phishing

Latest

  • Google

    Now the Android Gmail app keeps an eye out for phishing links

    by Richard Lawler
    05.04.2017

    In a particularly timely upgrade, Google is rolling out new protection against phishing links on its Gmail app for Android. According to the notes, when a user clicks on a suspicious link, they'll get a warning like the one shown above revealing that this could lead to a forged website (similar warnings came to web Gmail last year). Interestingly, this wouldn't have done much to mitigate the fake Google Docs invite that went around earlier since that linked to Google's own website. Still, we have more than enough evidence of what havoc can come about as a result of one fake email -- it's good to see Google doing more to protect users.

  • Weerapatkiatdumrong via Getty Images

    Beware phishing emails posing as Google Docs invites (updated)

    by Jon Fingas
    05.03.2017

    If you received an out-of-the-blue email purporting to share a Google Docs file, you're not alone -- and whatever you do, don't click the link inside. Many people online, including more than a few journalists, have been bombarded with phishing emails (currently from a mailinator.com account) that try to trick you into opening a fake Google Docs link. If you click through and grant a bogus "Google Docs" app access to your Google account, the perpetrators can get into your email. And of course, havoc follows after that -- the app spams email to everyone you've ever messaged, and bypasses Google's usual login alerts (including for two-factor authentication).

  • AOL

    'Major scale' malware targets your Mac through email scams

    by Jon Fingas
    04.30.2017

    Mac users are increasingly being targeted by malware after years of being relatively safe, and that means they're facing attacks that other users have unfortunately come to expect for a while. Check Point researchers have discovered Dok, the first "major scale" trojan that targets macOS through an email phishing campaign. The bogus messages (usually aimed at European users) are meant to trick you into downloading a ZIP file that, if you launch it, gives the malware control over your system and lets attackers intercept your internet traffic to spy on your activity or impersonate websites. It'll even delete itself when the intruders are done.

  • Bloomberg via Getty Images

    Google is fixing a Chrome flaw that makes phishing easy

    by Matt Brian
    04.17.2017

    As we've seen in the past, a strong password doesn't automatically make people safe online. Often, a specially-crafted email is all that it takes for someone to hand over their digital life to a malicious third party. Although email services are doing more to filter phishing emails before they reach your inbox, a decades-old Unicode technique is making it hard for users to determine whether a destination is legitimate. Fortunately, Microsoft Edge, Internet Explorer and Safari are immune and Google is just days away from patching the flaw.

  • Illustration by D. Thomas Magee

    When the 'S' in HTTPS also stands for shady

    by Violet Blue
    03.31.2017

    Just when we'd learned the importance of HTTPS in address bars, spammers and malicious hackers have figured out how to game the system. Let's Encrypt is an automated service that lets people turn their old unencrypted URLs into safely encrypted HTTPS addresses with a type of file called a certificate. It's terrific, especially because certificates are expensive (overpriced, actually) and many people can't afford them. So it's easy to argue that the Let's Encrypt service has done more than we may ever realize to strengthen the security of the internet and users everywhere.

  • Yuri Gripas/AFP/Getty Images

    Email scheme stole $100 million from two US tech companies

    by Jon Fingas
    03.22.2017

    It's tempting to assume that technology workers are intelligent enough to avoid email fraud, but that's not always the case. Both the FBI and the state of New York have charged a Lithuanian man, Evaldas Rimasauskas, with perpetrating a phishing campaign that siphoned $100 million away from two US tech companies. They're both choosing to remain unnamed, although one is a "multinational online social media company" -- you can probably whip up a short list of candidates based on that description. The scheme wasn't particularly complicated, either, and mostly relied on less-than-attentive employees.

  • Team Razer

    PSA: That Razer esports sponsorship email is a scam

    by Mariella Moon
    02.25.2017

    So, you stream your gameplays and recently received a lucrative sponsorship offer via email from popular esports platform Team Razer. Exciting, right? Unfortunately, it's nothing but a scam -- that email is actually from a cyber criminal and not a "scouting agent." Team Razer has sent out a notice that scammers are using its brand name to spread malicious software.

  • welcomia / Getty Images

    Nigerian man charged in hacking of 108 LA county employee emails

    by David Lumb
    12.19.2016

    It might not quite rival last week's revelation that up to one billion Yahoo accounts had been hacked in 2013, but it'll be news to anybody who contacted local government officials in Los Angeles. A Nigerian national has been charged with hacking LA county employee accounts that might have exposed personal data of up to 756,000 people. 37-year-old Kelvin Onaghinor has not been arrested and authorities are unsure whether he's still in the US. They're also searching for possible accomplices.

  • Getty

    Cybercrime network 'Avalanche' shut down in global sting

    by Jamie Rigg
    12.02.2016

    A mammoth cybercrime network known as Avalanche has been shut down, following a four-year investigation by German police and a coordinated strike by Europol, the FBI and agencies in many other countries. With a name like a Bond movie title, Avalanche was a sprawling cloud-based network that cybercriminals could rent, using it to distribute malware, ransomware, run phishing campaigns and launder extorted or stolen money.

