phishing
Latest
Apple engineers propose a way to make using two-factor texts easier
If you've ever used online banking or any other highly-secure website, chances are you've encountered a one-time passcode (OTP) before. These are SMS messages sent to your phone with a unique code that verifies your identity with the website you're on. For a lot of users, inputting this code into the website involves tapping back and forth between the browser and the SMS client -- and in some cases even having to physically write down the code, because it's so long or complicated. Now, Apple engineers have put forward a proposal designed to make the whole process easier and more secure.
NYT: Experts find evidence Russians hacked Ukrainian gas company
Any relationship between former Vice President Joe Biden, his son and the Ukrainian gas company Burisma has become a central figure in the 2020 election campaign and the impeachment of Donald Trump. Now, in a situation with echoes of the 2016 election, the New York Times reports that a security firm claims it has detected successful phishing attacks on Burisma by hackers connected to Russia.
New Orleans declares state of emergency following cyberattack
New Orleans is the latest city to fall victim to a cyberattack, although it appears to have fared better than some of its peers. The city both declared a state of emergency and shut down most of its computers after detecting suspicious activity, including ransomware and a flurry of phishing emails. It's not clear if the ransomware compromised any systems, although Mayor LaToya Cantrell said that there had been no ransom requests or evidence of employees being tricked into handing over login details.
Google adds spam detection and verified business SMS to Messages
Businesses often send one-time passwords, account alerts and appointment confirmations via text. But if you've ever received one of those, you know they tend to come from a random number, and bad actors can take advantage of that by disguising phishing scams as one of those messages. To protect users, Google will soon verify SMS messages from registered businesses.
Google Chrome will warn you if your logins have been stolen
Google is adding several new features to Chrome to keep you safe while browsing online. To start, the next time you try to login into a website, Chrome will warn you if your username and password were compromised in a data breach. It will also suggest you change any passwords you've reused.
Google and Amazon approved home speaker apps that spied on users
Privacy is a hot topic in the realm of smart speakers, from employees listening in on recordings and auditors accessing user locations. Now, another issue regarding speakers has been raised, after security researchers revealed that apps accepted by the Amazon Alexa and Google Home platforms could be used to phish users and to eavesdrop on them.
Safari in iOS sends some Safe Browsing data to Tencent (updated)
Apple's Safari browser has long sent data to Google Safe Browsing to help protect against phishing scams using its Fraudulent Website Warning feature, but it now appears Chinese tech giant Tencent gets some information as well. Users have discovered that iOS 13 (and possibly versions starting from iOS 12.2) sends some data to Tencent Safe Browsing in addition to Google's system. It's not clear at this stage whether Tencent collects any information outside of China -- you'll see mention of the collection in the US disclaimer, but that doesn't mean it's scooping up info from American web surfers.
Instagram is helping users avoid phishing scams
The tech-literate might think we're impervious to phishing scams, but even the best of us get fooled once in a while. Fraudsters are constantly getting better at using email to impersonate friends, coworkers and big brands to obtain people's personal information and passwords. As a measure against these cons, Instagram's new security feature adds a list of official emails the company has sent to the app's security tab, letting users double check whether an email they've received is from the company or a scammer.
Microsoft: Iranian cyberattack targeted a US presidential campaign
Iran has apparently been engaged in a large-scale cyberattack bent on compromising American politics. Microsoft reported that Phosphorous, a known group it believes is linked to the Iranian government, attacked 241 email accounts in a 30-day period between August and September, including those for a US presidential campaign as well as current and former US officials, journalists covering world politics as well as "prominent" expatriate Iranians. Four of these accounts were compromised, though this didn't include the presidential run or any officials.
Twitter is cracking down on financial scams
Twitter has updated its policy on financial scams. As of today, users are not permitted to deceive others into sending money or personal financial information. If you're thinking, it's about time, you're not alone. Previously, Twitter handled cases of fraud via its spam reporting tool. But today's changes detail exactly what is prohibited and should make it easier for users to report fraud.
Consensual phishing: How to crack your half-forgotten crypto password
Phil Dougherty has a side hustle as a friendly hacker. By day, he's a software developer at the University of Wisconsin, building free educational games and conducting research on the ways people play them. Meanwhile, back at home, Dougherty is the shepherd of a program that's constantly running down ways to break into other people's cryptocurrency wallets. Dougherty works with folks who have lost, forgotten or incorrectly written down their Ethereum passwords, locking themselves out of their wallets and forfeiting the digital cash that's lurking within. These people are, essentially, shit out of luck. There's no customer support hotline for Ethereum, no security questions to answer, no "Forgot password?" link.
