Security researchers unveiled a still-ongoing mass credit card stealing campaign, which started collecting data from unsuspecting online shoppers sometime in October 2018.
The target of this campaign was a pool of over 100 online shops, all of them otherwise deemed legitimate and trustworthy. Six of the targeted websites were even listed in the one million websites Alexa Top.
Moving forward with reporting on this, we’ll dub the mass credit card stealing campaign Magento Analytics, since that’s the name of the domain used for injecting malicious scripts into the code of the online shops.
How Does the Magento Analytics Mass Credit Card Stealing Campaign Operate?
The domain magento-analytics.com was first picked up by the radars of cybersecurity researchers back in October 2018, when they noticed something seemed off about it. Even though the traffic was pretty low, there seemed no purpose to the domain and its traffic was increasingly stealthily, via other portals.
Thor Foresight makes sure that link is safe!
Your parents and friends will click any suspicious link, so make sure they're protected.
Thor Foresight provides:
Automatic and silent software updatesSmart protection against malwareCompatibility with any traditional antivirus.
The name seemed innocent enough at a first glance. Magento is a major e-commerce platform and its engine is used by countless online shops around the world. It would make sense for something called Magento Analytics to be spotted running through these websites from time to time. But the domain didn’t actually contain anything if you tried to access it directly.
Another dubious thing which tipped off the security researchers who looked into it was the fact that the registration address & IPs for the domain was ever changing. While initially the magento-analytics.com domain was registered in Panama, the IP from which it was operating changed a lot. Initially, it seemed to be located in Arizona, US, but then it moved to Moscow, Russia for a while, before heading to Hong Kong, China. This alone warranted a second look from the cybersecurity researchers on the case.
But shifting IPs were not the only thing wrong with this domain, by far. While the domain itself returns just a 430 error page if you try to access it directly (not recommended, though), the researchers were seeing various pages (sub-domains) of the domain with nothing meaningful on them, either. Instead, all of these contained JS scripts.
Through continuous traffic monitoring, the security researchers realized that the Magento Analytics was actually injecting these malicious scripts into the code of 3rd party websites. These websites (online shops) had no idea that the Magento Analytics mass credit card stealing campaign was actually collecting the credit card info of their users.
As soon as the JS code is loaded, a timer is set and the TrySend function is called every 500ms. This function attempts to try to get input data from credit cards
What Were the Losses Incurred by the Magento Analytics Malware Campaign?
Data revealed by the security researchers showed that the TrySend function called by the JS scripts collected the following information from users: card number, name of the cardholder, expiry date, and the CVV code. Basically, it’s everything a hacker would need in order to steal your money afterward.
For now, no one came through to complain explicitly about losing money to the Magento Analytics campaign. But this doesn’t mean that there have been no losses yet. Most likely, the losses were small, or the legitimate card owners managed to annul the transactions, or they just haven’t been able to connect the loss with this particular campaign yet.
We will keep you updated on reports about the losses incurred through Magento Analytics as more is revealed.
The scary part about the Magento Analytics mass credit card stealing campaign is precisely the fact that the injected JS codes weren’t even that sophisticated. All in all, it amounts at a pretty rudimentary online scam. It just shows how disastrous it can be for online stores to allow security holes in their systems, since there will always be malicious 3rd parties interested in exploiting them.
If you liked this post, you will enjoy our newsletter.
Receive new articles directly in your inbox
Data provided in this analysis was obtained by Netlab 360.
This question is not asked just by regular users confused by the “techno-babble” or enraged by information leaks.
It’s also increasingly asked by business owners, analysts, journalists and even the people involved in securing information, whether sysadmins for small companies or even high-level executives in multinational organizations.
This is why we thought to go straight to the source to find the best responses. Last time, we asked specialists to say whether they think that Internet security is a losing battle or not and their responses were memorable. Today, we asked highly accomplished cybersecurity experts from various infosec fields another tricky question and they were gracious enough to provide their insights.
If you’re a regular user angry at your data being exposed to various leaks and cyber attacks, you will get a behind-the-scenes look at the reasons why these incidents happen. If you’re someone involved in handling customers’ data, these perspectives will prove to be just as illuminating.
We wanted to provide you valuable, often hard to find perspectives. We managed to make a great start to answer a simple-looking, but an actually difficult and ramified question.
Why can’t cybersecurity be simpler?
Use the links below to quickly navigate the experts’ replies.
Brent is a Senior Security Consultant at NTT Security and the founder of the Nashville DEF CON group. He can be found at We Hack People, a website dedicated to red team and social engineering assessments.
Security isn’t a convenience because it requires being careful and demands that users be diligent to take extra steps to follow rules.
I focus on social engineering and physical security and see this come in to play on a regular basis when a company hires me to break into their buildings.
For example, tailgating (piggybacking) is one of the most common ways that I gain unauthorized access to a business.
This could be mitigated if employees followed their security awareness training and made sure that everyone who entered was scanning their badge, and that the badge being scanned was valid.
However, this takes time and requires people who are already focused on their own paths and agendas to slow down and be more aware of their surroundings.
Asking them to change their thought process and to “validate” each person coming in the door isn’t something that’s going to happen overnight.
You also have the human kindness factor that is innate in most of us, where we naturally want to help out someone in need.
This is easily exploited by a social engineer in many ways, whether it’s pretending to need help opening the door because their arms are full, or the social engineer can simply tailgate in, be in an “argument” on the phone (making the situation uncomfortable on purpose).
People will want to avoid a potential confrontation with someone who already appears to be upset about something.
Once an attacker has physical access to data, it’s pretty much “game over”.
