. Microsoft has released an update to its Outlook app through the Android Google Play Store. PEXA Security advises its members using Outlook app for emails on Android devices to update the app at your earliest window.   How do I get the update for Outlook for Android? 1. Tap the Google Play icon on your home screen. 2. Swipe in from the left edge of the screen. 3. Tap My apps & games. 4. Tap the Update box next to the Outlook app.   Note - Security always recommends keeping your mobile device OS and Apps up to-date by applying updates as soon as they are available.   PEXA Security Team   ... View more

  Dear PEXA Community,   This security vulnerability notice only applies to members using an ASUS branded laptop device.   Security researchers have discovered a critical vulnerability with ASUS laptop computers relating to its “Live Update” software component. Live Update is functionality on ASUS laptop computers that keeps your ASUS laptop software up-to-date .   As a user, you are required to update the “Live Update” software component to Version 3.6.8 or higher at your earliest window to ensure your device is secure.   The article linked below, published by the vendor, outlines the steps you are required follow to make your device secure. To ensure your device is safe please follow the details here.   PEXA recommends you reach out to your IT Support team/provider if you require further assistance in addressing this security issue.   PEXA Security Team ... View more

Dear PEXA Community,   High severity vulnerability has been discovered in the Google Chrome Internet browser. Attackers can use this unpatched vulnerability to steal information from your computer. Google has issued an update to the Chrome Internet browser to address the vulnerability. PEXA Security strongly recommend PEXA members check the version of the Chrome browser used and make sure it is up to date.    Please follow the steps and figure shown below.   Open Chrome browser -> Click on settings -> Help -> Click on “About Google Chrome” Check your version number to make sure it’s 72.0.3626.121 or later.   PEXA Security Team ... View more

This week is # StaySmartOnline Week. The campaign aims to reverse the threat of cyber-crime by empowering people to discuss and own their cyber-security. Over the next few days we’ll be sharing a number of best-practice resources to assist you, here on Community and on PEXA's social channels.   ... View more

Security Advisory   Every now and again we come across security issues that can impact you at home. There is one that is making some noise in the security world. The new virus/malware discovered can infect your home or small business router (the box that connects to the Internet). It’s called “VPNFilter” and the estimated number of infected devices is around 500,000; in at least 54 countries.   Read on to see if this affects your internet box (router/modem) and what to do to protect yourself.           1. How does this affect you? If you have a router/modem from the following companies, it’s suggested you review your vendor’s update steps. Vendor Action to take Telstra No action – Telstra reports that your modem is updated automatically Linksys Follow the vendor directions Netgear Follow the vendor directions MikroTik Follow the vendor directions TP-Link (TP-R600VPN model only) Follow the vendor directions QNAP Systems Follow the vendor directions            2. Can I learn more about the VPNFilter issue? If you would like to get into the details, follow this link (https://blog.talosintelligence.com/2018/05/VPNFilter.html)          3. Is there anything we can do to be secure? A few helpful tips to keep your home devices secure are: Always change the default password. Put a password on your home wireless network. Use a strong password with at least 8 characters, a combination of upper and lower case, include numbers and special characters such as @, #,and !. Use a different password on your PC, to your email, to your work, and so on. Make sure you update your software regularly so that security patching occurs.   If you still have questions, email security@pexa.com.au ... View more

Dear Members,   Below is an example of an actual phishing email for awareness purposes. Please take a moment to look at the pointers to understand how you can be misguided by a hacker. Being on top of this can help you to stay safe online. Remember, one click is all that matters to open the door to whole new level of issues.       Here are few helpful steps and questions to try/ask yourselves before clicking on any suspicious/unknown email. Reputable & legitimate organizations:   Don't request your sensitive information via email - Legitimate organisations do not send you emails asking you to download certain content e.g. utility bills, gift card link etc. or request you to verify your account details by clicking on a link.   Don't call or address you by a common greeting - Most of the time it will not include generic greetings e.g. "PayPal User", unless it’s advisory and openly available information.   Have their own email domains - Don't just look at the person's name sending the email. Check the full email address including the domain to make sure it is actually from the organisation represented, as most of the time they'll have their own domain. Hover your mouse over the email to verify this and make sure there's no additional numbers or special characters attached to the address. If there are, it is most likely a phishing e-mail.    Don't make grammatical errors - Spelling mistakes and bad grammar are key giveaways that it's phishing.   Don’t force you to their website - Most of the phishing emails contain multiple hyperlinks to maximize their chances of you clicking on one of them.   Don't send unsolicited attachments in the emails - Attractive attachment headings are another giveaway that it is a phishing scam. Another common case is utility bills or any other public event happening around the same time. Scammers use these events or news items to grab your attention and potentially to get you click on the links.   Send legitimate URLs - It may look like it is but it may send you somewhere else. Hover your mouse on the link (do not click) to check the link is actually legitimate and does not represent a different suspicious name. Always type the URL into your browser rather than using links on emails if you want to access the website. Don’t trust the email, instead call the sender to validate the request.   I clicked on it... Now what happens?   If you click on a phishing link accidentally, it does certain actions behind the scenes which you cannot see. These actions could be anything from a simple add popup on your screen to a stealing of your personal/customer data. So, if you fall into this category, speak up and seek help by contacting your internal security professionals or IT partners. Sending phishing emails and inviting people to click on these links are by far the most successful way for organisations to experience data breaches.     if you find any phishing/spam material referring to PEXA, please forward it to security@pexa.com.au     ... View more

