Looking out for suspicious links in Kerika

We had some incidents recently where hackers stole the Microsoft credentials from some folks in Europe and North America (there’s been a lot of that lately), and then used these stolen credentials to sign up as Kerika users.

Once they signed up, they created Whiteboards that were made to look like they included official links from Microsoft to download documents. Here’s what one of them looked like (we have obscured some information):


The link in the image shown above led to a phishing site where people might inadvertently enter their Microsoft credentials in order to read this document, which would have looked like it came from a Kerika board that was owned by a trusted colleague.

To make this more convincing, they used a very old feature of Kerika’s Whiteboards that’s called VIEW AS WEBPAGE:


This feature was originally built to help nonprofits and open-source teams share their work with people who weren’t Kerika users: the Board Admin could create an ordinary Web page that contained everything that was on the Whiteboard. This page was then sent to the contacts of the person whose credentials were stolen.

To deal with this, we have made some important security updates throughout the Kerika app, on the desktop and on mobile devices:

  • Whenever you add a link to any task (card), chat, board, or canvas in Kerika, we will check if that link is known to be suspicious or malicious.
    If so, you will be warned, and Kerika’s security team will be informed immediately. Your account will then be monitored to see if this behaviour continues.
  • Whenever you click on any link anywhere inside the Kerika app, we will check again if that link is known to be suspicious or malicious, and will warn you if that’s the case.
    Please take this warning seriously!

We have disabled the VIEW AS WEBPAGE feature for Whiteboards while we evaluate the results of these security improvements. Once we feel confident we have dealt with this situation we will consider re-enabling that feature. (Let us know if this feature is important to you.)

We are using Google’s Web Risk service to help screen URLs entered by our users. Google has been dealing with malicious websites since they started, and we think they have some great resources that we can leverage to improve security for our own users.
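As an illustration of the kind of screening described above (link added to a card or chat, looked up against Google Web Risk, flagged links reported back), here is an added example in Python. It is not Kerika’s code; it assumes the public Web Risk Lookup API endpoint and an API key, and the two sample URLs and their canned responses are constructed so the demo runs offline.

```python
"""Screen user-submitted links against the Google Web Risk Lookup API."""
import json
import re
import urllib.parse
import urllib.request

WEB_RISK_LOOKUP = "https://webrisk.googleapis.com/v1/uris:search"
THREAT_TYPES = ("MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def extract_links(text):
    """Return http(s) URLs found in a card, chat message or canvas note."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def build_lookup_url(uri, api_key):
    """Build the Lookup API request; threatTypes is a repeated query parameter."""
    params = [("threatTypes", t) for t in THREAT_TYPES] + [("uri", uri), ("key", api_key)]
    return WEB_RISK_LOOKUP + "?" + urllib.parse.urlencode(params)


def parse_lookup_response(body):
    """Return the flagged threat types; an empty JSON object means 'not listed'."""
    data = json.loads(body) if body.strip() else {}
    return list(data.get("threat", {}).get("threatTypes", []))


def lookup_live(uri, api_key):
    """Query Web Risk over the network (the offline demo below uses canned data)."""
    with urllib.request.urlopen(build_lookup_url(uri, api_key), timeout=5) as resp:
        return resp.read().decode()


def screen_text(text, fetch):
    """Screen every link in text; fetch(uri) returns the raw Web Risk response body.
    Returns {url: [threat types]} for flagged links only, so the caller can warn the
    user and notify the security team."""
    flagged = {}
    for url in extract_links(text):
        threats = parse_lookup_response(fetch(url))
        if threats:
            flagged[url] = threats
    return flagged


# Constructed sample responses standing in for the live API (reserved test domains).
FAKE_RESPONSES = {
    "https://example.com/report.pdf": "{}",
    "https://example.test/login": json.dumps(
        {"threat": {"threatTypes": ["SOCIAL_ENGINEERING"], "expireTime": "2024-01-01T00:00:00Z"}}),
}


def demo():
    """Screen a constructed chat message using the canned responses."""
    note = "Please review https://example.com/report.pdf, then sign in at https://example.test/login."
    return screen_text(note, lambda u: FAKE_RESPONSES.get(u, "{}"))


if __name__ == "__main__":
    print(demo())
```

Because the Lookup API returns an empty object for unlisted URLs, treat a parse result of no threat types as "not known to be bad" rather than "safe"; a freshly registered phishing site may not be listed yet.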