Full #redteam assessments are a good way to consistently check the level of awareness and response within an organization. Click To Tweet
Companies need to go beyond the required annual “security awareness” training PowerPoints if they want to get serious about addressing these issues.
Regular drills such as internal phishing campaigns, testing unauthorized entry, and even full red team assessments are a good way to consistently check the level of awareness and response within an organization.
Employees should be incentivized to find and report something, and have a clear path of how and who to report incidents to in a way that is easy and convenient for them.
It’s very difficult to incorporate a security mindset 100% into the culture of a company. But, when it’s done correctly, it can be a very effective countermeasure against potential threats.
Security can be simple, but it won’t ever be because business is not simple. And humans are not simple. And security today is in some malevolent Venn diagram right in the damn center of what can only be described for 80% (ish) of the GNP of a country as the small-medium business/enterprise (SMB/SME in the EU UK) security nightmare.
It’s not easy being profitable and everyone from the governments to the regulators (hackers in suits) to the cyber criminals (hackers in hoodies) is out to attack the hard work of organizations which strive to make an honest living.
I’m a cybersecurity Captain Willard.
“I was going to the worst cyber security situation in the world and I didn’t even know it yet. Weeks away and hundreds of dollars/pounds/euros spent on a security project that snaked through the compliance regulations like a main circuit cable plugged straight into the businesses cybersecurity posture. It was no accident that I got to be the caretaker of a business’s cybersecurity any more than being back in some SANS certification course was an accident. There is no way to tell the businesses’ cybersecurity story without telling my own. And if that business story is really a confession, then this may be my own as well.”
That’s where we are today. Most businesses are scared of an existential threat from criminal hackers (or regulatory authorities) and are turning to security vendors and consultants to solve their security problem.
The reality is: the problem is cultural and societal.
We sacrifice #security for convenience and we consistently place profit in front of pragmatism. Click To Tweet
We reward efficiency over good decision making, we sacrifice security for convenience and we consistently place profit in front of pragmatism.
Cybersecurity is complicated because life is complicated and there is no perfection. We can’t be a hundred percent secure – so the rhetoric and fear monger of vendors and security professionals has given in to a feeling of helplessness and disparity among the 80%.
If this short essay strikes you as incoherent, it only matches the vast majority of SMB/SME firms approaches to cybersecurity: cybersecurity perfection is not attainable.
Attempting to apply the binary model of security and compliance to the “grayness” of business, life and society only ends in disappointment.
If this is dystopian view makes you angry or causes you discomfort – good, do something about it – change the security culture, change the business world.
It may never be simple, but you may be able to keep the doors open.
Isaac is the founder and CEO of Teramind, an employee monitoring, and insider threat prevention platform that detects, records, and prevents malicious user behavior. He can be reached at firstname.lastname@example.org.
As much as we wish life to be straightforward and simple, reality seems to tell us a different story.
The reality around security is it feels complicated, dynamic and perpetually a ‘catch up’ game in keeping company data secure.
With new technologies advances like the internet of things (IoT), the security landscape becomes more intertangled, and companies find themselves with new vulnerabilities and ‘patching’ new security holes in their IT infrastructure.
With many moving parts, it’s not a surprise that the traditional approach to a security plan doesn’t seem possible.
In my opinion, the best way to prepare for the future is to move from a protection to a prevention security mindset.
This progressive strategy looks at data security in ‘real time’ meaning security isn’t viewed as an afterthought, rather it’s using data, monitoring, and analytics to anticipate security breaches and adapt quickly to changing security landscapes.
#Teramind: The best way to prepare for the future is to move from a protection to a prevention security mindset. Click To Tweet
Joe is a Senior Security Analyst at Bishop Fox. His thoughts on infosec can be found here.
First, there is an accelerating rate of change and complexity in systems.
Driven by market forces to deliver more features and derive more value, new technologies are invented every day, and old technologies are being leveraged in new and interesting ways.
Second, there has been historically strong pressure to maintain backward compatibility to the point that the foundation of newer technologies is built on legacy systems riddled with security defects that can never be fixed.
Ultimately I think the increasing pace of “what CAN we do” has overshadowed the fundamental question of “what SHOULD we do”, leaving the question of “what can we do SAFELY” unasked.
The foundation of newer technologies is built on legacy systems riddled with security defects that can never be fixed. #securitychallenges Click To Tweet
John is a cybersecurity and privacy enthusiast, working as an analyst for TheBestVPN. He can be reached on Twitter.
That’s the average cost of one cyber hacker who penetrates your security and wrecks havoc on your business.
Online security isn’t just a matter of protecting your website’s IP address. You are protecting your customers from identity theft and your business from a lawsuit.
Of course, those are just two examples of potential damage. Hackers intent on disrupting your business for their own gain won’t stop at mere annoyance. They’ll do everything they can to harm your website and take what they want.
That’s the average cost of one cyber hacker who penetrates your security and wrecks havoc on your business? $3.8 million. #cybersecurity Click To Tweet
Sadly, they’re pretty good at their work. Extremely good.
There’s no shortage of high-ranking companies who’ve fallen victim to a website breach, like Verizon Wireless or Virgin America. All of those hacks damage not only the business but even worse, they damage customer’s privacy even more.
Which further means that you, as a business, don’t just lose the public’s trust, you lose previously loyal customers.
From restore points and network monitoring to firewalls and malware scanning, each integration protects your business and, more importantly, your customers.
Prioritizing simplicity over thorough security is a mission-critical mistake. One that CEOs from bigger companies who’ve fallen victim will tell you not to make.
