Info Security Alert May 2016


Information Security News Alert May 2016

Spam, Scams & Hacking You on Social Media

QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu

Bob Lavner 508-767-7006 blavner@assumption.edu

DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.


Just One Click

While the interconnection of technology has made it simple for us to keep in touch with family and friends, and promote our personal and professional brands, it has also made it simple for criminal hackers to infiltrate our lives. Think about all of the information you store and share with each network you join. Due to the control (or lack thereof) offered to us over our security settings, criminals know they have a revolving door to access our sensitive data. The bigger the network, the bigger the target and ultimately the bigger the payoff. Facebook, the world’s current largest social network (with over 1.59 billion global users), has been, and continues to be, the source of scams and phishing attacks. A post as simple as “share to win!” leads to hundreds of thousands of people being duped, all because they didn’t bother to check the validity of the post or the person posting it. While a “sharing scam” is mostly harmless (similar to an old-fashioned chain email), it reveals the gullible nature of many users, which can lead to malware infection or identity theft. We must always verify the source and think before we click.

One of the most common attacks across all social media networks comes via imposters. A scammer creates a profile of YOU, or of someone you know, and sends friend requests, with the goal of gaining access to private information. Impersonators not only have access to all of your friends’ and family’s accounts, they may use that access to send requests for money or create more fraudulent accounts. They can also post links to fake content that, when clicked, takes your followers to malware-ridden websites, or installs a Trojan, giving the criminal access to your entire computer. (If you think this has happened to you, report it to the social network in question ASAP!) This is especially true of China-based QQ, an instant messaging service with the third most users of all social media networks. A criminal hacker gets access to the user’s account via malware and uses it to send money requests to all of that user’s contacts. Even worse, QQ is a target for scamming rings that use Trojan viruses to gain access to an account. These hacked accounts are then sold on the black market to other criminals who use the account to gain access to sensitive information via the user’s chat records and emails. All it takes is one click for your data to be compromised.

From the Trenches: A real story from one of our colleagues

My grandma joined Facebook a few years ago like many older folks. But, like many non-tech-savvy folks, she didn’t know how to use it and didn’t post much content (rarely changes her profile picture). One day, I got a friend request from her. I thought it odd and was pretty sure we were already friends, but figured she had accidentally unfriended me somehow. So I accepted the friend request without bothering to look at the profile (after all, it had her exact name and current profile picture). A few days later, I got a message from my mom saying that it was an imposter account and had been reported as such to Facebook. I felt like an idiot! By allowing this imposter into my circle, he or she had unbridled access to all of my friends and family, including phone numbers (which should never be put on a social network), emails and photos.

WANT TO KNOW MORE ABOUT FACEBOOK SCAMS? Check out this article: facecrooks.com/Scam-Watch/Top-Ten-Facebook-Scams-to-Avoid.html


LinkedIn SCAMS

According to Wikipedia, LinkedIn is a business-oriented social networking service mainly used for professional networking. Unfortunately, the model by which users are connected, accepting requests from total strangers, perpetually breeds spam. Bogus recruiting accounts attempt to build a network map by sending requests to business professionals, which in turn makes the bogus account look legit. Victims are conned into giving up personal details, such as email addresses, which the criminals use to launch phishing campaigns and steer the users to websites built around malware. We need to be cautious when accepting invitations from strangers, and especially cautious when clicking the LinkedIn invite button in your email. When you get a notification that “Claire,” the alleged Director of Operations for Walmart, wants to add you to her network, don’t just automatically click ‘accept.’ Investigate Claire. Why would an executive of a major corporation want to add YOU to her network? How many connections does she have? The lower the number, the more likely the account is fake. Do a reverse image search. Who is Claire? If the account is fake, the profile image will be used for multiple accounts. A simple Google search of the person’s name is always a good starting point before adding someone you don’t know to your network. And always, always, always add users via the website. Never click the request directly from your email. Sending bogus LinkedIn requests is standard operating procedure for phishing emails.

Ransomware Case File

The Cause: Ransomware is a form of malware that encrypts your data and restricts your access to the data until you pay the requested bounty.

The Case: Hollywood Presbyterian Medical Center was taken offline when criminal hackers infiltrated the network and shut down basic operations, such as CT scans, lab work and pertinent documentation, by using ransomware. The facility was down for more than a week and had to divert several patients to other hospitals.

The Cost: In the end, HPMC determined the best way to restore operations was to pay the ransom and obtain the decryption key. The bounty was approximately $17,000 in the form of Bitcoins.

What to do if this happens to you: At work, take no further actions, and immediately notify your incident response team, or appropriate management.

It’s a Spammer’s World... and we’re just living in it.

The biggest security hole in social media is its connection to your personal email. Just like with the LinkedIn example, where bogus accounts are sending out network requests, every social media app sends email notifications of posts, likes, friend requests, etc. If we’re not careful, those email notifications could lead to phishing and malware. For that reason, it’s important to verify the validity of the link by doing a mouseover, hovering the cursor over the link before actually clicking on it. Better still, skip the link entirely and log in to your social media account directly. It’s all too easy for a criminal hacker to send spam email posing as a link from a popular social network.

Macros still pose a threat! If you receive an Office document, and are notified that it contains a macro, be sure to verify the sender before enabling it. Know and follow company policy concerning macros and if you want more info, visit http://bit.ly/1MyH9b0 and check your specific software version for assistance.


Text Message Scams

The rise of unsolicited text messages is bringing on another form of scamming that puts your personally identifiable information (PII) at risk. Usually, it’s a bogus message, such as your bank claiming your account is locked and you need to call a certain number and give certain credentials. Or it’s a link to claim a prize you’ve supposedly won: clicking the link installs malware on your phone that gives criminal hackers access to your PII. To avoid being scammed, simply think before you click, and check out the Federal Trade Commission’s list of how to protect your personal information.

Keeping Kids Safe on Social Media + 10 Tips for Parents

Smart, secure networking starts at home and it starts early. At some point, our children will reach the age where they’re old enough to develop an online presence. It’s up to us as parents to educate them about the dangers associated with these networks, and how important it is to protect that online presence. In order to do that, we need to educate ourselves on every social media network our children are joining. That means joining the network and boning up on how information is shared, so that we can teach them how to protect their accounts in addition to teaching them why what they share matters. We don’t necessarily want to scare our children, but making them aware of the dangers ahead is part of our jobs as parents. For that reason, showing them examples of how their shared information can be used against them, and introducing them to concepts like cyber bullying and stalking, can be a fantastic way to educate them. If they are aware of the consequences, they will make smarter choices.

No idea where to begin? Try these conversation starters: blog.thesecurityawarenesscompany.com/conversation-starters-for-kids-receiving-tech-gifts/

1. Don’t assume your child knows more than you about navigating technology.

2. Make sure your kids know what is and is not appropriate to post.

3. Don’t post personal financial information such as credit and debit card numbers, bank statements and pay checks on social media.

4. Don’t post other personal, non-financial information on social media, such as a new driver’s license.

5. Don’t post information about the place you work.

6. Don’t post your social plans and vacation details.

7. Don’t let your kids “check-in” everywhere they go.

8. Know with whom your kids are connecting.

9. Monitor your kids’ credit reports.

10. Be actively involved in your child’s online life.

Email Spoofers Are Getting Smarter

Even the most security-aware folks can get spoofed when scammers are good at what they do. “The email was surprisingly well written without the spelling and grammar errors I have come to expect from fake emails.” That says it all; scammers are getting better at getting clicks. Which means we need to get better at vetting. Think before you click, and when in doubt delete! Read the whole story by visiting: blog.thesecurityawarenesscompany.com/scam-alert-help-i-had-an-easter-disaster-in-the-philippines/


PHISHING IN ACTION

An information security professional shared this example of a real phishing email that came through her inbox. It made her pause because it looked so legitimate. Read through her notes about the thought process she used to figure out if it was real or not.

Inconsistencies in the links! “Service@paypal.com” was just the display name. “Service@pp.com” was the actual email URL.

They used my actual name, not something generic like “customer” so I had to really think about this.

Link inconsistencies! When I hovered over “Click here to login”, this very long URL appeared. Clearly, this is not a real PayPal address. (And it had my email address in the url, so it probably contained a script to capture the associated login information!)

The day before receiving this message, I had just set up a new bank account on my PayPal account and sent money to a friend, so it’s not unreasonable to believe that some recent account activity may have triggered their security alarms.

While this email looks really good – no obvious spelling or grammar issues, it includes the PayPal logo, it used my actual name – there’s still some odd formatting that I know the PayPal design team would never let go out to a customer.

I opened a browser and logged in the way I usually do – WITHOUT clicking on any of the links in the email – and upon entering my account, lo and behold, there were NO account notifications, nothing indicating that my account was limited. That confirmed my suspicions that this was a phishing email. As you can see, they can be very convincing!
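The two tells the notes above turn on, a display name that claims a different domain than the real sender address, and a link whose destination is not the brand’s own domain (here carrying the recipient’s email address in the URL), can be checked mechanically before anyone hovers or clicks. The following Python is an added example, not part of the newsletter; the sample message, the trusted-domain list and all names in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed sample message, modelled on the lure described in the notes.
SAMPLE = '''From: "Service@paypal.com" <Service@pp.com>
To: jane@example.edu
Subject: Your account has been limited
Content-Type: text/html

<p>Dear Jane,</p>
<p><a href="http://login.pp.com/verify?email=jane@example.edu">Click here to login</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
'''

# Assumption: the brand the message claims to come from owns only this domain.
TRUSTED = {"paypal.com"}

def in_trusted(host):
    """True when host is a trusted domain or one of its subdomains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def sender_findings(from_header):
    """Flag a display name that names a domain the real sender address lacks."""
    name, addr = parseaddr(from_header)
    real = addr.rsplit("@", 1)[-1].lower()
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != real:
        return [f"display name claims {claimed.group(1)} but sender domain is {real}"]
    return []

def link_findings(html):
    """Flag anchors pointing off-brand and links that embed an email address."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        u = urlparse(href)
        if not in_trusted(u.hostname):
            out.append(f'"{text.strip()}" leads to {u.hostname}, not {sorted(TRUSTED)}')
        if any("@" in v for vals in parse_qs(u.query).values() for v in vals):
            out.append(f"link carries an email address in its query string: {href}")
    return out

def triage(raw_message):
    """Return every finding for one raw RFC 822 message; empty list means no tells."""
    msg = message_from_string(raw_message)
    return sender_findings(msg["From"] or "") + link_findings(msg.get_payload())

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

The check is a triage aid only: a message that passes it can still be a phish, and as the notes show, logging in directly to the real site remains the decisive test.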


HEADLINE NEWS

Massive Government Data Breach Exposes Every Filipino Voter’s PII

The personally identifiable information (PII) of 55 million Filipino voters could have been exposed in a March 27th data breach of the Philippine Commission on Elections (COMELEC). This could be the worst government data breach anywhere, ever. Supposedly, its purpose was to convince the commission to implement stronger voting security for their upcoming elections. COMELEC seems to be brushing off the incident, but according to Trend Micro, the amount of PII that was exposed is alarming: 15.8 million fingerprint records, 1.3 million overseas Filipino voter passport numbers, a list of officials that have admin accounts, and more. Trend Micro warns Filipinos that they could now be targeted by criminals. For more information on the breach, visit their blog: http://bit.ly/1VCIBup.

Many of World’s Most Powerful People Exposed by Panama Papers Leak

The Panama Papers leak has been dubbed the biggest ever of its kind, overshadowing the Wikileaks and Edward Snowden scandals with 2.6 terabytes of incriminating data made public. Law firm Mossack Fonseca was exposed as helping several power players worldwide protect and hide their millions, and a cascade of resignations has followed. To read the details of this unfolding story and to stay up-to-date, visit the ICIJ: https://panamapapers.icij.org/.

From a security standpoint, this leak more than likely arose from an insider threat (though still unconfirmed). This is a common cause of breaches and, in this case, very difficult to confirm. It’s unclear where to draw the line between legitimate whistleblowing and criminal theft of information. And who should be prosecuted: the law firm for failing to protect its clientele’s confidential data, the whistleblower who has access to that data, or the heads of state who were engaging in illegal and seedy business? Only time will tell!

Yahoo Security @YahooSecurity • Mar 18 Yahoo kills password authentication with their new account key http://bit.ly/265SiGA

Get Safe Online @GetSafeOnline • Mar 21 Incidents of online ticket fraud rose by 55%, costs UK public £5.2m http://bit.ly/1XHesZy

Microsoft MMPC @msftmmpc • Mar 22 Microsoft releases new Office feature to combat macro malware http://bit.ly/1SjUkLK

ESET @ESET • Mar 23 Self-protecting USB steals data via undetectable trojan http://bit.ly/1Ry3tgF

Intl. Business Times @IBTimes • Mar 23 Hackers breached water treatment plant & successfully changed levels of chemicals in water http://bit.ly/1SfJp5Y

Cloudmark @Cloudmark • Mar 31 55+ companies have fallen victim to W-2 spear phishing attacks http://bit.ly/22AlalS

Washington Post @washingtonpost • Apr 12 FBI paid hackers to crack into iPhone; will they tell Apple how? http://wapo.st/1VkMpl7

IBM @IBM • Apr 14 Hybrid malware GozNym used in attacks against 24 US & Canadian banks to steal millions http://ibm.co/1qU7JSg