Vulnerability lets text messages steal emails from Android phones
Bogus text messages aren't just being used to send you to malicious websites or crash your phone -- in some cases, they can hijack your emails. Check Point Research has discovered a vulnerability in phones from Huawei, LG, Samsung and Sony that lets attackers use custom SMS to intercept all email traffic on target devices. The attack uses the common Open Mobile Alliance version of over-the-air provisioning, a carrier technique for deploying settings to new phones, to access emails. The attacks require different methods depending on the phone and available info (such as IMSI numbers and requesting PIN codes), but the result is the same: intruders trick users into compromising their phones through messages that pose as network settings changes.
Google is working on a fix for malicious Calendar spam
Since at least May of this year, malicious individuals have been sending Gmail users unsolicited Calendar invites. The scam takes advantage of the fact most people have their Google accounts set to automatically add and notify them of Calendar invites. Since these invites can include an accompanying URL, scammers will use Calendar as a Trojan Horse to get individuals onto a phishing website. With the summer winding down, Google now says it's working on a fix for the oversight.
FEC rules that campaigns can get discounts on cybersecurity
Political campaigns will need cybersecurity to avoid a repeat of the 2016 presidential election, but are often strapped for cash. The Federal Election Commission made a ruling today that will make it legal for campaigns to secure low-cost services from cybersecurity firms, as long as the firms offer the same rates to their non-political clients. According to the New York Times, FEC lawyers initially had concerns that the practice would violate campaign finance laws designed to prevent corporations from currying favor with political candidates.
A flaw in Zoom's Mac app may have let attackers hijack webcams
A serious security flaw in the Mac version of conferencing software Zoom can hijack webcams, but also leave users vulnerable to phishing and DOS attacks.
Google stats show how much a recovery number prevents phishing
In case you haven't already set up a recovery phone number for your Google account, and enabled extra security features like multifactor authentication, the search giant is using hard data to explain why you should. Interestingly, studies (1)(2) researchers presented this week at The Web Conference found that simply adding a recovery phone number to an account blocked 100 percent of automated attacks, 99 percent of bulk phishing attacks and 66 percent of targeted attacks during the period they investigated. That's why you should take advantage of a tool like the Security Checkup now, while your account is still secure, and get at least that level of protection enabled.
Chrome exploit uses a fake address bar for phishing attacks
Cyberattackers don't need to find obscure technical flaws to launch phishing attacks -- they might just need a screen capture and some clever web coding. Developer James Fisher has found a relatively simple exploit in Chrome for mobile that takes advantage of how the app displays the address bar. When you scroll down from the top of a page, the approach displays a fake address bar that won't disappear until you visit another site. The attacker can even craft the page to prevent you from seeing the real address bar when you scroll up.
Facebook groups for buying and selling credit cards still abound
We might think that stolen credit cards and personal information only get traded on the dark web, but the information is moving in plain sight on Facebook. According to intelligence firm Cisco Talos, there are dozens of groups on the social network that rather explicitly buy and sell credit card numbers and other stolen information. The security firm tracked 74 groups in total that have approximately 385,000 members.
Man pleads guilty to hijacking Apple IDs of rappers and sports stars
The end to Celebgate didn't mark the end to attempts to exploit superstars. Georgia resident Kwamaine Ford has pleaded guilty to hijacking Apple IDs of athletes (including NBA and NFL players) and rappers for the sake of spending sprees. From "at least" March 2015 onward, Ford tricked stars into handing over their account details primarily through a phishing campaign where he posed as an Apple customer support rep. Whenever he succeeded, he'd change the sign-in details and attempt to obtain credit card information. He'd use that to pay for "thousands of dollars" of travel, furniture and money transfers.
Evidence mounts that Russian hackers are trying to disrupt the EU elections
Russian hackers are targeting government systems ahead of the EU parliament election, according to cybersecurity company FireEye. The firm says that two state-sponsored hacking groups -- APT28 (aka Fancy Bear) and Sandworm -- have been sending out authentic-looking phishing emails to officials in a bid to get hold of government information.