Peter Buttler is a cybersecurity journalist and a tech reporter. He is the security consultant at PrivacyEnd. You can follow him on Twitter.
Security isn’t an accommodation since it requires being cautious and demands clients to be persistent about finding a way to look after weaknesses.
Cyber-security is complex in light of the fact that our life is never 100% perfect.
We can’t be a hundred percent secure – so the talk of security experts has yielded to a sentiment weakness among the 70%.
With new innovations like IoT, the security scene turns out to be more complicated, and organizations end up with new vulnerabilities and ‘fixing’ new security flaws in their IT foundation.
Driven by advertising powers to convey more highlights and determine more esteem, new technologies are designed each day, and old technologies are being utilized in new and fascinating ways.
From re-establishing indicates and organizing monitor firewalls and malware filtering, every coordination in cybersecurity protects your business and most importantly your clients.
Security isn’t an accommodation since it requires being cautious and demands clients to be persistent about finding a way to look after weaknesses.
Let’s state the obvious: the Internet is always changing. Everyday new technology is created while our current technology systems continue to evolve. The cyberworld, in itself, is a complex system; technology companies are creating new systems and features faster than ever before.
However, this “need for speed” approach is not always benefiting the client and/or business at hand. With the ever-changing landscape of the Internet, cyber attacks are becoming more frequent. Hackers are exploiting the cyber-security shortcuts taken by businesses needing to be the “first to adapt.”
By the time the business implements cybersecurity measures, the cyber attack has already happened, and the hackers have moved on. Cybersecurity is like a massive game of Cat & Mouse meets Whac-A-Mole—once you fix one issue, another pops up. No matter how secure your system is one minute, the next, it can be under attack.
To top it all off, there is a shortage of cybersecurity professionals. As we look to the future of the Internet, we must consider the players involved. While we encourage innovation in the fields of software development, we need to do the same in the realm of cybersecurity. After all, we, as individuals, are relying on technology more than ever to keep us safe – but who is going to keep us safe from our technology?
Thankfully, some businesses understand cybersecurity and its complexity. Let’s all hope businesses, small and large, are utilizing them (for all our sakes).
Harsh is the founder and CEO of an award-winning blog known as “ShoutMeLoud”. He`s an engineer by education and a blogger by profession. You can reach him on Twitter.
Some guys think that cybersecurity is as simple as affiliate marketing or blogging. After all, it’s just about providing safe methods for internet users to complete their online activities, right?
Well, not quite.
With more and more hackers trying to get hold of sensitive information and finding new, advanced ways to do it, you can never be at ease. It is crucial that people understand no one is safe, especially if they handle their personal information carelessly.
But even if users and companies do take care of the data, unfortunately, a breach occasionally happens.
I mean, do you really think that Equifax, Target, and so many other companies wouldn’t do anything to prevent the scandals that have happened in the past years?
It has to be complicated because the world wide web is such a complicated realm, nothing like people have ever known before.
So, it all boils down to being constantly on guard and finding new and innovative ways to be one step ahead of hackers and frauds.
We would like to thank all the people who participated in this expert roundup for taking the time to answer this question and provide the community with some necessary insights into the fascinating world of cybersecurity.
Do you have another perspective on why security is too complicated? Are you from a different background or feel the need to add to the topic?
We plan to keep this column updated, so if you want to contribute, drop us a line and let’s talk!
#cybersecurity is too complicated? See what the specialists think or answer yourself! Click To Tweet
If you liked this post, you will enjoy our newsletter.
We truly want to believe that the Internet is a safe place where you can’t fall for all types of online scams, but it’s always a good reminder to do a “reality check”. We, humans, can become an easy target for malicious actors who want to steal our most valuable personal data.
Criminal minds can reach these days further than before, into our private lives, our homes and work offices. And there is little we can do about it. Attack tactics and tools vary from traditional attack vectors, which use malicious software and vulnerabilities present in almost all the programs and apps (even in the popular Windows operating systems), to ingenious phishing scams deployed from unexpected regions of the world, where justice can’t easily reach out to catch the eventual perpetrators.
According to a report from the Federal Trade Commission (FTC), millennials are particularly more vulnerable to online scams than seniors, as shocking as it may seem. The research finds that “40 percent of adults age 20-29 who have reported fraud ended up losing money in a fraud case”.
More than one third of all security incidents start with phishing emails or malicious attachments sent to company employees, according to a new report from F-Secure.
Phishing scams continue to evolve and be a significant online threat for both users and organizations that could see their valuable data in the hands of malicious actors.
The effects of phishing attacks can be daunting, so it is essential to stay safe and learn how to detect and prevent these attacks.
Phishing scams are based on communication made via email or on social networks. In many cases, cyber criminals will send users messages/emails by trying to trick them into providing them valuable and sensitive data ( login credentials – from bank account, social network, work account, cloud storage) that can prove to be valuable for them.
Moreover, these emails will seem to come from an official source (like bank institutions or any other financial authority, legitime companies or social networks representatives for users.)
This way, they’ll use social engineering techniques by convincing you to click on a specific (and) malicious link and access a website that looks legit, but it’s actually controlled by them. You will be redirect to a fake login access page that resembles the real website. If you’re not paying attention, you might end up giving your login credentials and other personal information.
We’ve seen many spam email campaigns in which phishing were the main attack vector for malicious criminals used to spread financial and data stealing malware.
In order for their success rate to grow, scammers create a sense of urgency. They’ll tell you a frightening story of how your bank account is under threat and how you really need to access as soon as possible a site where you must insert your credentials in order to confirm your identity or your account.
After you fill in your online banking credentials, cyber criminals use them to breach your real bank account or to sell them on the dark web to other interested parties.
