Over 100 Million Accounts Exposed in Evite Breach
More than 100 million Evite users were exposed after the company’s servers were compromised earlier this year. While Evite doesn’t store financial information, plenty of other personally identifiable information was found in the leaked database dump. The initial estimate for the breach was much lower: a dump of 10 million Evite users had been found on an underground marketplace around the time the company discovered the unauthorized access, though that marketplace was shut down soon after.
American Express Suffers Phishing Attack
Many American Express customers recently fell victim to an email phishing attack that used the uncommon tactic of hiding the URL domain when hovering over the hyperlink. The attack itself, which requests the victim open a hyperlink to verify their personal information before re-routing them to a malicious site, was reliably full of spelling and grammar mistakes. The phishing landing page, though, looks nearly identical to the real American Express site and even has a drop-down list to catch multiple types of user accounts.
NHS Worries Over XP Machines
More than five years after Microsoft officially ended support for Windows XP, the UK government has revealed that over 2,000 XP machines are still in use at the National Health Service (NHS). Even after becoming one of the largest victims of the 2017 WannaCry attacks, the NHS has been incredibly slow to roll out both patches and full operating system upgrades. While the number of affected systems is small relative to the 1.4 million computers the NHS has under its control, it is working to get all of them upgraded to Windows 10.
Google Defends Monitoring of Voice Commands
Following a media leak of over 1,000 voice recordings, Google has been forced to defend its practice of having human reviewers listen to recorded “OK Google” queries. After receiving the leaked recordings, a Belgian news organization was able to positively identify several of the individuals, many of whom were having conversations that shouldn’t have been captured by the Google device in the first place. The company argues that it needs language experts to review queries and correct accent or language nuances that the automated transcription misses.
Monroe College Struck with Ransomware
All campuses of Monroe College were affected by a ransomware attack late last week that took down many of their computer systems. The attackers then demanded a ransom of $2 million, though it doesn’t appear that the college will cave to such exorbitant demands. Currently, the college’s systems are still down, but officials have been working to contact affected students and connect them with the proper assistance with finishing any coursework disrupted by the attack.
By implementing DMARC, brands lower the odds of their domains being spoofed and used in phishing attacks on recipients. Still, 79.7% of all domains analyzed have no DMARC policy in place, according to 250ok. A domain without any DMARC policy leaves its recipients exposed to phishing and, unsurprisingly, 91% of all cyber attacks begin with a phishing email. Phishing and spoofing attacks against consumers are likely to …
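To make “has a DMARC policy” concrete, here is an added worked example (not code from 250ok or Help Net Security) that classifies what a receiving mail server would actually do with a domain’s DMARC record: nothing at all, monitor only, quarantine or reject. The records are constructed samples; for a real domain you would query the TXT record at _dmarc.<domain> (for instance `dig +short TXT _dmarc.example.com`) and pass the returned strings in.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record(s).

Added example; not code from 250ok or Help Net Security. The records below are
constructed samples standing in for what a DNS resolver would return.
"""

# Constructed sample records keyed by domain.
SAMPLE_RECORDS = {
    "example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor-only.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=20; sp=none"],
    "nodmarc.example": [],                                            # the 79.7% case
    "broken.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],     # two records published
    "missing-p.example": ["v=DMARC1; rua=mailto:x@missing-p.example"],
    "spf-only.example": ["v=spf1 include:_spf.example.com -all"],     # not a DMARC record
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. RFC 7489 requires v=DMARC1 first and a p= tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def effective_policy(records, subdomain=False):
    """Return (policy, pct, note) describing what a receiver does with mail From: this domain.

    policy is 'none', 'quarantine', 'reject', or None when no usable record exists.
    subdomain=True means the sender is sub.domain, so the sp= tag applies if present.
    """
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return None, 0, "no DMARC record: anyone can spoof this domain unchecked"
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: more than one record and DMARC processing stops.
        return None, 0, "multiple DMARC records: receivers discard them all"
    try:
        tags = parse_dmarc(dmarc[0])
    except ValueError as err:
        return None, 0, f"invalid record ({err}): treated as no policy"
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    if policy not in VALID_POLICIES:
        return None, 0, f"unknown policy {policy!r}: treated as no policy"
    pct = int(tags.get("pct", "100"))
    note = {
        "none": "monitor only: spoofed mail is still delivered, failures only reported via rua=",
        "quarantine": "failing mail goes to the spam folder",
        "reject": "failing mail is refused outright",
    }[policy]
    if policy != "none" and pct < 100:
        # pct applies the policy to a sample; the rest fall to the next weaker policy.
        note += f"; only {pct}% enforced, the rest get the next weaker treatment"
    return policy, pct, note


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        policy, pct, note = effective_policy(records)
        print(f"{domain:22} p={policy!s:10} pct={pct:3}  {note}")
```

Note that a published record with p=none counts as “having DMARC” in adoption statistics but does nothing to stop a spoofed message reaching the inbox; only quarantine or reject, at pct=100, actually protects recipients.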
The post Companies still don’t understand the importance of DMARC adoption appeared first on Help Net Security.
Is PayPal safe? Well, considering that PayPal is one of the oldest and most ‘seasoned’ online money transfer platforms, it’s safe to assume that many efforts have been made to bolster its security.
Of course, timeline-wise, it was a trial-and-error kind of gig, but at the moment PayPal is right out there with the big players such as Revolut, Dwolla, TransferWise, Payoneer, and Google Pay. So, what does that tell us in terms of cybersecurity? With that being the question du jour, let’s dig in and find an answer to our “chicken-or-the-egg” question: is PayPal safe or not?
Before we delve into it, if you are concerned about your PayPal account’s security, here are 11+ scams you should look out for. Right, now onto the breach!
Is PayPal Safe for Your Cybersecurity?
In a nutshell, I would have to venture to say that PayPal is not completely safe. Of course, the same thing can be said about any online money transfer platform, but keep in mind that being the eldest player, it obviously attracts a lot of unwanted attention. And with some 227 million account holders worldwide, figuring out who’s next in line to be swindled is like playing charades.
According to the company, online fraud incidence is holding steady at around two percent, which is pretty decent considering that PayPal alone processes $235 billion in payments per year and has ties to no fewer than 17 million websites and organizations.
Considering these numbers, we can assume that the peer-to-peer payment platform is not short of fraud attempts. So, what are the main risks of opening up a PayPal account or holding on tight to the one you have? Here’s a rundown of the most common types of swindling attempts.
1. Phishing
Phishing is probably the most ‘abused’, and still quite successful, online scam (which makes you wonder if PayPal is safe or not). Why is that, you ask? I wouldn’t pin it on the account holder’s gullibility; more on the fact that no one’s willing to spend ten minutes of their time reviewing PayPal’s Buyer and Seller Protection policy.
In the aforementioned article, I pointed out that most users are not aware of simple, down-to-earth PayPal facts (for instance, that the platform will never request private info like your address, password, financial details, or social security number via email).
If your inbox lights up with an email from ‘PayPal’ requesting those details, it’s more than likely a fraud attempt. PayPal phishing comes in many guises: some ask you to follow a link to review and update your financial info, others try to reel you in with promises of free cash or out-of-this-world prizes, while some are nicely wrapped in a sad story that tugs on your heartstrings (e.g. fake charities).
Be careful around emails containing attachments. Official PayPal emails don’t have any, apart from the company’s header.
2. Smishing
Email phishing is not the only dirty trick in the scamming book. Phishing via text message, or smishing, is a quick way of finding out whether you have a PayPal account.
In most cases these texts contain a phone number: they entice you into calling back to confirm a couple of ‘harmless’ details. They can also carry links to credential-grabbing pages masquerading as legitimate PayPal pages. So, how does this scam work? Here’s a quick heads-up:
- You receive an SMS that reads: “Your PayPal account has been suspended due to suspicious activity. Please contact us immediately at <fraudster’s phone number>. It is imperative that we speak to you immediately.”
- Another version “PayPal: You spent <random amount> with PayPal. If you did not make this transaction, please call us immediately at <scammer’s disposable phone number>. Thank You.”
- Here’s a version that contains both phone numbers and phishing links: “PayPal: You spent <cash amount of choice> with PayPal. If you did not make this transaction, please login at mobileservices2019.com/txn?id=178948 to revert this transaction. Thank You.”
What happens if you call that number? Well, I guess you’ll have a ‘lovely’ chat with the fraudster who will probably try his best to persuade you into disclosing your account’s details. As for the link, I think we both know how this story ends (with you asking if PayPal is safe or not, of course).
3. Vishing
If phishing and smishing don’t work, there’s always vishing. What’s vishing? It’s phishing over the phone, typically using an automated system that places the voice calls. How does it work? According to PayPal’s fraudulent pages and websites section, you may be called by someone claiming to be a company representative, urging you to confirm or submit credentials.
The conversation can go something like this:
This is PayPal calling about a possible fraudulent transaction on your account. Please enter your password now to hear the transaction details. We need your immediate response to block or confirm this transaction.
Guess what happens after you key in the password? Yes, it’s bye-bye PayPal money. Even more daunting is that the scheme is polished enough that you will keep on believing the call actually came from PayPal: caller ID is trivially spoofed, so the scammer can make the call display “PayPal” or something similar. Still wondering if PayPal is safe?
4. Banking Trojans
And because phishing was not enough, there are now trojans capable of ‘siphoning’ money straight out of your account. This kind of malware, a “banking trojan”, can bleed your balance dry even when two-factor authentication is switched on, because it does not steal your credentials at all: it waits for you to log in yourself and then drives the app.
Cybersecurity researchers revealed that this trojan comes in the guise of a system and battery optimization app called Optimize Android. Upon installation, the app asks the user to switch on an “Enable statistics” option, which is really an Android accessibility service. With that permission, the trojan watches for the official PayPal app to be opened; once the user has logged in (passing 2FA along the way), the malware automates the taps needed to send a payment to the attacker’s account, faster than the user can intervene.
What sort of security measures does PayPal have in place?
To ensure that your hard-earned money stays where it’s supposed to, PayPal employs three types of security measures: email confirmations, PayPal Security Keys, and data encryption. There’s even a fourth measure, but it’s still being tested. Asking yourself if PayPal is safe or not?
1. Email confirmation
Each time you receive or send a payment, you will be notified via email. If a payment notification shows up for something you didn’t do, contact PayPal right away, since someone may be trying to ‘hotwire’ your account.
2. PayPal Security Keys
This is PayPal’s take on 2FA. When switched on, the login page will ask you for a security code in addition to your PayPal password; the code is sent by SMS to your phone. The service is free of charge, but carrier messaging rates may apply, so check with your mobile provider. One caveat: SMS codes stop an attacker who has only your password, but they can be defeated by SIM-swap fraud or by a phishing page that relays the code in real time. Use an authenticator app instead if PayPal offers you one, and never type a code into a page you reached from a link in an email or text.
3. Data encryption
Since every transaction happens online, there are several safeguards for data in transit: TLS, key pinning, and data-protection controls covering the data PayPal stores. When you connect, PayPal’s servers negotiate TLS with your browser; PayPal has required TLS 1.2 since 2018, so a client that only speaks TLS 1.0 or 1.1 will not get in at all.
Make sure you are actually on an HTTPS connection (look for the padlock icon next to the address bar), but bear in mind what the padlock means: the connection is encrypted to whatever host is shown in the address bar. A phishing site can have a padlock too, so the hostname is what you need to check.
To counter man-in-the-middle attacks, PayPal uses key pinning. The client is told in advance which public key (or keys) a genuine PayPal server will present, and refuses to talk to a server whose certificate chain does not contain one, even if the certificate was issued by a trusted CA. Why is this useful? An attacker who can intercept traffic and present a fraudulently issued certificate for the PayPal name would otherwise be able to read and redirect your session. Pinning is most effective in PayPal’s own mobile apps, where the expected keys can be built into the client; mainstream browsers have dropped support for site-specified pins (HPKP).
Last but not least, PayPal’s protection of data in transit and at rest is audited against industry standards: PCI DSS, plus attestations by independent third parties under the AICPA framework (SSAE 16 SOC 1 and AT 101 SOC 2 reports) and Sarbanes-Oxley controls.
4. PayPal 3-D Secure (3DS)
As part of its ongoing anti-fraud efforts, PayPal has added an extra layer built on the 3-D Secure protocol, now maintained by EMVCo. Designed to satisfy SCA (Strong Customer Authentication) requirements, it asks the cardholder to authenticate with the bank that issued their credit or debit card (typically via a one-time code or a confirmation in the bank’s app) before the transaction completes.
Depending on the card network, the scheme is branded “Verified by Visa”, “SafeKey” (American Express), or “Mastercard SecureCode”. Keep in mind that not every issuer supports 3-D Secure, and it is not enabled by default.
The good news is that you will be able to turn it off if you have a hard time completing transactions. Please note that the 3-D Secure code is different from your PayPal password: yes, that means you’ll need both in order to complete a transaction.
How to beef up your PayPal account security
Undoubtedly, there will always be someone out there just waiting to bleed your PayPal account dry. Though no one can guarantee complete safety (there’s no such thing in the online world), there are a few things you can do to boost your security. So, without further ado, here are some actionable security tips you should follow if you plan on keeping your PayPal account.
#1. Avoid transacting over public Wi-Fi.
Keep in mind that unsecured Wi-Fi networks are great ‘hunting grounds’ for scammers: a rogue hotspot or captive portal can steer you to a fake login page, and if you click through a browser certificate warning the attacker can read and alter your session. HTTPS protects the traffic itself, so the hard rule is never to accept a certificate warning while dealing with money. If the transaction cannot wait, use your mobile data instead of an open Wi-Fi. Charges may apply, but at least you would have answered the “is PayPal safe?” question.
#2. Using a dedicated device vs. an all-purpose device.
I know that the very thought of using a dedicated device just to view balance may seem like a whim, but it’s actually a lot safer than using an all-purpose machine (i.e. home PC or smartphone). How will this work? Let’s say you have a laptop at home, sitting idly in the corner, and collecting dust.
Instead of letting it die out, you can repurpose it for your PayPal needs: use that machine only for PayPal transactions (and keep it patched), while keeping your smartphone and/or home computer for everything else (online gaming, surfing the web, social media).
If you use a dedicated machine for PayPal activities, you won’t have to worry about having to deal with spyware or malware picked up from the web because you just had to see that cat video!
#3. Don’t link a debit card to your PayPal account.
I really don’t think it’s a good idea to hook up your debit card to any kind of online account, regardless if it’s Netflix, Google Play, or PayPal.
Now, with a credit card, the worst case is a fraudulent charge sitting on your statement, which you dispute before paying it (well, it’s not really what I would call pleasant, but you’ll still be able to make do until the next paycheck).
There’s another advantage to linking your credit instead of a debit card: if PayPal refuses to refund your money, you may still be able to settle the matter with the bank that issued your credit card in the first place.
#4. Keep an eye out on your balance
While it’s always a good idea to keep tabs on your PayPal balance, you should turn it into a habit, since scammers are known to trickle small amounts out of an account. There’s even a short and sweet story to back up that claim. Anissa Wardell of The Publicists Assistant says that after checking her account she noticed that small sums kept vanishing (some $5 to $10 every couple of days).
Upon contacting PayPal, she was informed that the money was going to a small UK-based grocery store. Imagine her surprise at finding out she’d been doing someone’s grocery shopping without being aware of it. Fortunately, the account was closed in time.
And because all’s well that ends well, PayPal even offered her a full refund. The lesson: if you see that you’re a couple of bucks short, do yourself a favor and contact PayPal on the double. Sure, a few dollars every odd day isn’t a big deal, but imagine what happens over a couple of weeks if the issue goes unresolved.
#5. Don’t click on in-mail links from ‘PayPal’
Spoofing is not what you’d call a cutting-edge scamming technique. Still, as the saying goes: “if it’s stupid but it works, it isn’t stupid.” If you come across PayPal links in an email, hover your mouse over them; chances are they have nothing to do with PayPal. Hovering is not foolproof, though, because the target shown can be disguised, so the surefire way to find out whether the email really came from PayPal is to type paypal.com into your browser yourself, log in, and open Notifications. If PayPal wanted to reach you, there will be an unread notification there.
#6. Buy from trusted sources only
This one’s pretty straightforward, with one caveat: the padlock icon next to the merchant’s URL only tells you the connection is encrypted to the domain shown, and any site, including a phishing page, can get a certificate these days. Treat the padlock (or Google’s checkmark) as the minimum, then check that the domain really belongs to the vendor and that the shop has a track record before you pay.
#7. Get yourself checked out
Trust goes both ways, even more so when money’s involved. As a buyer, you can verify your account by confirming a valid email address or phone number. There are other, more sensitive ways to verify your identity: supplying your social security number, or attaching a debit or credit card to your account.
A bit of a paradox, if you ask me: typing in your SSN proves you’re a real person, but it also raises the stakes if your PayPal account is ever compromised. A few bucks missing from your bank account is sad, but imagine what happens if someone steals your identity. If you opt for SSN or card verification, I would strongly advise you to keep a close watch on your account and report any suspicious activity.
#8. Generating an API access token through PayPal Developer
A word of warning first: this one is for developers, not a hardening step for a personal account. If you write software that calls PayPal’s REST API, your app authenticates with an OAuth 2.0 client-credentials request and receives a short-lived access token. Both that token and the client secret used to obtain it are bearer credentials (whoever holds them can act as your app), so keep them out of source code, chat logs and screenshots. If you feel up to the task, follow the steps below to generate an access token.
Step 1. Go to PayPal Developer and log in using your credentials.
Step 2. Head to the My Apps & Credentials section.
Step 3. Under the REST API section, click on Create App.
Step 4. Type in a name for your new app and hit the Create App button.
Step 5. Edit and review the app’s details, if necessary and then hit the Save button.
Step 6. To generate the access token, make a token request to the /v1/oauth2/token endpoint, authenticating with the app’s client ID and secret as HTTP Basic credentials.
Step 7. Set the request body to grant_type=client_credentials.
Step 8. Review the request and run it. If it is well-formed, the response is a JSON document containing the access_token, its token_type (Bearer) and expires_in, the token’s lifetime in seconds.
Yes, I know that this sounds like Medieval Klingon, but let me give you a hand. Here’s what the access token request looks like with curl (CLIENT_ID and CLIENT_SECRET are placeholders for your app’s values from the dashboard):
curl -v https://api.sandbox.paypal.com/v1/oauth2/token \
  -H "Accept: application/json" \
  -H "Accept-Language: en_US" \
  -u "CLIENT_ID:CLIENT_SECRET" \
  -d "grant_type=client_credentials"
For the live environment, use api.paypal.com instead of api.sandbox.paypal.com.
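The same request in Python, as an added example rather than PayPal’s own SDK, shows what curl’s -u flag is actually doing (an HTTP Basic header carrying base64 of client_id:secret) and adds the part the curl one-liner leaves out: caching the token and renewing it before expires_in runs out, so you don’t mint a new token per API call. The response dictionary, environment variable names and token values are constructed for the example; only fetch_token_live() touches the network.

```python
"""Fetch and cache a PayPal REST API access token (OAuth 2.0 client credentials).

Added example, not PayPal's SDK. The constructed response below stands in for what
the sandbox returns; only fetch_token_live() talks to the network.
"""
import base64
import json
import os
import time
import urllib.request

SANDBOX_TOKEN_URL = "https://api.sandbox.paypal.com/v1/oauth2/token"
LIVE_TOKEN_URL = "https://api.paypal.com/v1/oauth2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """What curl's -u builds: 'Basic ' + base64("client_id:client_secret")."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return "Basic " + creds


def build_token_request(client_id, client_secret, token_url=SANDBOX_TOKEN_URL):
    """Assemble the same POST the curl command sends, without sending it."""
    return urllib.request.Request(
        token_url,
        data=b"grant_type=client_credentials",
        headers={
            "Accept": "application/json",
            "Accept-Language": "en_US",
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


class TokenCache:
    """Hold one bearer token and renew it shortly before expires_in runs out.

    fetch is any callable returning the parsed token JSON; it is injected so the
    cache can be exercised offline with a constructed response.
    """

    def __init__(self, fetch, skew_seconds=60):
        self._fetch = fetch
        self._skew = skew_seconds
        self._token = None
        self._expires_at = 0.0

    def token(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._fetch()
            if body.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in response")
            self._token = body["access_token"]
            self._expires_at = now + int(body["expires_in"])
        return self._token


def fetch_token_live(client_id, client_secret, token_url=SANDBOX_TOKEN_URL) -> dict:
    """Real round trip to PayPal; needs network access and valid credentials."""
    req = build_token_request(client_id, client_secret, token_url)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed stand-in for the sandbox reply: the shape matches the API, the values are made up.
CONSTRUCTED_RESPONSE = {
    "scope": "constructed",
    "access_token": "A21AAExampleTokenValue",
    "token_type": "Bearer",
    "app_id": "APP-0000000000000000",
    "expires_in": 32400,
    "nonce": "constructed",
}

if __name__ == "__main__":
    # Credentials come from the environment (assumed variable names), never from source code.
    cid = os.environ.get("PAYPAL_CLIENT_ID")
    secret = os.environ.get("PAYPAL_CLIENT_SECRET")
    cache = TokenCache(lambda: fetch_token_live(cid, secret) if cid and secret else CONSTRUCTED_RESPONSE)
    print("Bearer token starts with:", cache.token()[:8] + "...")
```

The 60-second skew means the cache asks for a fresh token a minute before the old one expires, so a request never goes out with a token that dies in flight; the client secret itself is read from the environment and never written anywhere.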
Security tips for PayPal sellers
#1. Don’t oversell your goods
I know that the urge to boast your goods is strong, but you should definitely refrain from being too “flamboyant” in your description. Stick to the basics: size, weight, and condition – anything the buyer needs to know about the product he’s about to purchase. If you’re selling used goods, you should also consider adding notes about any scratches or marks.
Why this nitpicking? Because it’s a common PayPal scamming technique to open disputes over products not matching their descriptions. And yes, it doesn’t matter how insignificant the differences are; they’ll still try to dispute it. To avoid this embarrassing situation, post lots of close-up pictures and consider adding a follow-up note to ensure that the package arrived on time and everything’s hunky-dory.
#2. Only agree to ship to confirmed addresses
PayPal wholeheartedly encourages the seller to ship only to buyers who have confirmed their shipping address. Before completing the transaction, ensure that the person verified his credit card and that the billing will be done to the same address. Consider adding tracking to your shipment.
#3. Avoid using labels that are emailed or sent to you
Always use your own shipping company’s labels and packaging. If someone asks you to stick a different label or postage mark on the package, there’s a high chance you are dealing with a scammer. So: ship only with a carrier you choose, never with labels received at home or by email, and use online tracking. If your goods are worth more than $250, request a signature on delivery.
#4. Watch out for suspicious transactions
In some cases, especially when high-value items are involved, scammers will try to rush the shipment or to make partial payments from several PayPal accounts. Always ask for full payment from a single, trackable, registered PayPal account, and don’t forget about signature confirmation on receipt.
#5. Don’t misplace your sale and shipment records
Keep in mind that PayPal buyers can open a dispute on any transaction within 180 days. Still, that’s not the end of the line: to qualify for the company’s seller protection program, keep all records pertaining to the sale and the shipping. Moreover, you’ll be far more likely to outwit a potential scammer if you send the requested documentation and respond to disputes quickly.
PayPal Security FAQ
Q: Is PayPal safe to keep money?
A: As long as you take the necessary precautions, there’s no reason to worry about money kept in your PayPal account. If you have any reason to believe that your PayPal account might be at risk, contact PayPal support.
Bear in mind that PayPal does not replace a regular bank account, so you should refrain from keeping all your money tied in your online account.
Q: Is PayPal safe to use with bank account?
A: The platform lets account holders link a bank account directly, or a credit or debit card. To bolster your security, I would advise against linking a debit card to your PayPal account. If a scammer breaks into your account, a fraudulent credit card charge can be disputed with the issuing bank before you pay it; with a debit card the money leaves your bank account first, and you are left waiting on the bank’s investigation to get it back.
Q: Is PayPal safe to transfer money?
A: PayPal is one of the safest money transfer environments. Make sure that you carefully read the terms and conditions that apply to your case (buyer or seller).
Q: Is PayPal safe to buy online?
A: As long as you buy from legitimate vendors, the chances of being scammed are negligible. If you have any reason to doubt the seller’s intentions, contact PayPal for a quick check-up. In the meantime, you can look for signs of fraud yourself.
Look for things like a billing address that doesn’t match the shipping address, or a vendor who wants to use plain postal services instead of a tracked shipping company. If the seller has an e-shop or a presentation website, check the content for discrepancies (stock photos, spelling errors, get-rich-quick copy, over-inflated user comments, spammy articles).
So, is PayPal safe? Long story short: yes, it is or, at the very least, it’s safer compared to other online-money transfer services. Of course, no one can guarantee that nothing bad will happen to you when using PayPal.
It’s safe to assume that it all boils down to what we do in the ‘shadows’, I guess: if you’re careful enough about your account’s cybersecurity, then the only way someone’s going to steal your money would be to rob you at gunpoint. Lessons learned? Avoid shady vendors, put several security layers between you and the scammer, report suspicious activity, and don’t go overboard with the selling bit. Do you have any sad or amusing PayPal stories to share with the rest of the community? Don’t be a stranger and leave a comment.
A national trade association has disclosed a data breach that allegedly took place following a successful phishing attack. On 3 July, the American Land Title Association (ALTA) said that the security incident affected title and settlement company usernames and passwords. It also noted that it first learned about the data breach on social media.
The post National Trade Association Discloses Data Breach Tied to Alleged Phishing Attack appeared first on The State of Security.
We take a bloodied baseball bat to Android malware, and debate the merits of a social media strike, as one of the team bites the bullet and buys a smart lock for the office.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Oli Skertchly.
Phishing scams aren’t as compelling as some of the more sophisticated attacks that you read about. But their prosaic nature is part of what makes them so concerning.
After all, every unusual email you receive could be a phishing scam, whether it’s an account reset message from Amazon or a work request from your boss.
And evidence shows that attacks like this will happen regularly and in incredibly convincing ways. For example, Proofpoint’s Understanding Email Fraud Survey has found that 75% of organisations had been hit by at least one spear phishing email in 2018.
Spear phishing is a specific type of phishing attack in which criminals tailor their scams to a specific person. They do this by researching the target online – often using information from social media – and by imitating a familiar email address.
For example, if the target works at ‘Company X’, the attacker might register the domain ‘connpanyx’ (that’s c-o-n-n-p-a-n-y-x rather than c-o-m-p-a-n-y-x), hoping that the recipient won’t spot the difference.
You might think that would be easy enough to notice, but scammers are adept at hiding the signs of their scams.
Sustained threat of spear phishing
Proofpoint’s report found that 41% of organisations suffered multiple attacks in a two-year span, suggesting that those that fell victim once were likely to do so again.
It also found that only 40% of organisations have full visibility into email threats, meaning those organisations are being targeted regularly and simply aren’t aware of the scale of the threat.
Commenting on the report, Robert Holmes, vice president of email security products at Proofpoint, said:
“Email fraud is highly pervasive and deceptively simple; hackers don’t need to include attachments or URLs, emails are distributed in fewer volumes, and typically impersonate people in authority for maximum impact.
“These and other factors make email fraud, also known as business email compromise (BEC), extremely difficult to detect and stop with traditional security tools. Our research underscores that organizations and boardrooms have a duty to equip the entire workforce with the necessary solutions and training to protect everyone against this growing threat.”
Phishing is a top concern
Clearswift’s Cyber Threatscape report also highlights the threat of phishing. The information security organisation polled 600 decision makers and 1,200 employees in the UK, US, Germany and Australia, and found that 59% of respondents said phishing was their biggest concern.
Phishing was the number one risk in all four regions, beating out the threat of employees’ lax attitudes (33%), the vulnerability of removable devices (31%) and failure to remove login access from ex-employees (28%).
According to Dr Guy Bunker, senior vice president of products at Clearswift, this report “highlights that businesses need to change the way they’re approaching the task of mitigating these risks”.
“The approach should be two-fold, focused on balancing education with a robust technological safety net. This will ultimately help ensure the business stays safe,” he adds.
How can you prevent phishing attacks?
There are several ways you can address the risk of phishing. The first is to conduct staff awareness courses to educate employees on how phishing scams work and what they can do to mitigate the risk.
These courses should be repeated annually to refresh employees’ memories and maintain a workplace culture that prioritises cyber security.
You may also benefit from a thorough re-evaluation of your approach to cyber security. Our Security Awareness Programme does just that, helping you generate tangible and lasting improvements to your organisation’s security awareness.
It combines a learning needs assessment to identify the areas that your organisation should focus on, with a series of tools and services to address problems as they arise, including hands-on support from a specialist consultant, pocket guides and e-learning courses.
A version of this blog was originally published on 9 April 2018.
The post 75% of organisations have been hit by spear phishing appeared first on IT Governance Blog.
If you’re an avid Instagram user, chances are you’ve come across some accounts with a little blue checkmark next to the username. This little blue tick is Instagram’s indication that the account is verified. While it may seem insignificant at first glance, this badge actually means that Instagram has confirmed that the account is an authentic page of a public figure, celebrity, or global brand. In today’s world of social media influencers, receiving a verified badge is desirable so other users know you’re a significant figure on the platform. However, cybercriminals are taking advantage of the appeal of being Instagram verified as a way to convince users to hand over their credentials.
So, how do cybercriminals carry out this scheme? According to security researcher Luke Leal, this scam was distributed as a phishing page through Instagram. The page resembled a legitimate Instagram submission page, prompting victims to apply for verification. After clicking on the “Apply Now” button, victims were taken to a series of phishing forms with the domain “Instagramforbusiness[.]info.” These forms asked users for their Instagram logins as well as confirmation of their email and password credentials. However, if the victim submitted the form, their Instagram credentials would make their way into the cybercriminal’s email inbox. With this information, the cybercrooks would have unauthorized access to the victim’s social media page. What’s more, since this particular phishing scam targets a user’s associated email login, hackers would have the capability of resetting and verifying ownership of the victim’s account.
Whether you’re in search of an Instagram verification badge or not, it’s important to be mindful of your cybersecurity. And with Social Media Day right around the corner, check out these tips to keep your online profiles protected from phishing and other cyberattacks:
- Exercise caution when inspecting links. If you examine the link used for this scam (Instagramforbusiness[.]info), you can see that it is not actually part of Instagram.com: the brand name is merely embedded in a domain someone else registered. It also doesn’t use HTTPS, another warning sign, although the reverse does not hold: plenty of phishing pages do carry a valid certificate, so a padlock is no proof of legitimacy. Always inspect a URL before you click on it, and if you can’t tell whether a link is malicious, don’t interact with it at all.
- Don’t fall for phony pages. If you or a family member is in search of a verified badge for an Instagram profile, make sure you are familiar with the real process: Instagram users go into their own account settings and choose “Request verification”. Note that Instagram will not ask for your email or password during this process, but will send you a verification link via email instead.
- Reset your password. If you suspect that a hacker is attempting to gain control of your account, play it safe by resetting your password.
The post #Verified or Phishing Victim? 3 Tips to Protect Your Instagram Account appeared first on McAfee Blogs.
European police have arrested six people as part of an investigation into a theft which saw €24 million (US $27 million) stolen from users of a cryptocurrency exchange.
Read more in my article on the Tripwire State of Security blog.
Scammers steal millions by impersonating a French politician, we offer fashion tips for DDoS attackers, and hear how a small town fought a sextortionist preying on young women.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.
Many of us live out our whole lives on Facebook, Twitter, Instagram and LinkedIn, publicising our thoughts, interacting with friends, strangers and businesses, and keeping abreast of current affairs.
But all that activity has made social media a breeding ground for a new form of cyber attack known as angler phishing.
What is angler phishing?
Angler phishing is a specific type of phishing attack that exists on social media. Unlike traditional phishing, which involves emails spoofing legitimate organisations, angler phishing attacks are launched using bogus corporate social media accounts.
This is how it works: cyber criminals are aware that organisations are increasingly using social media to interact with their customers, whether that’s for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints.
Here’s an example:
Making complaints on social media puts pressure on organisations to resolve the issue promptly.
Organisations often respond more quickly to issues raised on social media, as it provides an opportunity for good PR.
Most responses are along the same lines as our example: the organisation asks the customer to provide their personal details, so it can verify the issue and respond appropriately.
Unfortunately, cyber criminals have exploited this by spoofing corporate accounts and intercepting customer queries.
They use account handles that mimic legitimate accounts – like ‘@dominoscustomercare’, for example – search for customer complaints directed at the legitimate account and respond.
Eagle-eyed individuals might notice that the response came from a different account than the one they messaged, but it’s not uncommon for a big company to direct customer complaints to a dedicated account.
But more often than not, people see that the response comes from an account with the organisation’s name and logo and don’t notice the difference.
The fraudster will then ask the customer to direct message them their account details (as many genuine organisations do) or direct them towards what is supposedly a customer support page but is in fact a malicious site, which steals personal information or infects the customer’s device with malware.
Phishing email protection
Many social media users know very little about angler phishing. That’s bad news for organisations, given how often employees browse social media during their lunch breaks or quiet periods.
After all, it only takes one person clicking a bogus link to infect the organisation’s systems.
That’s why it’s important to teach your staff how to spot scammers’ bait. Our Phishing Staff Awareness Course teaches you everything you need to avoid every type of attack, from social media scams to email- and SMS-based threats.
A version of this blog was originally published on 19 June 2017.
You probably know what phishing is. It’s been around almost as long as the Internet, and everyone from your employer to Facebook provides warnings about how to identify and report such scams.
But are you aware of how extensive phishing is? The cyber security company Webroot has identified four facts about how phishing works that might make you see the threat in a new light.
1. Phishing sites have a lifecycle of about 15 hours.
In order to reduce the chances of being detected and blocked, scammers are constantly creating new phishing sites and deactivating old ones.
On average, phishing sites are live for only 15 hours. By the time someone’s raised the alarm about a malicious site and the organisation has updated its security measures and warned employees not to click the link, the fraudster is already well on their way to their next scam.
2. Most malicious links are hidden within benign domains.
Scammers rarely use dedicated domain names for phishing attacks these days, because they can be easily identified and blacklisted.
Instead, malicious emails will almost always contain domains “associated with benign activity” to increase the probability of their success. Criminal hackers prefer to compromise a single page of a benign site and replace its content with a phishing page, which is more difficult to detect.
3. About 400,000 phishing sites are created each month
To keep up with the phishing sites’ brief lifecycle, scammers are forced to create hundreds of thousands of phishing sites each month.
The websites might be used for a single phishing campaign or for a variety of attacks. Either way, it’s easy to see why it’s so difficult for spam filters to keep track of malicious sites. There are simply so many that a few will inevitably fall through the system and end up in users’ inboxes.
4. Google, PayPal and Apple are the most commonly spoofed organisations
Scammers have always targeted well-respected organisations, but things are so much easier for them now that there are dozens of organisations that collect the majority of people’s personal data.
Google is the most frequently spoofed organisation, but PayPal, Amazon and Facebook are also hugely popular subjects for phishing scams.
Want to know how to prevent phishing attacks?
If you want to avoid falling for phishing scams, you have to trust your own judgement. Technological solutions like spam filters can’t catch everything, and they won’t help in the event of specific forms of phishing, like BEC (business email compromise) scams.
Fortunately, no matter how severe the threat is, there are always clues that can help you identify phishing scams.
You can teach your employees how to become experts at spotting those clues with the help of our Phishing Staff Awareness Course. Packed with real-life examples and best practices for staying safe, this online course helps employees become an active part of your organisation’s cyber security strategy.
A version of this blog was originally published on 14 December 2016.
In the last few months, we’ve seen a sudden increase in Spear Phishing attacks. Spear phishing is a variation of a phishing scam wherein hackers send a targeted email to an individual which appears to be from a trusted source. In this type of attack, the attacker uses social engineering tricks and some…
The evolving cyber threat landscape has taken a new leap. The recent past shows a startling rise in the number of incidences of phishing attacks, where visitors have been lured into clicking fraudulent links, under the cover of security marks like padlock icon and ‘HTTPS’. Considering the rising number of…
Obviously, my initial thought was that it was a phishing email, decent quality and a well-timed attempt given Liverpool and Tottenham Hotspur were confirmed as finalists after very dramatic semi-final matches on the previous nights. I logged into my Zavvi account directly, then reset my password just in case, and after a bit of checking of the embedded links within the email, and research on the Zavvi website, I soon established it was a genuine email from Zavvi.
So unless the Atlético Madrid stadium has undergone a huge capacity upgrade, it became obvious that someone at Zavvi had made a huge blunder, resulting in personalised competition winner emails being sent en masse to thousands of Zavvi customers.
What compounded matters was Zavvi keeping relatively schtum about the blunder throughout the day. The e-commerce entertainment retail store published an apology mid-morning on their Facebook page, but after hundreds of comments by angry customers, they deleted the post a couple of hours later. It took them almost 8 hours before Zavvi finally followed up the "Congratulations" email by emailing an apology which offered a mere 15% discount off their website products. I suspect most Zavvi customers won't be too happy about that, especially those that went through the day believing they had won a once-in-a-lifetime competition.
The DBIR has evolved since its initial release in 2008, when it focused on payment card data breaches and on Verizon’s own breach investigations data. This year’s DBIR involved the analysis of 41,686 security incidents from 66 global data sources in addition to Verizon. The analysed findings are expertly presented over 77 pages, using simple charts supported by astute ‘plain English’ explanations, which is one reason why the DBIR is one of the most quoted reports in presentations and within industry sales collateral.
DBIR 2019 Key Takeaways
- Financial gain remains the most common motive behind data breaches (71%)
- 43% of breaches occurred at small businesses
- A third (32%) of breaches involved phishing
- The nation-state threat is increasing, with 23% of breaches by nation-state actors
- More than half (56%) of data breaches took months or longer to discover
- Ransomware remains a major threat, and is the second most common type of malware reported
- Business executives are increasingly targeted with social engineering attacks such as phishing/BEC
- Crypto-mining malware accounts for less than 5% of data breaches; despite the publicity around it, it didn’t make the top ten malware listed in the report
- Espionage is a key motivation behind a quarter of data breaches
- 60 million records breached due to misconfigured cloud service buckets
- Continued reduction in payment card point of sale breaches
- The hacktivist threat remains low; the increase in hacktivist attacks reported in the DBIR 2012 report appears to have been a one-off spike
Phishing scams have become incredibly popular these days. Cybercriminals have upped the ante with their tactics, making their phishing messages almost identical to the companies they attempt to spoof. We’ve all heard about phishing emails, SMiShing, and voice phishing, but cybercriminals are turning to social media for their schemes as well. Last week, the “Nasty List” phishing scam plagued Instagram users everywhere, leading victims to fake login pages as a means to steal their credentials. Now, cybercriminals are capitalizing on the success of the “Nasty List” campaign with a new Instagram phishing scam called “The HotList.”
This scam markets itself as a collection of pictures ranked according to attractiveness. Similar to the “Nasty List,” this scheme sends messages to victims through hacked accounts saying that the user has been spotted on this so-called “hot list.” The messages claim to have seen the recipient’s images on the profile @The_HotList_95. If the user goes to the profile and clicks the link in the bio, they are presented with what appears to be a legitimate Instagram login page. Users are tricked into entering their login credentials on the fake login pages, whose URL typically ends in a .me domain. Once the cybercriminals acquire the victim’s login, they are able to use their account to further spread the campaign.
Images courtesy of Bleeping Computer.
Luckily, there are steps users can take to help ensure that their Instagram account stays secure:
- Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. And if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common indicators of a potential scam at play.
- Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in .me.
- Reset your password. If your account was hacked by “The HotList” but you still have access to your account, reset your password to regain control of your page.
How often do you check your social media accounts? According to a recent study, internet users spend an average of 2 hours and 22 minutes per day on social networking platforms. Since users are pretty reliant on social media, cybercriminals use it as an avenue to target victims with various cyberattacks. The latest social media scheme called “The Nasty List” scams users into giving up their Instagram credentials and uses their accounts to further promote the phishing scam.
So, how exactly do hackers trick innocent users into handing over their login information? Cybercriminals spread this scam by sending messages through hacked accounts to the user’s followers, stating that they were spotted on a “Nasty List.” These messages will read something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.” If the recipient visits the profile listed in the message, they will see a link in the profile description. An example of one URL that has been listed in these scam profiles is nastylist-instatop50[.]me. The user is tricked into believing that this link will supposedly allow them to see why they are on this list. This link brings up what appears to be a legitimate Instagram login page. When the victim enters their credentials on the fake login page, the cybercriminals behind this scheme will be able to take over the account and use it to further promote the scam.
Fortunately, there are a number of steps Instagram users can take to ensure that they don’t fall victim to this trap. Check out the following tips:
- Be skeptical of messages from unknown users. If you receive a message from someone you don’t know, it’s best to ignore the message altogether or block the user. Additionally, if you think a friend’s social media account has been compromised, look out for spelling mistakes and grammatical errors in their message, which are common in these scams.
- Exercise caution when inspecting links sent to your messages. Always inspect a URL before you click on it. In the case of this scam, the URL that appears with the fake login page is clearly incorrect, as it ends in a [.]me.
- Reset your password. If your account was hacked by ‘The Nasty List’ but you still have access to your account, reset your password to regain control of your account.
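The link inspection these tips describe (and the same advice in the verification-badge and “HotList” tips above), as an added example that is not McAfee’s code: it refangs the bracketed URLs quoted on this page and reports whether the link uses HTTPS, whether its registrable domain is actually the brand’s, and whether it merely contains the brand’s name. The two-label domain rule is an assumption standing in for the public suffix list.

```python
from urllib.parse import urlsplit

# Defanged notation used in threat reports (and in the text above) so a URL
# is not clickable; the checker accepts both defanged and plain forms.
DEFANG = {"[.]": ".", "(.)": ".", "hxxp": "http"}


def refang(url: str) -> str:
    """Turn 'instagramforbusiness[.]info' back into a parseable URL."""
    for bad, good in DEFANG.items():
        url = url.replace(bad, good)
    if "://" not in url:
        # no scheme given: parse it as a network location so the host is found
        url = "//" + url
    return url


def registrable_domain(host: str) -> str:
    """Last two labels of the host name.
    Assumption: a simple two-label rule instead of the public suffix list,
    which is enough for the .com, .info and .me examples on this page."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(url: str, brand_domain: str) -> dict:
    """Checks a careful user makes on a link that claims to come from
    `brand_domain` (e.g. 'instagram.com'): is the scheme https, does the
    link really belong to the brand, or does it only contain the brand word?"""
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    brand_word = brand_domain.split(".")[0]
    verdict = {
        "host": host,
        "scheme": parts.scheme or "none",
        "registrable_domain": domain,
        "https": parts.scheme == "https",
        "belongs_to_brand": domain == brand_domain,
        # brand word somewhere in the host, but the domain is not the brand's
        "brand_lookalike": brand_word in host and domain != brand_domain,
    }
    verdict["safe_to_trust"] = verdict["https"] and verdict["belongs_to_brand"]
    return verdict


if __name__ == "__main__":
    # URLs quoted on this page, plus one constructed lookalike for contrast
    for link in ("Instagramforbusiness[.]info",
                 "nastylist-instatop50[.]me",
                 "https://instagram.com.example[.]me/login",
                 "https://www.instagram.com/accounts/login/"):
        print(link, "->", inspect_link(link, "instagram.com"))
```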
The post The “Nasty List” Phishing Scam Is out to Steal Your Instagram Login appeared first on McAfee Blogs.
Today, we are extremely reliant on our GPS devices. In fact, we’re so reliant on these devices that map features are programmed into almost every IoT device we use as well as inside of our vehicles. However, the Department of Homeland Security has issued an alert to make users aware of a GPS receiver issue called the GPS Week Number Rollover that is expected to occur on or around April 6, 2019. While this bug is only expected to affect a small number of older GPS devices, users who are impacted could face troubling results.
You may be wondering, what will cause this rollover issue? GPS systems count weeks using a ten-bit parameter, meaning that they start counting at week zero and then reset when they hit week 1,024, or 19.5 years. Because the last reset took place on August 21, 1999, it appears that the next reset will occur on April 6, 2019. This could result in devices resetting their dates and potentially corrupting navigation data, which would throw off location estimates. That means your GPS device could misrepresent your location drastically, as each nanosecond the clock is out translates into a foot of location error.
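The rollover arithmetic from the paragraph above, as an added example that is not part of the original post: it derives both rollover instants from the GPS epoch (the 1999 and 2019 dates quoted above, once the leap seconds by which GPS time leads UTC are removed) and models how a receiver with a stale built-in pivot date decodes the wrapped 10-bit week number to a date 1,024 weeks in the past. The pivot-date model is a simplification and an assumption, not any particular vendor’s firmware.

```python
from datetime import datetime, timedelta, date
from typing import Union

# GPS time counts whole weeks from the GPS epoch; the legacy navigation message
# carries only the low 10 bits of that count, so it wraps every 1024 weeks.
GPS_EPOCH = datetime(1980, 1, 6)   # GPS time (no leap seconds), not UTC
WEEK_MODULUS = 1 << 10             # 1024
WEEK = timedelta(weeks=1)

Instant = Union[datetime, str]     # datetime or ISO date string


def _as_dt(t: Instant) -> datetime:
    return datetime.fromisoformat(t) if isinstance(t, str) else t


def rollover_gps_time(n: int) -> datetime:
    """Instant (in GPS time) of the n-th wrap of the 10-bit week counter."""
    return GPS_EPOCH + n * WEEK_MODULUS * WEEK


def rollover_utc(n: int, gps_minus_utc_seconds: int) -> datetime:
    """Same instant in UTC. GPS time runs ahead of UTC by the leap seconds
    inserted since 1980: 13 s at the 1999 rollover, 18 s at the 2019 one."""
    return rollover_gps_time(n) - timedelta(seconds=gps_minus_utc_seconds)


def gps_week(t: Instant) -> int:
    """Full (un-truncated) GPS week number containing GPS-time instant t."""
    return (_as_dt(t) - GPS_EPOCH) // WEEK


def broadcast_week(full_week: int) -> int:
    """What the legacy navigation message actually transmits: the low 10 bits."""
    return full_week % WEEK_MODULUS


def resolve_week(week10: int, pivot: Instant) -> int:
    """Simplified receiver model (assumption): the true week is taken to be the
    first week at or after a built-in pivot date (typically the firmware build
    date) whose low 10 bits match the broadcast value. A pivot more than 1024
    weeks old therefore resolves to a week that is 1024 weeks too early."""
    pivot_week = gps_week(pivot)
    candidate = pivot_week - (pivot_week % WEEK_MODULUS) + week10
    if candidate < pivot_week:
        candidate += WEEK_MODULUS
    return candidate


def decoded_date(week10: int, pivot: Instant) -> date:
    """Calendar date (GPS time) a receiver with that pivot shows for the start
    of broadcast week `week10`."""
    return (GPS_EPOCH + resolve_week(week10, pivot) * WEEK).date()


def range_error_feet(clock_error_ns: float) -> float:
    """Pseudorange error caused by a clock offset: light covers ~0.98 ft per ns,
    which is the 'a nanosecond is a foot' rule of thumb in the text."""
    metres = clock_error_ns * 1e-9 * 299_792_458
    return metres / 0.3048


if __name__ == "__main__":
    print("1st rollover (UTC):", rollover_utc(1, 13))   # 1999-08-21 23:59:47
    print("2nd rollover (UTC):", rollover_utc(2, 18))   # 2019-04-06 23:59:42
    wrapped = broadcast_week(gps_week(rollover_gps_time(2)))   # 2048 -> 0
    print("updated receiver (pivot 2015):", decoded_date(wrapped, "2015-01-01"))
    print("stale receiver   (pivot 1999):", decoded_date(wrapped, "1999-01-01"))
    print("1 ns clock error -> %.2f ft" % range_error_feet(1))
```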
So, how does this rollover issue translate into a potential cyberthreat? It turns out that the main fix for this problem is to ensure that your GPS device’s software is up-to-date. However, due to the media attention that this bug is receiving, it’s not far-fetched to speculate that cybercriminals will leverage the issue to target users with phishing attacks. These attacks could come in the form of email notifications referencing the rollover notice and suggesting that users install a fraudulent software patch to fix the issue. The emails could contain a malicious payload that leaves the victim with nasty malware on their device.
While it’s difficult to speculate how exactly cybercriminals will use various events to prey on innocent users, it’s important to be aware of potential threats to help protect your data and safeguard your devices. Check out the following tips to help you spot potential phishing attacks:
- Validate the email address is from a recognized sender. Always check the validity of signature lines, including the information on the sender’s name, address, and telephone number. If you receive an email from an address that you don’t recognize, it’s best to just delete the email entirely.
- Hover over links to see and verify the URL. If someone sends you a link to “update your software,” hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.
- Be cautious of emails asking you to take action. If you receive a message asking you to update your software, don’t click on anything within the message. Instead, go straight to your software provider’s website. This will prevent you from downloading malicious content from phishing links.
The post The GPS Rollover Bug: 3 Tips to Help You Avoid Phishing Scams appeared first on McAfee Blogs.
Sports fans everywhere look forward to mid-March for the NCAA men’s college basketball tournament. However, it’s not just college basketball fans that look forward to this time of year. Cybercriminals use March to launch malicious campaigns in the hopes of gaining access to personal information from unsuspecting fans. Let’s take a look at the most popular techniques cybercriminals use to gain access to passwords and financial information, as well as encourage victims to click on suspicious links.
Online betting provides cybercriminals with a wealth of opportunities to steal personal and financial information from users looking to engage with the games while potentially making a few extra bucks. The American Gaming Association (AGA) estimates that consumers will wager $8.5 billion on the 2019 NCAA men’s basketball tournament. What many users don’t realize is that online pools that ask for your personal and credit card information create a perfect opportunity for cybercriminals to take advantage of unsuspecting fans.
In addition to online betting scams, users should also be on the lookout for malicious streaming sites. As fewer and fewer homes have cable, many users look to online streaming sites to keep up with all of the games. However, even seemingly reputable sites could contain malicious phishing links. If a streaming site asks you to download a “player” to watch the games, there’s a possibility that you could end up with nasty malware on your computer.
Ticket scammers are also on the prowl during March, distributing fake tickets on classified sites they’ve designed to look just like the real thing. Of course, these fake tickets all have the same barcode. With these scams floating around the internet, users looking for cheap tickets to the games may be more susceptible to buying counterfeit tickets if they are just looking for the best deal online and are too hasty in their purchase.
So, if you’re a college basketball fan hoping to partake in this exciting month – what next? In order to enjoy the fun that comes with the NCAA tournament without the risk of cyberthreats, check out the following tips to help you box out cybercriminals this March:
- Verify the legitimacy of gambling sites. Before creating a new account or providing any personal information on an online gambling website, poke around and look for information any legitimate site would have. Most gambling sites will have information about the site rules (i.e., age requirements) and contact information. If you can’t find such information, you’re better off not using the site.
- Be leery of free streaming websites. The content on some of these free streaming websites is likely stolen and hosted in a suspicious manner, as well as potentially contains malware. So, if you’re going to watch the games online, it’s best to purchase a subscription from a legitimate streaming service.
- Stay cautious on popular sports sites and apps. Cybercriminals know that millions of loyal fans will be logging on to popular sports sites and apps to stay updated on the scores. When you’re visiting these sites, be careful not to click on any conspicuous ads or links that could contain malware. If you see an offer that interests you in an online ad, you’re better off going directly to the website of the company displaying the ad as opposed to clicking on the ad from the sports site or app.
- Beware of online ticket scams. Scammers will be looking to steal payment information from fans in search of last-minute tickets to the games. To avoid this, it’s best to buy directly from the venue whenever possible. If you decide to purchase from a reseller, make sure to do your research and only buy from trusted vendors.
- Use comprehensive security software. Using a tool like McAfee WebAdvisor can help you avoid dangerous websites and links, and will warn you in the event that you do accidentally click on something malicious. It will provide visual warnings if you’re about to go to a suspicious site.
The post How Online Scams Drive College Basketball Fans Mad appeared first on McAfee Blogs.
This infographic covers the most common phishing attacks. This graphic does a good job of covering all the vectors a phishing attempt could come from, from email, text messages and phone calls to USB drives. Phishing is one of the most prevalent cyberattacks and one of the most successful for hackers to pull off. It’s important to […]
The post The Most Common Phishing Attacks – An Infographic appeared first on Security In Five.
This post is to show you what a real email extortion attempt scam is about. In Episode 408 of my Security In Five podcast I talk about how you shouldn’t completely ignore your email spam folders. That episode came out of an experience I had after I reviewed my spam folder and realized one of […]
The post Case Study: A Hacked Website Turns Into An Email Extortion Scam appeared first on Security In Five.