Dear Members,   Forwarding suspicious emails to security@pexa.com.au   We have made changes to our security configurations when you forward a phishing/suspicious email to PEXA via security@pexa.com.au Previously when you forward an email to security@pexa.com.au with potential malicious content it denied successful delivery and often you would have received a delivery fail/bounce back message. But not any more.... Now you can click the forward button on the actual malicious/phishing email and send directly to us via security@pexa.com.au without the email being blocked.   It is important members forward us the actual email to PEXA instead of trying to send it as PDF or a Screenshot of the email.      Thank You.   PEXA Cyber Security Team       ... View more

How to Spot a Phishing Email    The typical phishing email will contain a concocted story designed to lure you into taking an action such as clicking a link or button in the email or calling a phone number. In an email, there will be links or buttons that take you to a fraudulent website. The fraudulent website will also mimic the appearance of a popular website or company (in this case PEXA). The scam site will present you almost identical login page looks like PEXA waiting for you to login with your actual PEXA login credentials. Where malicious party able to collect your credentials and then they can re-use this to login to PEXA or sell them on the internet. If you felt you have accidentally just did that then your next best option to change the PEXA password immediately.   How to Protect Yourselves? Whenever you get an email about your PEXA account, or a workspace needs action the safest and easiest course of action is to open a new browser, type https://www.pexa.com.au/ OR https://workspaces.pexa.com.au , and log in to your PEXA account directly. Also you can call your known contact which appears to be sent the email to validate. Do not click on any link in an email that requests personal information.   How to report a phishing email ? Follow these steps:   Forward the entire email to security@pexa.com.au .  (Refer to "How to forward a phishing email to PEXA") Do not alter the subject line OR forward the message as an attachment. Delete the suspicious email from your email account. We’ll let you know quickly if the email is legitimate. Your vigilance helps protect other PEXA users.   A genuine PEXA email will never ask you for Credit and debit card numbers      Bank account numbers Driver's license numbers Email addresses Passwords Your full name Further steps to protect you from Phishing   Monitor your PEXA account. Check your account periodically for suspicious activity. If you notice unauthorized use, report it to us. Be smart about your password.Change passwords often and use unique passwords that include letters, numbers, and symbols. Keep security software current. Update your firewalls and security patches frequently.           Below is an identical looking malicious PEXA website.   ---  END --- ... View more

Risky behavior exposing you to data leakage   Here’s an simple opportunity to check whether you’re exposed to data leakage.   Do you find yourself guilty of the following?   I don’t keep my software (apps, browsers, etc.) and my operating system up to date by installing updates as soon as they’re released. I don’t use antivirus and additional layers of security that can protect me against second-generation malware. I don’t pay attention to password security and I reuse passwords. I use public Wi-Fi networks for online banking and online shopping. I frequently share personal details on social media or in emails. I don’t use two-factor authentication. I don’t have anything to hide or nothing valuable that cyber criminals may want. I open emails from unknown senders. (Remember your emails have pretty much the full digital print of your life. You have your Driver’s License, Passport, Bank Account details sent to an authority or another business. Don’t you?) I download and open attachments from unknown senders. I am just a small business and no one is interested in what I do.   This is not meant to be an incriminatory interrogatory, but rather a way to evaluate your own cyber security practices. You may find out that your online safety measures are inadequate, but that doesn’t mean you can’t make a change for the better. ... View more