Here’s an example of a sophisticated email scam making the rounds that you should be very careful.
Probably one of the oldest and most popular Internet scam used mostly by a member of a Nigerian family with wealth to trick different people. It is also known as “Nigerian 419”, and named after the section of Nigeria’s Criminal Code which banned the practice.
A typical Nigerian scam involves an emotional email, letter, text message or social networking message coming from a scammer (which can be an official government member, a businessman or a member of a very wealthy family member – usually a woman) who asks you to give help in retrieving a large sum of money from a bank, paying initially small fees for papers and legal matters. In exchange for your help, they promise you a very large sum of money.
They will be persistent and ask you to pay more and more money for additional services, such as transactions or transfer costs. You’ll even receive papers that are supposed to make you believe that it’s all for real. In the end, you are left broke and without any of the promised money.
Whether it’s Christmas or Easter, we all get all kind of holiday greeting cards in our email inbox that seem to be coming from a friend or someone we care.
Greeting card scams are another old Internet scams used by malicious actors to inject malware and harvest users’ most valuable data.
If you open such an email and click on the card, you usually end up with malicious software that is being downloaded and installed on your operating system. The malware may be an annoying program that will launch pop-ups with ads, unexpected windows all over the screen.
People can be easily scammed by “too good to be true” bank offers that might guarantee large amounts of money and have already been pre-approved by the bank. If such an incredible pre-approved loan is offered to you, ask yourself:
“How is it possible for a bank to offer you such a large sum of money without even checking and analyzing your financial situation?”
Though it may seem unlikely for people to get trapped by this scam, there’s still a big number of people who lost money by paying the “mandatory” processing fees required by the scammers.
Here are 9 warning signs and sneaky tactics to watch out and avoid becoming a business loan scam.
As regards to credit card scams, a recent report from the Identity Theft Resources Center said that the number of credit and debit card breaches have been on the rise last year. To better safeguard your data and prevent thieves from getting access to your payment card details, consider:
Watching your accounts closely and monitor your online transactions;
Taking advantage of free consumer protection services;
This is another classic Internet scam which doesn’t seem to get old. A lottery scam comes as an email message informing you that you won a huge amount of money and, in order to claim your prize or winnings, you need to pay some small fees.
Lucky you, right?! It doesn’t even matter that you don’t recall ever purchasing lottery tickets.
Since it addresses some of our wildest fantasies, such as quitting our jobs and living off the fortune for the rest of our lives, without ever having to work again, our imagination falls prey easily to amazing scenarios someone can only dream of.
But the dream ends as soon as you realize you have been just another scam victim. DO NOT fall for this online scam and have a look at this checklist to see if you are getting scammed.
One of the most frequent Internet scams you can meet online is the “hitman” extortion attempt. Cyber criminals will send you an email threatening to extort money from you. This type of online scam may come in various forms, such as the one threatening that they will kidnap a family member unless a ransom is paid in a time frame provided by the scammers.
To create the appearance of a real danger, the message is filled with details from the victim’s life, collected from an online account, a personal blog or from a social network account.
That’s why it’s not safe to provide any sensitive or personal information about you on social media channels. It might seem like a safe and private place, where you’re only surrounded by friends, but in reality you can never know for sure who’s watching you.
As the Internet plays an important role in our social lives, with apps like Facebook or Instagram we access everyday, it’s inevitable to use apps to look for love as well.
Online dating apps are very popular these days and they are a great way to meet your future life partners. I have actually an example with a friend of mine who was lucky enough to find her future husband on a dating site.
But not all scenarios have a “happy end” like this one, and you need to be very careful, because you never know who can you meet.
A romance scam usually takes place on social dating networks, like Facebook, or by sending a simple email to the potential target, and affect thousands of victims from all over the world.
The male scammers are often located in West Africa, while the female scammers are mostly from the eastern parts of Europe.
Cyber criminals have abused this scamming method for years by using the online dating services. They improved their approach just by testing the potential victims’ reactions.
According to a research published in the British Journal of Criminology last month, the techniques (and psychological methods) used by scammers in online romance scams are similar with those used in the domestic violence cases.
To avoid becoming a victim of these Internet scams, you need to learn how to better protect yourself.
Knowing that hundreds of women and men from all over the globe are victims of this online scams, we recommend using these security tips for defensive online dating, including warning signs that could help you from becoming an easy target.
I would also recommend reading these real stories and learn from them, so you don’t fall for these online scams:
We all saw at least once this message on our screens: “You have been infected! Download antivirus X right now to protect your computer!”
Many of these pop-ups were very well created to look like legitimate messages that you might get from Windows or any other security product.
If you are lucky, there is nothing more than an innocent hoax that will bother you by displaying unwanted pop-ups on your screen while you browse online. In this case, to get rid of the annoying pop-ups, we recommend scanning your system usinga good antivirus product.
If you are not so lucky, your system can end up getting infected with malware, such as a Trojan or a keylogger. This kind of message could also come from one of the most dangerous ransomware threats around, such as CryptoLocker, which is capable of blocking and encrypting your operating system and requesting you a sum of money in exchange for the decryption key.
To avoid this situation, we recommend enhancing your online protection with a specialized security product against financial malware, and complement your traditional antivirus program.
Also, make sure you do not click on pop-up windows that annoyingly warn you’ve been infected with virus. Remember to always apply the existing updates for your software products, and install only legitimate software programs from verified websites.
If you’ve been infected, you can use an antimalware tool such as Malwarebytes to try removing the malware infection or pay attention to these warning signs and learn how to find a doable solution.