  • Reuters/Lucy Nicholson

    After the election, hackers target think tanks with phishing attacks

    by Richard Lawler
    11.11.2016

    Now that the election is over, the Russian teams of hackers suspected of breaking into the Democratic Party's systems have reportedly launched a new phishing attack on US political think tanks and non-government organizations. Incident response firm Volexity has compiled information on "The Dukes" (aka APT29 or Cozy Bear) that it believes are behind the attacks. This time around, they worked by posing as a Harvard professor, sending links to Microsoft Office Word or Excel documents that contained a macro used to install a malware downloader on that target's computer. Once installed, it downloads a PNG file that has a backdoor embedded via steganography.

  • Google slaps 'repeat offender' tag on unsafe sites

    by Steve Dent
    11.09.2016

    Google is closing a loophole in its Safe Browsing search policy. While it already flags sites that violate its malware, phishing and other policies, bad actors can temporarily halt those activities. Then, once the warnings are removed, they resume, and unsuspecting searchers are none the wiser. Starting today, however, Google is flagging such sites as "repeat offenders," and webmasters won't be able to appeal the warnings for 30 days.

  • Reuters/Shannon Stapleton

    Microsoft patch for Google-outed exploit is still a week away

    by Jon Fingas
    11.01.2016

    Microsoft is still more than a little upset at Google revealing unpatched Windows security flaws, but it'll at least have a solution in hand in the days ahead. The software giant now plans to issue a patch for affected versions of Windows on November 8th. You're in good shape if you use both Windows 10 Anniversary Update and a sufficiently up to date browser (both Chrome and Edge should be safe), but you'll definitely have to be cautious if you can't use one of the known safe browsers or the latest version of Windows.

  • weerapatkiatdumrong / Getty Images

    Researcher-created Twitter bot phishes two out of three users

    by David Lumb
    08.05.2016

    Phishing, the malevolent hacker technique of getting hapless folks to click malevolent links, just got a powerful new weapon. Black Hat researchers have created a Twitter bot that reads your tweets and sends you a message catered to your interests — along with a shortened URL leading to hacktown.

  • Lastpass addresses two major vulnerabilities found by users

    by Sean Buckley
    07.27.2016

    Bad news, LastPass users: bug bounty hunters found two major security exploits with the password manager's browser extensions. Good news? Both of them have already been patched. In a quick update to the company blog, LastPass commented on a pair of separate, unrelated bugs that opened its browser extension to attacks exploitable by phishing.

  • Jonathan Short/Invision/AP

    Second man pleads guilty to breaking into celebrity accounts

    by Jon Fingas
    07.03.2016

    No, the convictions over celebrity account breaches aren't over yet. Chicago man Edward Majerczyk has agreed to plead guilty to using phishing scams to fool more than 300 people into compromising their Gmail and iCloud accounts, including 30 celebrities. The bargain reduces his sentence from a maximum of 5 years in prison to between 6 and 12 months. We'll learn the extent of his time behind bars in a few weeks, when the case transfers from California to Illinois for sentencing.

  • Illustration by D. Thomas Magee

    Cybersecurity forecast: Heavy smug

    by Violet Blue
    07.01.2016

    When you think of rockstar hackers and infosec pundits, I'm sure it's easy to imagine people who are humble, kind and patient, and never look down on anyone who would reuse a password. OK, maybe infosec types aren't known for doing benevolence all that well when they need to communicate with those not in the know about computer security. And when they do, they seem to prefer to do it from a stage and safely behind the title of "expert." Case in point: the much-ballyhooed talk being given at the Aspen Ideas Festival, where a professor at Rochester Institute of Technology, Josephine Wolff, is making a case today for punishing people when they're not good at computer security.

  • AP Photo/Morry Gash

    The Milwaukee Bucks fell prey to a phishing email scam

    by Jon Fingas
    05.21.2016

    Just because you're part of a major league sports team doesn't mean you're immune to internet fraudsters. The Milwaukee Bucks have confirmed that they fell victim to a phishing scam that compromised the basketball team's financial data. After receiving an email impersonating team president Peter Feigin, an employee sent out 2015 tax year data for all of the Bucks' employees, including players. Yes, that means that the salaries and social security numbers of some NBA athletes are in sinister hands.

  • Google enhances Gmail security and beefs up its warning systems

    by Jessica Conditt
    03.24.2016

    Google is trying to make Gmail as safe as it can possibly be with a few new features designed to prevent phishing, malware and hacking. This week, Google is rolling out an updated warning system on links sent through Gmail that may lead to unsafe sites. If you click a dangerous link in Gmail, you'll see a full-page warning with routes to more information and ways to protect your computer.

  • Bloomberg via Getty Images

    Seagate released employee tax data in phishing attack

    by Timothy J. Seppala
    03.08.2016

    Tax season is upon us (sorry for the reminder), and apparently if you want the W2-form information of thousands of Seagate employees, past and present, all you have to do is email and ask for it. A company spokesperson confirmed the phishing attempt to Krebs on Security, saying that on March 1st a Seagate employee released 2015 W2 info to someone believed to be acting in official capacity for the storage-minded outfit. Yep, it's pretty similar to what happened with Snapchat recently.

  • Bloomberg via Getty Images

    Even Snapchat falls victim to phishing attempts

    by Timothy J. Seppala
    02.29.2016

    Snapchat bragged about its eight billion daily video views on Monday, but over the weekend something happened that the ephemeral social app is probably less enthusiastic to admit: it's just as susceptible to phishing attempts as anyone else. A post on the company's blog says that last Friday someone impersonating the ghostly app's CEO emailed the payroll department and requested and received information about some of its staff.