Aug
17

“Hi. Just writing to let you know my trip to Manila, Philippines with my family has been a mess…I need you to loan me some money. I’ll refund it to you as soon as I arrive home.”

or…

“How are you and your family doing? hope this email find you all in good health and spirit. I am currently in Burkina Faso on vacation but i will return back as soon as possible due to my poor health. I have tried calling you severally but didn’t get through, please can you call me on … as soon as you get this email? I have something urgent i need to talk to you about.”

That is the kind of fake e-mail thousands of university employees get every year. It appears to come from a friend or a colleague, but is actually from a scammer on the other side of the world.

All these scams tell the same story: the sender is out of the country and has been robbed and needs assistance now, or is ill, or is in some sort of trouble and needs your help… This trick relies on good-natured people willing to help a friend.

The Stranded Traveler scam is a way to profit from hacking into someone’s webmail account – like Yahoo!Mail, Hotmail or GMail.

This usually happens when somebody has a simple, easily guessable password on their webmail account, or they have left their details on a phishing site.

Once the scammer has gained control of the “mule’s” email account, they log into the webmail account and:

  • Change the webmail password so the real user can’t login.
  • Grab a copy of all the contacts either from the contacts list or individual messages.
  • Filter out non-personal messages to target friends/acquaintances only.
  • Send the ‘stranded traveler’ message out to the contacts and hope for replies with money transfer details.
  • Meanwhile, the real owner of the webmail account is probably unaware there’s a problem until they try to log in to their email. Even then, they probably think they’ve forgotten the password rather than that they have been hacked. It’s only when a friend contacts them directly that the scam is revealed – usually far too late.

How to protect yourself: There are various things you can do to prevent being a victim of this scam, either having your webmail hacked or receiving scam emails.

  • Don’t click on attachments in emails from strangers, or if they are from someone you know but look suspicious.
  • Have a complex, hard to guess password. Dictionary words aren’t enough. Preferably a mix of upper and lower case letters plus digits and other characters like (!@#$%^&*)
  • Don’t reveal the password to anyone, and be careful of email messages that pretend to come from the webmail provider. Phishing messages are the most common way that people give away their passwords.
  • If you get an urgent email from a friend, especially one asking for money, check with them using other means. Try to call them or check with mutual acquaintances to see if the story is true beyond what you’ve learnt in the email. At worst, you could reply and ask for some information only the real sender would know (keep in mind that the scammer can read/search the hacked webmail account).

So how do scammers get your email password?

  • Phishing websites: Typically a victim receives a message that appears to have been sent by a known contact or organization. The victim clicks on an attachment or link in the message and is directed to a malicious website set up to trick them into divulging personal information, such as usernames & passwords.
  • Trojan programs: If you click on an attachment in an unknown email, it can trigger your computer to download a “Trojan” program that then allows cyber criminals to see every keystroke you make – including your email password.
  • Password breaker program: Often called a “brute force program,” this is software bad guys use to try every combination of numbers and letters until they hit on your password.
  • Email addresses used as logons: Many websites have you set up an account using your email address as your user ID. If you then use the same password for that account that you use for email, criminals have what they need: your email address and your password.
Aug
07
Filed Under (Uncategorized) by dw on 07-08-2017

According to the South African Banking Risk Information Centre (SABRIC), South Africans lose in excess of R2.2bn to internet fraud and phishing attacks annually!

This gives South Africa the embarrassing status of having the third highest number of cybercrime victims worldwide!

South Africa has suffered more cybercrime attacks than any other country in Africa.

Antonio Forzieri, Cyber Security Practise Lead: EMEA at Symantec, is quoted as saying that “one in 214 emails sent in South Africa during 2014 was a spear-phishing attack.”

This morning’s attack on the University of Stellenbosch was a spear-phishing attack. (“spear-phishing” is not a new water sport!)

Phishing emails target a broad group of users in hopes of catching a few victims but spear-phishing emails are far more focussed.

SPEAR-PHISHING is where the perpetrator targets a specific person or organisation – like the university. This takes the form of emails addressed to you, ostensibly from within the organisation using an internal e-mail account. It looks familiar and appears legitimate!

This morning’s attack came in the form of an e-mail, disguised as being sent from a trusted source, (a known university e-mail address) and tried to fool victims into voluntarily disclosing sensitive information such as usernames and passwords, by encouraging people to open a link that took them to a site that was disguised to look like the university’s webmail login page.

Most spear-phishing emails have a “call to action” as part of their tactics, which is an effort to push the receiver into opening a link or attachment or else suffer some consequence: “We have detected your mail settings are out of date…Sign in and automatically update your mailbox…”

What was concerning about this morning’s attack was that the perpetrators had registered a South African domain name (which can only be done in South Africa) using a name very similar to Stellenbosch, and including the university’s network acronym, SUN, in the domain name! This was not a random attack. It was focussed and, judging by the number of e-mail addresses it was sent to, was specifically engineered to compromise the university network.

What can we do?

  • Prevention always begins with educating all employees about the new reality of spearphishing attacks. By now, everyone should know about the old-style phishing emails, full of typos and promises of unearned millions – they are no longer your main worry. New spear-phishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone that your colleagues trust.
  • Always ask for independent confirmation (such as a phone call or IM) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today.
  • Report anything suspicious. If you accidentally executed anything that you later became suspicious about, you should report it as well. It is important to remove the stigma and embarrassment of being fooled. Anyone, even security experts, can be tricked today, given the sophistication of the attacks.
  • Start to aggressively test employees with fake phishing attempts. These attempts should use phishing email templates that are more sophisticated and less like the phishing attempts of the past.
  • Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, you’ll have your employees questioning any unexpected emails asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education program.
  • Lastly, if a spearphishing attempt is successful in your institution, then use the actual phishing email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons into focus is welcome.

The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.
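A mail filter or help-desk script can catch the kind of look-alike domain described above before a user has to judge it by eye. The following is an added example, not part of the original post: the trusted domain `sun.ac.za`, the brand tokens, the function names and the sample message are all assumptions constructed for illustration, and the `.example` domains are not the ones used in the attack.

```python
"""Triage the sender and link domains of a message for look-alikes (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = "sun.ac.za"            # assumption: the organisation's real domain
LONG_BRANDS = ("stellenbosch",)  # long names: matched fuzzily by edit distance
SHORT_BRANDS = ("sun",)          # short acronyms: exact token match only


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return 'trusted', 'lookalike' or 'unrelated' for one host name."""
    domain = domain.lower().rstrip(".")
    if domain == TRUSTED or domain.endswith("." + TRUSTED):
        return "trusted"
    # Split on dots and hyphens so "sun-webmail" yields the token "sun".
    for tok in (t for t in re.split(r"[.\-]", domain) if t):
        if tok in SHORT_BRANDS:
            return "lookalike"   # brand acronym embedded in a foreign domain
        if any(levenshtein(tok, brand) <= 2 for brand in LONG_BRANDS):
            return "lookalike"   # exact or near-miss spelling of the brand name
    return "unrelated"


def domains_in_message(raw):
    """Collect the From: domain and every http(s) link host in a raw message."""
    msg = message_from_string(raw)
    found = set()
    _, addr = parseaddr(msg.get("From", ""))
    if "@" in addr:
        found.add(addr.rpartition("@")[2].lower())
    for url in re.findall(r"https?://[^\s<>\"']+", raw):
        host = urlparse(url).hostname
        if host:
            found.add(host)
    return found


def triage(raw):
    """Map each domain found in the message to its verdict."""
    return {d: classify(d) for d in sorted(domains_in_message(raw))}


# Constructed sample message, modelled on the "call to action" quoted above.
SAMPLE = "\n".join([
    'From: "IT Helpdesk" <helpdesk@sun-webmail.example>',
    "To: staff@sun.ac.za",
    "Subject: Mail settings out of date",
    "",
    "We have detected your mail settings are out of date.",
    "Sign in: http://webmail.stellenbosh.example/login",
    "Policy: https://www.sun.ac.za/english",
    "",
])

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE).items():
        print(f"{verdict:10} {domain}")
```

A short token such as "sun" will also match unrelated legitimate domains, so a "lookalike" verdict is a reason to hold the message for review rather than proof of fraud.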

Aug
07

As if the recent ransomware scares and cleverly disguised phishing scams weren’t enough to keep you up at night, password breaches continue to make news.

Although “online safety” feels more and more like an oxymoron these days, there are still steps you can take to protect yourself when breaches like this occur. It all starts with getting rid of those overly used, poorly designed passwords you know are terrible but you use anyway.

The most secure password in the world is useless if a hacker steals it, but the real problem comes if it is the same password you use for every single log-in.

In other words, it’s essential that you employ a different password everywhere you conduct online affairs.

The well-known data breach repository “Have I Been Pwned” has recently released a database of over 306 million passwords contained in multiple data breaches.

Previously I used the “Have I Been Pwned” website, by entering my work email address to check if one of my accounts had been compromised by hackers in a data breach.

I was shocked to find out that two of my online accounts, one with Adobe and another with vBulletin, had been compromised by a data breach. My username, passwords and other personal information had been obtained and made publicly available by hacker groups.

Embarrassing!

Last week, the process for checking the safety of your passwords was given a helping hand by the creator of the Have I Been Pwned site:

A dedicated Passwords page has been added to the website, allowing users to check a password against a database of 306 million passwords.

The passwords contained in the list were compromised in various data breaches, making them accessible to hackers and other attackers.

While you may be tempted to enter your current passwords into the Have I Been Pwned website, you should never enter current active passwords into any third-party service.

The Passwords page allows you to compare potential new passwords against the database of compromised keys to determine their security. I found it very useful, giving me the peace-of-mind that my current method of creating passwords was relatively safe – for now!

These days, it seems we have to hand out our cellphone number like sweets at a kids party. Whether it be required for signing up for a new account, entering into a raffle, returning a purchase at a retail store, or registering for a discount, your phone number seems to be like a “skeleton key” for opening up all manners of doors.

Does giving out your cellphone number put you at risk of identity theft?

The answer is both “Yes” and “No”.

Yes, oversharing or giving out your number too frequently can lead to more scam calls, texts or unwanted solicitors. These days, our cellphone numbers are being used increasingly by information brokers to gain access to personal information that’s kept by nearly all corporations, financial institutions, and social media networks.

If someone you had just met asked you for your ID number, you would likely not give it to them. What if the same person asked you for your cell phone number? My guess is that you would readily tell them the ten-digit number, with no questions asked.

No, identity thieves cannot open new lines of credit, apply for benefits or make large purchases with your cellphone number.

However, the real threat is with the device itself.

Your cell phone number – which is unique to you – is the doorway to your identity. It provides an entrance to all the data contained on your phone, and can link your other information to you – your email address, physical address, bank account number etc. If your smartphone falls into the wrong hands and isn’t protected, a thief could access your email account and change all of your account log-ins, get into your Facebook and post malicious links, access your two-factor authentication, or even drain money from your mobile wallet.

What can you do about it?

  1. Safeguard your mobile device: Make sure it has a passcode and is set to lock quickly. You’ll also want to have a phone finder app installed so that if it is lost or stolen you can either find it, or worst case, remotely erase all of your data.
  2. Use common sense: If you’re asked for your phone number, ask why. In general, don’t give it out to people you don’t know, and see if you can leave it blank on online forms – even if that means it may take a few seconds more to identify you the next time you make a purchase.
  3. Enable two-factor or multi-factor authentication on all your devices: This is what happens every time you go to an ATM: to make a withdrawal you need both your debit card and a PIN number. That’s two-factor authentication, which increases the level of security on your devices.
  4. Sign up for the “do not call” lists, which are helpful for run-of-the-mill solicitations. While hackers don’t subscribe to such lists, you won’t get as many pesky marketing calls.
  5. Get more than one cell phone, and only give out the number of the phone that contains no data or links to personal information.
  6. Choose which private data you are willing to share: When asked for your cell number, especially at a retailer, you may be able to provide an email address, zip code or just your name as a way to identify you. It’s worth asking about.

All of this takes more time and effort, but ask yourself: how much privacy and security are you willing to trade away for a little more convenience?

According to International Business Times, a new study finds more than 80% of Americans reuse their passwords, and many others continue to use inadequate security practices when it comes to the passwords they use to protect their accounts.

The security provider SecureAuth and research firm Wakefield Research found that not only do people use the same password more than once, they also use the same login credentials for at least 25 percent of their accounts.

While most millennials are more tech savvy and open to new and more secure forms of authentication like biometrics, their password practices are worse than the general population. A whopping 92% of millennials admitted they reuse passwords, compared to 81% of Americans overall.

Even more troubling, more than one in three people – 36% – reported they use the same password for 25 percent or more of their online accounts.

Despite the rampant reuse of passwords – a major security weakness – most Americans are very concerned about the possibility of their account information being stolen. 69% said they were more worried about their online information being stolen than their wallet.

Many Americans have already experienced such a breach of an online account. 35% of people surveyed said they have had an online account hacked – including 50% of millennials.

Of those people who have fallen victim to a hack, 91% reported the account breach carried severe repercussions for them. The biggest issues for those who have been hacked include spam messages (42%), account lockouts and money stolen (38%) or an unauthorized purchase being made from their account (28%).

About one in five people—19%—who had an account hacked reported having personal information stolen, including Social Security numbers, date of birth, photos, tax records and other sensitive personal files.

Despite identity-based detection techniques such as geo-location, device recognition, and phone number fraud prevention, the practice of reusing passwords puts users at increased risk in the case of a data breach. Once passwords are stolen from one site or service—an occurrence that happens regularly—a malicious actor could use that same password to gain access to another account belonging to the same user.

Given the number of massive database breaches, including those from sites like LinkedIn or Yahoo that included millions of users, it is relatively easy for an attacker to cross reference an account and use the stolen credentials to attempt to break into another account.

Additional security protocols like using two-factor or multifactor authentication or using a password manager to generate more secure, unique passwords can provide some additional protection from these types of attacks.

Don’t think for a moment that this survey is only relevant to Americans. According to an article recently tweeted by Stellenbosch University’s Information Technology, South Africa has the third highest number of cybercrime victims worldwide and loses in excess of R2.2bn to internet fraud and phishing attacks annually. South Africans are just as bad as the Americans with their poor password practices!

Jun
27

Your smartphone can be easily hacked if you plug it in to charge via USB at a public place like an airport, cafe or on public transport.

Researchers at security firm Kaspersky Labs found that they could install a third-party application, like a virus, onto the phone via its USB cable connection to a computer. It took them under three minutes.

They also found that the Android and iOS phones tested leaked a host of private data to the computer they were connected to whilst charging, including the device name, device manufacturer, device type, serial number and even a list of files.

It’s well known that public Wi-Fi connections are a security risk, but did you know that the USB cord used to charge your phone is also used to send data from your phone to other devices?

By pairing it with any charging station (airport, plane, mall), which usually has a computer hidden behind it, you run the risk of having your photos or contact info sent to that device. If the computer behind the charging station is compromised, it could inject malicious code directly into your device.

You should also avoid connecting your mobile device via USB to a rental car’s entertainment system just for charging. Use the cigarette lighter adapter instead so you don’t have to worry about your personal info being stored in a car that’s not yours.

How to protect yourself:

  • Only plug your phone into trusted computers, using trusted USB cables
  • Protect your cell phone with a password, or with another method such as fingerprint recognition, and don’t unlock it while charging.
  • Use encrypted apps like WhatsApp and iMessage to communicate
  • Antivirus programs can be a pain, but they help to detect malware even if a “charging” vulnerability is used.
  • Always update your cellphone operating system to the most recent version, as that will have the most up-to-date bug fixes.

Malware is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.
The term “malware” is a compound of two other words, “malicious” and “software”, and describes software created by hackers to disrupt computer operations, gather sensitive information, or gain access to private computer systems.

Malware includes computer viruses, worms, trojan horses, spyware, adware, most rootkits, and other malicious programs.

Some forms of malicious software are:

Spyware is a type of malware installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally to monitor users.

While the term spyware suggests software that monitors a user’s computing, the functions of spyware can extend beyond simple monitoring. Spyware can collect almost any type of data, including personal information like internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, which can result in slow internet connection speeds, unauthorized changes in browser settings, or changes to software settings.

Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately. While the most widely recognized form of spam is e-mail spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, internet forum spam, junk fax transmissions, social networking spam, television advertising and file sharing network spam.

Phishing is attempting to acquire information (and sometimes, indirectly, money) such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing e-mails may contain links to websites that are infected with malware. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details on a fake website which looks almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Spear-phishing is a more targeted form of phishing. Ordinary phishing involves malicious emails sent to any random email account, but a spear-phishing email is designed to appear to come from someone the recipient knows and trusts — such as a colleague, business manager or human resources department — and can include a subject line or content that is specifically tailored to the victim’s known interests or industry. Phishing attacks are so successful because employees click on them at an alarming rate, even when emails are obviously suspicious.

Pharming is a hacker’s attack intended to redirect a website’s traffic to another, bogus site.
The term “pharming” is a compound term based on the words “farming” and “phishing”. Phishing is a type of social-engineering attack to obtain access credentials, such as user names and passwords. In recent years, both pharming and phishing have been used to gain information for online identity theft. Pharming has become of major concern to businesses hosting e-commerce and online banking websites.

May
15
Filed Under (Editorial, Tips) by dw on 15-05-2017

Ransomware stops you from using your PC. It is malware that holds your PC or files for “ransom”.

Although there are different types of ransomware, all of them will prevent you from using your PC normally, and they will all ask you to do something (like demanding money) before you can use your PC.

Ransomware can target PC users, whether it’s a home computer, a computer on a university network, or servers used by the government.

Ransomware can:

  • Prevent you from accessing your operating system.
  • Encrypt files so you can’t use them.
  • Stop certain apps from running (like your web browser).
  • Ransomware will demand that you pay money (a “ransom”) to get access to your PC or files.
  • There is no guarantee that paying the ransom or doing what the ransomware tells you will give access to your computer or files again.

There are two types of ransomware, lockscreen ransomware and encryption ransomware.

Lockscreen ransomware shows a full-screen message that prevents you from accessing your PC or files. It says you have to pay money (a “ransom”) to get access to your PC again.

Encryption ransomware changes your files so you can’t open them. It does this by encrypting the files.

Some versions of ransomware claim you have done something illegal with your PC, and that you are being fined by a police force or government agency. These claims are false. It is a scare tactic designed to make you pay the money without telling anyone who might be able to restore your PC.

The latest versions encrypt the files on your PC so you can’t access them, and then simply demand money to restore your files.

Ransomware can get on your PC from nearly any source that any other malware (including viruses) can come from. This includes:

  • Visiting unsafe, suspicious, or fake websites.
  • Opening emails and email attachments from people you don’t know, or that you weren’t expecting.
  • Clicking on malicious or bad links in emails, Facebook, Twitter, and other social media posts, instant messenger chats, like Skype.

It can be very difficult to restore your PC after a ransomware attack – especially if it’s infected by encryption ransomware.

The best solution to ransomware is to be safe on the Internet and with emails and online chat:

  • Don’t click on a link on a webpage, in an email, or in a chat message unless you absolutely trust the page or sender.
  • If you’re ever unsure – don’t click it!
  • Often fake emails and webpages have bad spelling, or just look unusual. Look out for strange spellings of company names (like “PayePal” instead of “PayPal”) or unusual spaces, symbols, or punctuation (like “iTunesCustomer Service” instead of “iTunes Customer Service”).
Dec
07

Early this month it was revealed that users of Android, the operating system used by most brands of South African smartphones, were vulnerable to a major security flaw.
Check Point, a large Internet security firm, disclosed that around 13,000 Android smartphones per day are being breached by a malware called “Gooligan”.

Like most hacks, this particular threat relies on you downloading apps from unsafe stores; these apps contain malware that specifically targets the Google accounts of Android users. It appears that this malware targets the user’s Google accounts by stealing their authentication/passwords and presents an opportunity for criminals to access data on your Gmail, Google Docs, Google Drive and other Google services – hence the name “Gooligan”.

If you download your apps from the apps store on your phone or Google Play, you are okay, because Android requires app developers to go through a quality assurance process, but if you have installed innocent-looking, albeit booby-trapped, software from app stores outside Google’s authorized Play store, then you are at risk.

If you’re unsure as to whether your device has been infected, a free service has been set up by Check Point to check user names.

This Check Point service requests users to enter their email address. A search is then conducted against known compromised accounts.

Google Android is the world’s most popular mobile operating system, but it is an ‘open’ operating system, which basically means that smartphone manufacturers are free to alter Android to work in any way they want, and anyone can release apps for it.

However, this also means Android is more prone to malware than other mobile operating systems. The logic is simple: if you wouldn’t use a Windows PC without malware protection, then you shouldn’t leave your Android smartphone exposed.

Fortunately, protecting your Android smartphone or tablet is straightforward — and free:

Step 1: Update your version of Android…

It’s important to keep your Android software up to date.  As well as new features, each update includes bug fixes to help protect your phone.
Tap the Settings icon, then scroll down to About phone (or About tablet) – Software (or System) update.
You’ll see your update status, including whether your software is up to date.

Step 2: Prevent app installs from unknown sources…

Check that your Android device is set up to only allow app installations from the Google Play store.
To do this, go into the Settings – Security. Scroll down and under Device Administration look for Unknown sources. Make sure this is unchecked.

Step 3: Restrict downloads with a password…

If other people use your Android smartphone then it is essential to enable a password for installation of new apps. This is especially important for parents who don’t want their children installing sometimes expensive apps without their knowledge.
Launch the Google Play store app then tap the menu button at the top right – it looks like three stacked dots. Now tap Settings and look for User Control.
Tap Parental Controls and turn the slider On. You’ll be asked to Create content PIN.

Step 4: Read and understand permissions…

When you tap the Install button in the Google Play store, your Android device will display an App permissions dialogue box.
Scroll down and tap See all to view everything that the app wants to access on your handset.
Some apps have a legitimate need to access certain features of your smartphone. A web browser, for example, will need access to the internet, while a photo app will need access to the device’s storage.
If in doubt, or if you don’t want to share the information, don’t install the app.

Step 5: Install free antivirus software…

You should install antivirus software onto your Android smartphone. Fortunately, this is both easy and free.
There are plenty of good free antivirus products on the Google Play store that will protect against viruses and malware, blocking dangerous links and some even help you find your phone.

Step 6: Finally… Use common sense…

Protection is all well and good, but it pays to be cautious.
First and foremost don’t click on suspicious links and always delete anything that looks suspect. Email hacking is very common – you may receive an email from a trusted source containing a YouTube link with an unusual heading – don’t click on the link and, if your email app allows it, flag the message as spam or junk mail.
Additionally, if you get a spam text message informing you you’ve won a prize, delete it. If you haven’t entered a competition, you’re highly unlikely to have won a prize.

Jan
15
Filed Under (Editorial, Tips) by dw on 15-01-2015

Have you ever received a call from someone with a heavy Indian accent from Microsoft saying your computer had errors or viruses? The purpose of these telephone calls is to get an easy R500 (or whatever amount they choose) by scaring you into thinking there’s something really wrong with your computer and that they can fix it for you.

These tech support phone scams have been going on for many years and scammers keep on defrauding innocent people of their money because their success ratio is still worth their time and effort. Pensioners and non-technical people are most often victims, as these smooth-tongued Indian operators are very good at blinding you with “technospeak”.

Often the caller’s number will not appear on your phone, a sign that they were using some Voice over IP (VoIP) or such technology that both completely hides their identity and costs them nothing for long distance calls.

This scam is a well-oiled machine which starts off with the alleged Microsoft representative asking you to turn on your computer to perform some checks for errors. They essentially make you open different applications which aren’t typically known by regular users.

Step 1: Scare Tactics

You will be instructed to press the “Windows” and “R” keys together to get to the Windows Run dialog box and then run a command to open up the Windows Event Viewer:

Conveniently, the Event Viewer will always show some warning or error which the scammer can use to instill fear. Often legitimate files stored in the Windows Prefetch folder will be called spyware and viruses, but this is a lie, as those Prefetch files are simply used by Windows to launch programs faster. The “System Configuration Utility”, also known as msconfig, will also be used to focus the victim on the status of each Service and to count how many “stopped” ones there are.

Step 2: The “Intervention”

The next step of the scam consists of allowing a remote person to fix these “issues” for the victim. This involves giving the scammer access to your computer using a remote control program like TeamViewer.

The scammers will then perform questionable tasks to “repair” the system, such as installing trials of other legitimate security software, installing malware (including rogue security software) designed to collect the user’s personal information, and deleting the aforementioned files that were previously claimed to be malware.

Step 3: The “Hit”

They then coax the victim into paying for their services or the software designed to “repair” their computer, and in turn, gain access to the victim’s credit card information, which can be used to make additional fraudulent charges. Afterwards, the scammer may also claim that the victim is eligible for a refund, and request the user’s bank account information—which is instead used to steal more money from the victim rather than providing the promised refund.