Facebook. Everyone is talking about it these days, and the scandal about Cambridge Analytica firm harvesting personal data taken from millions of this social media channel without users’ consent.
It’s still the most popular social media network where everyone is active and use it on a daily basis to keep in touch with friends and colleagues. Unfortunately, it has become also the perfect place for online scammers to find their victims.
Just imagine your account being hacked by a cyber criminal and gaining access to your close friends and family. Nobody wants that!
Since it is so important for your privacy and online security, you should be very careful in protecting your personal online accounts just the way you protect your banking or email account.
Facebook security wise, these tips might help you stay away from these online scams:
Do not accept friend requests from people you don’t know
Do not share your password with others
When log in, use two-factor authentication
Avoid connecting to public and free Wi-Fi networks
Cyber criminals will lure you into believing you can make money easy and fast on the internet. They’ll promise you non-existent jobs, including plans and methods of getting rich quickly.
It is a quite simple and effective approach, because it addresses a basic need for money, especially when someone is in a difficult financial situation.
This scamming method is similar to the romance scam mentioned above, where the cyber attackers address the emotional side of victims. The fraudulent posting of non-existent jobs for a variety of positions is part of the online criminals’ arsenal.
Using various job types, such as work-at-home scams, the victim is lured into giving away personal information and financial data with the promise of a well paid job that will bring lots of money in a very short period of time.
Read and apply these ten tips that can help you avoid some of the most common financial scams.
These scams are commonly used during hot summer months or before the short winter vacations, for Christmas or New Year’s Day.
Here’s how it happens: you receive an email containing an amazing offer for an exceptional and hard to refuse destination (usually an exotic place) that expires in a short period of time which you can’t miss. If it sounds too good to be true, it might look like a travel scam, so don’t fall for it!
The problem is that some of these offers actually hide some necessary costs until you pay for the initial offer. Others just take your money without sending you anywhere.
In such cases, we suggest that you study carefully the travel offer and look for hidden costs, such as: airport taxes, tickets that you need to pay to access a local attraction, check if the meals are included or not, other local transportation fees between your airport and the hotel or between the hotel and the main attractions mentioned in the initial offer, etc.
As a general rule, we suggest that you go with the trustworthy, well known travel agencies. You can also check if by paying individually for plane tickets and for accommodation you receive the same results as in the received offer.
If you love to travel, you can easily fall prey to airline scams by simply looking for free airline tickets. Airline scams are some of the most popular travel scams, and we recommend applying these valuable tips.
12. Bitcoin scams
If you (want to) invest in Bitcoin technology, we advise you to be aware of online scams. Digital wallets can be open to hacking and scammers take advantage of this new technology to steal sensitive data.
Bitcoin transactions should be safe, but these five examples of Bitcoin scams show how they happen and how you can lose your money.
The most common online scams to watch out for:
Fake Bitcoin exchanges
Everyday scam attempts
Here’s how you can spot a Bitcoin scam and how to stay safe online.
The spread of fake news on the Internet is a danger to all of us, because it has an impact on the way we filter all the information we found and read on social media. It’s a serious problem that should concern our society, mostly for the misleading resources and content found online, making it impossible for people to distinguish between what’s real and what is not.
We recommend accessing/reading only reliable sources of information coming from friends or people you know read regular feeds from trusted sources: bloggers, industry experts, in order to avoid fake news.
If it seems too good to be true, it’s most likely a scam. Take a look over these online scams Click To Tweet
This type of scam could come in the form of a trustworthy website you know and often visit, but being a fake one created by scammers with the main purpose to rip you off. It could be a spoofing attack which is also involved in fake news, and refers to fake websites that might link you to a buy page for a specific product, where you can place an order using your credit card.
To avoid becoming a victim of online scams, you can use tech tools such asFact Check from Google orFacebook’s tool aimed at detecting whether a site is legitimate or not, analyzing its reputation and data.
Cyber security experts believe that these Internet scams represent a threat for both organizations and employees, exposing and infecting their computers with potential malware.
We all love shopping and it’s easier and more convenient to do it on the Internet with a few clicks. But for your online safety, be cautious about the sites you visit. There are thousands of websites out there that provide false information, and might redirect you to malicious links, giving hackers access to your most valuable data.
If you spot a great online offer which is “too good to be true”, you might be tempting to say “yes” instantly, but you need to learnhow to spot a fake shopping siteso you don’t get scammed.
We strongly recommend reading these online shopping security tips to keep yourself safe from data breaches, phishing attacks or other online threats.
Many websites have a loyalty program to reward their customers for making different purchases, by offering points or coupons. This is subject to another online scam, because cyber criminals can target them and steal your sensitive data. If you think anyone wouldn’t want to access them, think again.
The most common attack is a phishing scam that looks like a real email coming from your loyalty program, but it’s not. Malicious hackers are everywhere, and it takes only one click for malware to be installed on your PC and for hackers to have access to your data.
As it might be difficult to detect these phishing scams, you may find useful this example of acurrent phishing campaign targets holders of Payback couponing cards, as well as some useful tips and tricks to avoid being phished.
Sadly, there are scammers everywhere – even when you are looking for a job – posing as recruiters or employers. They use fake and “attractive” job opportunities to trick people.
It starts with a phone call (or a direct message on LinkedIn) from someone claiming to be a recruiter from a well-known company who saw your CV and saying they are interested in hiring you. Whether you’ve applied or not, the offer might be very appealing, but don’t fall into this trap.
To protect yourself from job offer scams, it’s very important to:
Do a thorough research about the company and see what information you can find about it;
Check the person who’s been contacted you on social media channels;
Ask for many details and references and check them out;
Ask your friends or trustworthy people if they know or interacted with the potential employer.
To avoid these types of online job scams, check thisarticle.
Smartphones. You can’t live without them in the era of Internet. They’ve become essential for communication, online shopping, banking or any other online activity.
Needless to say the amount of data we store on our personal devices which make them vulnerable to cyber criminals, always prepared to steal our online identities or empty our bank accounts.
Smishing (using SMS text messages) is a similar technique to phishing, but, instead of sending emails, malicious hackers send text messages to their potential victims.
How this happens? You receive an urgent text message on your smartphone with a link attached saying that it’s from your bank and you need to access it in order to update your bank information, or other online banking information.
Be careful about these SMS you receive and don’t click on suspicious links that could redirect to malicious sites trying to steal your valuable data. These useful tips can help you easily spot these types of online scams.
If you are considering selling different items on specialized online sites, we strongly recommend watching out for overpayment scam.
A typically overpayment online scam like this works by getting the potential victim “to refund” the scammer an extra amount of money because he/she send too much money. The offer will often be quite generous and bigger than the agreed price. The overpay (extra money) is to cover the costs of shipping or certain custom fees.
One such story can unfold right now and can happen to each of you. This happened to one of our Heimdal Security team members. After smiling a bit and seeing the method, we did realize that’s a common online scam and we had to share it with you. Also, we included a few security tips and actionable advice to prevent falling prey to overpayment online scam.
Our colleague posted a sofa for sale on a Danish site called dba.dk which is a sort of a flea market online. After a few days, he received a message from a person claiming to be interested in the item and willing to pay more than the price offered, via PayPal account.
Here’s how a scam email looks like in which the malicious person asks for personal information to transfer the money.
Also, here’s the confirmation email coming from the scammer which shows that he paid an extra amount for the sofa, including extra shipping fees and MoneyGram charges the extra fee for transportation.
After that, he also got another email saying that he needs to refund the extra amount of money, including the shipping and transportation charges to a certain shipping agent via MoneyGram transfer.
Here’s how the phishing email looks like that you should be very careful and don’t fall for it:
Follow these security tips to protect yourself from overpayment online scam:
If you notice a suspicious email coming from untrusted source or something out of ordinary, you should report it as soon as possible.
If you receive a similar email like the one our colleague got, do not transfer extra money to someone you don’t know, especially if he/she wants to overpay. A legitimate buyer won’t do that.
Also, do not transfer money to a fake shipping company or some private shipping agent, because it’s part of scam and you need to be very careful.
Do not provide personal information to people who don’t show a genuine interest in buying your item.
Do not send the product to the buyer until the payment was completed and received in your bank account.
19. Tech Support Online Scams
Here’s another online scam that is common and you need to be extra careful. The next time your smartphone rings and you don’t know the number, think twice before answering. Maybe it’s not your friend on the other end of the phone, maybe it’s the scammer!
According to a recent report “nearly half of all cellphone calls next year will come from scammers”, so we need to learn how to better detect and prevent such malicious actions coming from skilled persons.
Tech support scams are very common and widespread these days. Scammers use various social engineering techniques to trick potential victims into giving their sensitive information. Even worst, they try to convince potential victims to pay for unnecessary technical support services.
These tech “experts” pretend to know everything about your computer, how it got hacked and many other details that help them gain your trust and convince victims to fall prey for their scams.
A scenario like this can happen as we write this, and one of our Heimdal Security team members recently got a phone scam call. While we got amused by the conversation he had with the person pretending to work for an Indian tech support company, we realized it can happen to anyone which can become an easy target.
The person, pretending to be the representative of a software company and experienced one, is informing our colleague that his computer got hacked by cybercriminals, and offers to guide him and solve this urgent problem.
With poor English skills, he gives details about the serial number of the computer, and provide guidance to access the unique computer ID, trying to misrepresent normal system as having serious issues. After a few minutes, the call is transferred to another tech representative who informs our colleague that they detected unusual activity going through his computer. He’s been told that multiple attempts have been seen on the PC in which hackers tried to get unauthorized access to his computer.
Our colleague detected this as being scam and didn’t go along with it, but for someone without technical knowledge, it may not be so easy to spot.
You can listen to this call here:
If someone else would have fallen prey for this online scam, things would have gone even further. The so-called tech scammers could persuade the potential victim to give them remote access to the system. To “help” the victim, scammers mention about additional software that are required to be installed and victims need to pay for these software victims, hence, provide credit card details. You can find out more info here
How to avoid getting scammed by tech support “specialists”
To avoid becoming an easy target of these sneaky tech support scammers, we strongly recommend following these basic rules:
Do not trust phone calls coming from people pretending to come from tech “experts”, especially if they are requesting for personal or financial information;
DO NOT PROVIDE sensitive data to them or purchase any software services scammers may suggest you as a solution to fix your tech problem.
DO NOT allow strangers to remotely access your computer and potentially install malicious software;
Make sure you download software apps and services only from official vendor sites;
Don’t take it for granted when a stranger calls you out of the blue, pretending to have a technical solution for your issues. Make sure you ask for proof of their identity and do a quick research about the company they are calling you from;
Always have an antivirus program installed on your computer, and for more protection, consider adding multiple layers of security with a proactive security solution like our Thor Premium Home, which will stop any type of online threats.
Have a security-first mindset and be suspicious about everything around you. Also, consider investing in education and learn as much as possible about cyber security. Here’s how you can reduce spam phone calls.
Since some scams are so well organized and really convincing, and people behind them so difficult to catch, we need to always keep our guard up. Stay informed about the latest scamming strategies.
Have you met some of the above scams while browsing or in your email inbox? What were the most convincing ones?
*This article was initially published by Andra Zaharia in January 2016.”
Spend time with your family, not updating their apps!
Let THOR FREE
Silently and automatically update softwareClose security gapsWorks great with your favorite antivirus
The idea that we should create a gargantuan list of cyber security tools started running through our minds a while ago because, in our journey into the cyber security and data protection world, we ran into lots of useful tools.
When we decided to work on this list, we had no idea how and where to begin.
What tools should we include? What should we not? How do we tell if one is worthy and the other one is not?
Do we mention ultra-known products?
Should we stick to what’s free or should we also add paid products?
Eventually, we came up with what we’re about to read. But first here’s a quick guideline that you should read before we jump right to the subject:
We don’t claim this is the ultimate list. It’s not complete and it’s definitely not final. It probably never will be. We are aware that we missed lots of essential, important tools – by mistake or just because we can’t know them all. So please feel free to jump in with more useful tools that you feel they should be mentioned.
We stayed away from recommending antivirus, VPN or firewall products. There are independent industry experts who only do that. Instead, we prefer to list those experts or websites that will help you compare such services, in order to choose what’s best for you
We tried to test them all before recommending them. And we only included tools that have free versions.
Here’s our list :
50+ free security tools you can use for your online protection
A unique and strong password is key to our online safety. We keep recommending this in our articles (and we’ll keep doing it) so people can realize the importance of setting passwords that hackers can’t reach.
First of all, here’s why it should be unique:
We never use the same key for our house and car, right? Then why would we use the same password for our accounts?
Our online accounts are interconnected. If one of those passwords is breached, the cyber criminal will have access to the rest of your accounts.
And no matter how careful you are not to give out your password, sometimes you might not be responsible for the breach. Companies have plenty of vulnerabilities. Their employees can have poor security habits. Their ex-employees might want to get vengeance this way. Your online connection might not be secure and your traffic unencrypted. There are tons of flaws out there that could expose your credentials.
Second of all, here’s why it should be strong (and what does “strong” mean):
Most people have weak passwords. They use family or pets names, favorite songs, birth dates and so on. This type of information nowadays is readily available online – usually posted directly by us, on social networks or blogs or forum comments.
If a cyber criminal really wants to hack your account and you use such a password, all they’ll have to do is spend some time finding out more information about you.
They also have the technical skills to test out millions of passwords combinations in a short period of time. So there’s that.
SplashData released its annual list of top worst passwords of 2017, where we see that people continue using the classic”123456″.
Constantly coming up with strong, unique passwords is hard. We get it.
It’s hard to remember to change them, and it’s even harder to remember them. Especially since it’s not recommended to write them down – not in a document on your desktop, not in an email draft, not in your phone or written on a paper that stays under your mouse pad. No, no, no, no.
And since not all of us have an elephant memory, some smart guys created tools that make it easier for us to manage passwords.
Passwords managers are easy to use. You install them as browsers plug-ins and they help us save passwords and keep them encrypted. When we log in to a new account, the password manager will ask us if we want to save the password.
All we have to do is remember the password that we use for the password manager tool account.
Here are some of the most popular apps for password management:
LastPass – it’s one of the oldest and most known password managers.
1Password – not exactly free, but offers a free trial that lasts 30 days
Activate two-factor authentication
Ok, so this is plan B. If passwords fail and a cybercriminal somehow manages to find out your beautiful, strong, unique and completely random password, the second-factor authenticator will work as an extra shield.
Two-factor authentication adds an extra layer of protection. This way, the password will not be enough to access your account, you’ll also have to prove your identity using the second method. This usually consists of a unique, time-sensitive code, that you receive using your mobile phone.
In order not to do this every time you log into your account, you can choose to remember the devices you use and only require the second way of authentication when you want to log in from a new device (laptop, PC, tablet, browser, whatever that may be).
I always wonder why the companies don’t enable this option by default. It would help avoid a lot of accounts that end up compromised because of poor passwords habits.
If you want to check what services offer users the possibility to activate two-factor authentication, use this tool:
There are several projects out there that store a huge database of leaked, stolen or compromised passwords. Other projects gather all the past data breaches. You can use them to confront with your passwords or accounts and check their databases. If someone ever used a password that’s the same with yours and was leaked in a past breach, you’ll have to change it.
You can also check if you have any accounts that were compromised in any of those data breaches.
It’s highly recommended that you avoid checking in from your social accounts – especially from your home.
Something so common and apparently innocent as a social media check-in can turn into a nightmare. You can never control who can access your social network posts. You never know who else benefits from the information you shared.
There have been many cases of people who checked in while on vacation, bragged about the wonderful places they visited, only to come back home and find out that they were robbed. Burglars were tipped off thanks to the posts on social media.
However, if it’s already too late and you already have plenty of check-ins made online, you can remove your previous ones.
For Facebook, you’ll have to do that manually for each post you published and then turn off location for future posts. However, for Instagram, there’s an easier batch solution that you can use.
Instagram is constantly updating its network and has changed the geo-map feature for mobile that let you control geotag location. Now you have the option to save photos you see and like on Instagram, save and add them to your photos collections.
Revoke access to third-party apps
You probably logged in with your social accounts to any third-party apps – games, other social networks, streaming services and so on.
For privacy matters, it’s recommended that you only allow access to trustworthy apps. Those apps have access to your profiles and personal information.
From time to time, make sure you check every single app that you allowed to access your account and remove the ones that you don’t use anymore.
Here’s how you can remove access to external apps from every major social network:
Google and Facebook are among the networks that offer the possibility to do a security check-up. They will take you through the steps you need to check or activate in order to enhance your account’s protection.
Safe Pad – an online notepad that is encrypted end-to-end.
Keeping malicious software under control
There are some major software apps that are buggy and expose you to global cyber attacks. “Software” and “buggy” might just be pleonasms for the moment, as all software have bugs and vulnerabilities.
What you should bear in mind is that you can reduce your odds of being infected just by keeping those buggy apps up to date. Or disabled until you really need them and activate them punctually. Or uninstalled, if they aren’t vital to your work.
By “apps” we mean browsers, plug-ins, add-ons. Chrome, Firefox, Flash Player, Java, and Adobe Reader, just to name a few of them, but you should take a look over the infographic published here to find out more about the top most vulnerable apps.
Here’s how you can reduce your odds of getting infected:
1. Keep those vital apps up to date. You can use an automated patching tool that will take care of that for you, silently (Thor FREE does that).
2. Use a tool that will scan your traffic and restrict your access to infected web pages (our product also does that, and also makes sure that none of your data goes out to the bad guys).
3. No clicking on suspicious links or attachments, short links that you don’t know where they’ll lead you, nothing that you never requested or sounds fishy (even if it’s coming from your online buddies). Staying away from dangerous web locations also is vital (that means no websites that host illegal content, such as torrents).
If you want extra anonymity, here is a list of tools that are focused on encryption and privacy:
Tor Project – we’re sure you already know about this one. You can use Tor to browse the web while staying anonymous.
Comparison VPN – the name is pretty much self-explanatory, right? “VPN” comes from “Virtual Private Network” and it’s used to encrypt your outgoing and ongoing traffic. This tool will help you compare between different VPN services.
Duck Duck Go – it’s a free search engine but, unlike others, it doesn’t track you, doesn’t collect or share any of your personal information.
Disconnect – the basic version will block trackers from websites.
uBlock – a lightweight free and open source browser extension that will help you filter our annoying or unwanted content, such as tracking cookies and ads (available for Mozilla, Chrome, Safari and even Microsoft Edge).
Ghostery – a free browser extension that lets you control trackers from the websites that you visit.
If you want to avoid any phishing or malware attacks, it’s best that you don’t click on any links that you don’t know where they’ll lead you. They might be links shortened using services such as Bit.ly or Unshorten or links that look similar to perfectly legitimate ones but use a variation in spelling or domain.
Use one of these services to check where a link will redirect you:
As an alternative to remotely check where a short link will take you, you can also use a service that remotely takes screenshots of a given website.
This kind of services are usually used by developers, to see how a website will look on different resolutions and browsers used by users, but they can also come in handy when it comes to Internet security.
This way, you’ll see how a website looks like and where you’ll end up if you click on that link, without actually visiting it.
How valuable are the work documents that you keep on your desktop, your email or in the cloud?
What about your collection of photos or private conversations? Would you miss them if they were ever deleted or lost?
What if they were stolen? Or, even worse, encrypted in a ransomware attack?
Stop telling yourself “it can’t happen to me”. The odds for ending up with malware attacks are against you.
And most of these attacks are automated, nobody hand picks you as a victim. It’s enough for you to have files and outdated browsers, plugins or apps. You don’t even have to click or download anything to end up infected – nowadays you can be compromised even on perfectly legit websites.
Bad news is that even if you pay the ransom, there’s no guarantee that you’ll receive the encryption key to gain back access to your files. Or the encryption might have gone wrong and corrupted the files. It’s one of the reasons why the FBI advises against paying the ransom.
Let’s not forget about the recent cyber attacks (WannaCry, Petya ransomware) impacting big organizations and institutions (Telefonica, Renault, FedEx, the National Health Service (NHS) in England and Scotland, Maersk, Government of Ukraine, and many more) that saw their computers compromised and lost access to valuable information.
No matter how many Internet security layers you have in place, always have a backup. Set in place at least two automatic backups. If everything else fails, at least you’ll be covered.
And here are two more tools that will help you out:
Best Backup – helps you choose the backup solutions suited to your needs
Spider Oak – backup solution focused on encryption and Internet security
Although ignored by most people, this step is also important to cyber security. Take your time and file a report if you run into anything that looks fishy.
If you have a hunch that something is wrong and you might have fallen into a trap, immediately contact your bank or credit card institution and close the accounts you believe they may have been compromised.
If this is not the case and you simply ran into spam, scams or phishing attempts, it’s best that you report them to government organizations or even cyber security companies.
Here are some of the places where you can do that:
Found this super useful list of free #cybersecurity tools, check it out: Click To Tweet
In the cyber security game, the good guys and the bad ones constantly try to outrun each other. That’s why you should always remember that no tool is bulletproof. Don’t rely exclusively on a software or an app to keep you safe, as they all have flaws and vulnerabilities.
Instead, try to think and act like a journalist. Question everything that you receive or run into in the digital world, even if it only looks slightly suspicious. Triple check it before you act on it, be sure that you don’t throw yourself into anything fishy.
Continue to improve your cyber education. In time, you’ll train your intuition and it will become increasingly easier to spot potential compromises.
It’s essential that you never give up on healthy Internet security habits. Add as many security layers as possible – onion style – in order to decrease the impact of a potential attack.
Hope for the best and prepare for the worst, right?
This article was initially published by Cristina Chipurici in May 2016 and it was republished in July 2017.
The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to:
Block malicious websites and servers from infecting your PCAuto-update your software and close security gapsKeep your financial and other confidential details safe