Week in security with Tony Anscombe

With vacations in full swing, cybercriminals will be looking to scam vacationers looking for that perfect accommodation. Learn to identify these scams. Most people are fans of the convenience provided by online shopping, but some criminals use this to lure clients into Amazon scams. Learn to detect these. Now that organizations are set to evolve a hybrid blend of home and office-based work for most employees, it is more important than ever to address the risks that insider threats can – willingly or unwittingly – pose.

Watch out for these scams, targeting Amazon’s customers

Most people are fans of the convenience Amazon brings to online shopping, and that’s precisely what cybercriminals are betting on.

Amazon is the largest online marketplace in the world boasting over US$386 billion in revenue in 2020 with 200 million subscribers to its Amazon Prime service just in the United States. And that’s just a fraction of the whole customer base that it serves around the globe year-round. Of course, such a huge customer pool attracts cybercriminals who are looking to make bank by scamming unsuspecting victims with a variety of tricks that they have in their arsenal of scammery.

Fake order phishing email

As with any major service, Amazon is no stranger to being spoofed or impersonated by enterprising fraudsters who are looking to dupe people out of their personal information or to gain access to their account credentials. The emails you may receive can take on various forms; however, they usually impersonate a common Amazon dispatch email that regular customers have encountered many times over. For example, you might receive one confirming a purchase that you didn’t make, which tries to trick you into clicking on various links that look like contact information for Amazon’s customer service. These links can then redirect to something that looks like the official Amazon login page; however, when you try to sign in you will have divulged your credentials to the scammer. Alternatively, by clicking on the link or attachment in the email you may download a malicious payload to your device that will attempt to install keylogging software to harvest your credentials for any services you use.

Generally speaking, unless the fraudster behind the scam did an immaculate job with the counterfeit email, there are several warning signs that will give it away as an attempt at phishing. If the email contains typos, grammar mistakes, or an attachment, it is most assuredly a scam. When checking out a link that you’ve received in an email, hover your cursor over it and check whether the address is something.amazon.com, where something is one of many valid Amazon subdomains – for example, pay.amazon.com or www.amazon.com. If you suspect that you’re being phished you should contact Amazon directly, since it takes these issues seriously.
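As an added illustration of the hover-and-check rule above (example code written for this digest, not ESET’s or Amazon’s), this Python script pulls every link out of an HTML mail body and flags any whose host is not amazon.com or one of its subdomains, including the usual lookalike and user@host tricks. The sample email, the .example hostnames and the 198.51.100.7 address are constructed.

```python
"""Flag links in a suspected Amazon phishing email that do not point at amazon.com.

Added example, not ESET's or Amazon's code. Rule implemented: the link host must be
amazon.com itself or a subdomain of it (pay.amazon.com, www.amazon.com ...).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "amazon.com"  # assumption: the only legitimate domain accepted here


def is_trusted_link(url: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if `url` is an http(s) URL whose host is `domain` or a subdomain of it."""
    try:
        parts = urlsplit((url or "").strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False                      # mailto:, data: and friends are never a login page
    host = parts.hostname                 # drops userinfo and port: 'a@evil.test:8080' -> 'evil.test'
    if not host:
        return False
    host = host.rstrip(".").lower()
    if "xn--" in host:
        return False                      # punycode label (IDN lookalike): treat as suspect
    # Exact match, or a label boundary right before the domain, so that
    # 'www.amazon.com.evil.test' and 'notamazon.com' both fail.
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str, domain: str = TRUSTED_DOMAIN) -> list:
    """Return [(href, visible_text, verdict)] for every anchor in an HTML mail body.

    verdict is 'ok' when the href is trusted, otherwise 'suspect'. Visible text that
    reads like an amazon.com address over a non-Amazon href is exactly the mismatch
    the hover check in the article is meant to reveal.
    """
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text, "ok" if is_trusted_link(href, domain) else "suspect")
            for href, text in parser.links]


# Constructed sample: a fake "order confirmation" using common phishing tricks.
SAMPLE_EMAIL = """
<p>Your order #12345 has shipped.</p>
<a href="https://www.amazon.com/gp/css/order-history">View your orders</a>
<a href="https://www.amazon.com.account-verify.example/login">www.amazon.com/login</a>
<a href="https://www.amazon.com@198.51.100.7/login">Contact customer service</a>
<a href="http://amazon-com-security.example/cancel">Cancel this order</a>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:8} {text!r:32} -> {href}")
```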

Gift card scams

Gift card fraud is another perennial problem that you can encounter. The con-artists may utilize different strategies to dupe their victims, however, the ultimate goal remains the same – trick them into purchasing and sending Amazon gift cards. Popular tactics usually include evoking a sense of urgency or pressure in order to make victims act quickly rather than give deep thought to the contents of the message or phone call. Victims may receive unsolicited email messages or phone calls about a pressing issue involving their social security numbers or benefits and to resolve it they’ll have to pay a penalty using gift cards. Alternatively, victims may be told that a family member is in trouble and needs financial help. There are multiple scenarios at play where fraudsters can also impersonate Amazon itself, claim to be someone from the management of the victim’s employer, you name it.

However, fortunately, most of these scams can be uncovered quite easily if you keep a cool head. Government officials will never ask you to pay a fine or penalty with a gift card, so you can be 100% sure that if you get such a request it’s a scam. As for the rest of the scenarios, to verify the claims you just need to call your family member to see if they’re in trouble or the person from your company that requested the gift cards. And of course, it goes without saying that you should contact all of the aforementioned people or institutions through the verified official channels.

Payment scams 

Payment scams come in many shapes and sizes, and while the form may differ, in the end, the scammers behind them are after only one thing – the contents of your bank account. There are multiple ways that this can occur. One tactic that is often utilized is trying to convince you to pay outside Amazon’s secure platform. The crooks will try to lure you in various ways, by offering a discounted price, for example; however, if you relent, the most probable outcome is that you’ll both lose your money and not get the product. Additionally, you won’t be able to lodge a complaint with Amazon, since you paid the fraudulent charges outside the confines of its platform. Other flavors of payment scams to watch out for include paying to claim a prize that you’ve supposedly won or paying a seller whose identity you can’t verify; avoid offers that seem too good to be true or that you find suspicious.

The obvious advice, in this case, is to stick to Amazon’s platform for all orders and payments. Even the company itself warns against sending money outside the confines of its platform: “Don’t send money (by cash, wire transfer, Western Union, PayPal, MoneyGram, or other means, including by Amazon Payments) to a seller who claims that Amazon or Amazon Payments will guarantee the transaction, refund your funds if you’re not satisfied with the purchase, or hold your funds in escrow.”

Dodgy phone calls

Sometimes scammers will resort to more “analog” means to try and hoodwink their victims – fake support calls. The content of the calls might vary, however, they often sound like a pre-recorded message impersonating Amazon claiming it has registered something wrong with your account, something that would pique your interest – a fishy purchase, lost package, etc. According to a warning issued by the United States Federal Trade Commission, the message will then either inform you to press 1 to speak to a customer support agent or give you a number to call back. If you engage in conversation, the scammers will most likely try to wheedle sensitive data out of you like your personal information or your payment data.

The most sensible thing to do, before going into full-blown

Leading cybersecurity agencies reveal list of most exploited vulnerabilities of the past 2 years

There are 30 vulnerabilities listed in total; organizations would do well to patch their systems if they haven’t done so yet

The leading cybersecurity and law enforcement agencies from the United States, the United Kingdom, and Australia have issued a joint cybersecurity advisory focusing on the top 30 vulnerabilities that were commonly abused by threat actors over the course of 2020 and 2021.

The advisory, coauthored by the United States’ Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Center (NCSC) and the Australian Cyber Security Centre (ACSC) revealed that the four most targeted vulnerabilities in 2020 were related to remote work focused technologies. This could be attributed to the COVID-19 pandemic that forced most companies to quickly transition to a work-from-home environment.

“The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching,” the advisory reads.

According to the U.S. government’s findings, the most exploited vulnerability in 2020 was a flaw in the Citrix Delivery Controller. Tracked as CVE-2019-19781, the arbitrary code execution bug was rated as critical in severity and holds an almost perfect score of 9.8 out of 10 on the common vulnerability scoring system (CVSS) scale. If an attacker is successful in exploiting the security loophole they could take over the affected system. The vulnerability attracted cybercriminals because it is easily exploited and the fact that Citrix servers are used extensively worldwide.

“In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet. CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs,” CISA went on to add.

You can find the full list of vulnerabilities with recommended mitigations in CISA’s advisory.

Patch your systems immediately 

The quartet of agencies urged companies and organizations to patch their vulnerable systems, as it’s one of the easiest ways to reduce the chances of the vulnerabilities being exploited and their systems compromised. It goes without saying that patches should be deployed as soon as practicable. However, sometimes not everything can be patched; in those cases, the best course of action is to apply the workarounds or other mitigations that vendors usually provide.

“In cybersecurity, getting the basics right is often most important. Organizations that apply the best practices of cybersecurity, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks,” said Executive Assistant Director for Cybersecurity, CISA, Eric Goldstein.

Tackling the insider threat to the new hybrid workplace

Now that organizations are set to evolve a hybrid blend of home and office-based work for most employees, it is more important than ever to address the risks that insider threats can – willingly or unwittingly – pose.

The old adage “a chain is only as strong as its weakest link” is regularly repurposed for discussions about cybersecurity. It couldn’t be more apt—except that in the cyber-arena, each link is represented by an individual employee. That makes a lot of potential weak points for attackers to probe. And they do, relentlessly. Unfortunately, the switch to mass remote working during the course of the pandemic turned a long-running problem into an even bigger challenge for cybersecurity teams.

Now that organizations are set to evolve a hybrid blend of home and office-based work for most employees, this is a challenge that can’t be ignored any longer. The stakes are simply too high. 

The scale of the insider threat 

Although malicious insiders are a growing issue, the bigger problem relates to negligent or careless employees. Humans are the ones that click on links, set passwords, configure IT systems and code software. They are naturally error-prone and can be manipulated by social engineering. So, naturally they represent a prime cyber-risk for organizations and a major opportunity for threat actors. In a hypothetical world free of human-made mistakes, it’s difficult to imagine a cybersecurity industry worth the estimated US$156 billion it is today.  

How does human error contribute to security risk? A few statistics are worth highlighting. 

  • Some 85 percent of breaches involved a human element last year, according to Verizon 
  • Nearly 19 percent of breaches involved “miscellaneous errors” 
  • Around 35 percent of breaches featured social engineering 
  • Phishing attacks increased 11 percent from 2020-21 
  • Nearly US$2 billion was lost last year to Business Email Compromise (BEC) attacks, in which users are tricked into wiring corporate funds to fraudsters
  • Missing devices represent a major but unquantified threat. Over 1,000 were lost or stolen from UK government departments alone in 2020.

    The financial impact of such threats is debated. However, one estimate claims that an insider breach on average cost global organizations nearly US$11.5 million in 2019, up by 31 percent on 2017 figures. 

    How threat actors are targeting remote workers 

    With the pandemic came new opportunities to target employees. Almost overnight, organizations shifted from centralized IT systems secured with proven policies, processes and technology to a distributed workforce. Employees were not only using potentially insecure home networks and devices, but may also have been more distracted by home life, especially those with childcare commitments. Even those without suffered by being more isolated, making it harder to quickly sanity check suspicious emails with colleagues or IT staff. 

    Stress also played a potentially key role here, increasing insider risk. According to an ESET report produced last year with business psychology specialist The Myers-Briggs Company, 47 percent of respondents were somewhat or very concerned about their ability to manage stress during the crisis. Stressed employees may be more likely to panic and click on a malicious link, or fail to report a potential breach to IT, the report warned. Long working hours may have a similar effect. Official data from the UK’s Office of National Statistics revealed that home workers were at their desks for on average five hours longer than office-bound colleagues in 2020. 

    The ESET report had more concerning findings including: 

  • CISOs reported a 63 percent increase in cybercrime since lockdowns began  
  • Although 80 percent of respondents had a remote working strategy in place, only a quarter said it was effective  
  • Around 80 percent said that increased cyber-risk caused by human factors posed some sort of challenge

    Alongside phishing, other hybrid working threats include:

  • RDP hijacking, which is used increasingly by ransomware actors. This is facilitated by weak or previously breached credentials 
  • Unpatched systems (eg VPNs, laptops) 
  • WiFi and/or smart home devices without strong passwords 
  • Use of shared devices, where employees’ house mates or children visit risky sites and unwittingly download potentially malicious software

    How to secure the hybrid workplace

    With a partial return to the office, hopefully some of these challenges will recede. Less stress and isolation may positively impact risk reduction efforts. But there’s also the potential for staff to bring bad habits learned during the crisis back into work—along with any malware hiding on devices. The ferrying of laptops back and forth between home and work may also increase the risk of lost or stolen devices. 

    However, there are things that security teams can do to minimize the risks associated with the new hybrid workplace. These include: 

  • Mandating use of multi-factor authentication (MFA) for all accounts and devices 
  • Policies to require automatic updates be switched on for all devices 
  • Strong passwords for all home devices including routers 
  • Psychometric testing to help identify where human weaknesses exist. This intel could be used to develop better security protocols and make training more personalized and effective
  • Strict vetting/auditing of suppliers and their capabilities for mitigating insider threats 
  • Data loss prevention tools
  • Network segmentation  
  • Restricting access rights according to the least privilege principle
  • Zero Trust approaches to limit the damage that can be caused by insider incidents 
  • Modifying working culture so those at home

    Most Twitter users haven’t enabled 2FA yet, report reveals

    Twitter’s transparency report revealed that users aren’t quick to adopt 2FA and once they do enable it, they choose the least secure option

    According to the data shared by Twitter in its recently released transparency report, the popular social network’s users are reluctant to adopt two-factor authentication (2FA) to bolster their account security. In fact, the report paints a pretty bleak picture considering that over the second half of 2020 only 2.3% of active Twitter accounts had at least one 2FA method enabled.

    A quick refresher: 2FA, also widely known as multifactor authentication (MFA), is one of the simplest ways to add an extra layer of security to your accounts. There are three classic authentication factors, often described as “something you know, something you have, and something you are”. In simpler terms, the first are things like passwords and PINs, the second are things like physical keys, tokens, or SMS codes, while the third is biometrics like fingerprints and face scans. So, in the unfortunate event that your password is compromised, the cybercriminals will still have a tough time getting in.

    Although the adoption of 2FA isn’t widespread among users, on the bright side Twitter registered an uptick of 9.1% in the number of users that had at least one 2FA method enabled. Over the years Twitter has started supporting a variety of 2FA methods, including sending a unique code via text message, using a mobile authenticator app, or using a security key.

    “In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks. Authentication apps avoid the SIM-hijacking risk, but are still susceptible to phishing attacks. Security keys are the newest and most secure form of 2FA since they include built-in protections from phishing attacks,” said Twitter.

    If we look at the breakdown of the authentication methods favored by users that have them set up, SMS-based authentication codes are by far the most dominant option, used by over 79% of accounts with 2FA enabled. Meanwhile, on the other end of the spectrum, security keys, which are considered the safest option, are used by a meager 0.5%. This is an interesting piece of information, since Twitter recently allowed users to set security keys as their sole 2FA method.

    While Twitter did concede that the adoption rate of 2FA remains relatively low, the popular social platform went on to add that it was encouraged to observe a significant increase in 2FA usage over the recent reporting period. “Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA. Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter,” the company concluded.

    If you haven’t secured your account with one of the several 2FA methods Twitter offers just yet, you’d do well to do so now. And while you’re at it you can follow our recommendations on how to stay safe on Twitter and mitigate the chances of your account getting hacked. 

    Booking your next holiday? Watch out for these Airbnb scams

    With vacations in full swing, cybercriminals will be looking to scam vacationers looking for that perfect accommodation.

    Summer vacation planning is in full swing, and most of us are looking to travel again while adhering to the preventive measures that countries have in place regarding the COVID-19 pandemic. And traveling, of course, means looking for accommodation as well. While some are fans of going through travel agencies and booking hotel rooms, others like to experience cities through accommodations located in hip, authentic neighborhoods that can be booked through services like Airbnb. However, before you rush to book that comfy adorable stay, you should be wary of scams that you might encounter along the way. 

    Paying outside of the Airbnb platform 

    You’ve finally stumbled upon your dream vacation place that you’d like to book. The photos look good, it’s near the landmarks you’d like to visit or located in a hip local neighborhood, and everything seems great in general. However, once you connect with the host, they try to persuade you into communicating and paying outside the confines of Airbnb’s platform. That should immediately be a red flag, since everything should be done through the app itself, if for no other reason than that the service provider has no obligation to refund fraudulent charges paid outside its platform. In some cases, some additional charges may have to be paid in person, such as resort fees, security deposits (for example in hotels), or local occupancy tax, but most of the time you’ll pay the entire price of the stay during the booking process on Airbnb.

    Even Airbnb itself warns against such scams and urges clients to immediately report any hosts who request off-site payments. So, in case that happens, refuse to deal with the host and contact Airbnb so it can sort out the issue.

    Here is a great offer, click on this link! 

    Most people travel, be it for business or pleasure. And traveling is even more attractive now than ever with COVID-19 restrictions being lifted, something scammers are very aware of. Therefore, it won’t come as a surprise that they will try to dupe unsuspecting victims into parting with their access credentials and personal information using phishing campaigns where they will try to impersonate Airbnb. You might receive an email that, for all intents and purposes, looks like a legitimate email touting a great offer. However, if you click on the link, it either will redirect you to a fake login page and once you type in your credentials the scammers will have them, or it might download malware onto your device. 

    While most email services are now more than capable of filtering out these kinds of scams, some may slip through the cracks. So, if you ever receive an unsolicited email, especially one containing a link or attachment, don’t click on it. To see the full URL you can hover your cursor over the link to see where it redirects to, and to remain safe it’s better to visit the official website directly by typing it out in the address bar of your browser.

    Apartments that sound too good to be true 

    While you’re perusing the Airbnb platform for the perfect summer rental home, you might stumble upon offers that at first sight might blow your mind. Usually, that involves luxurious residences, at upscale locations for ludicrously low prices – imagine a villa on the French Riviera for a couple of hundred dollars a night. Sounds too good to be true? Well, it probably is – you will most likely have stumbled upon a scam and you should definitely avoid booking the place. 

    However, if you still decide you want to scratch that itch, it’s best to do your due diligence. The first thing you could do is to look at the general area where the apartment or house is located and analyze the average rental prices to see if it is unusually low. Another handy option is reverse-searching the image to see what comes up – you might find that the images have been pilfered from another website, which means that the offer or property is probably fake. If your suspicions are confirmed you should immediately report it to Airbnb.  

    Beware of fake reviews 

    As you are on the hunt for your accommodation of choice, you’ll probably be looking for the combination of best price, location, and comfort. That usually entails a lot of searching and doing your due diligence by browsing through the reviews left by previous tenants. While you’re searching for a place that has a series of great reviews, you’d best be on the lookout for anything suspicious. For example, rather fresh listings that already have a curiously large amount of good reviews, or if the reviews look too much alike; these can all be signs that a scam is afoot. 

    The best course of action would be to look for hosts that have gone through Airbnb’s verification process. Scammers probably aren’t going to use real documents to get themselves verified if they’re planning to scam folk out of money. Another thing you might want to look for is hosts who have achieved Superhost status, since they have a history of providing stellar service and a low cancelation rate. 

    In summary 

    It has been a long year, or more, and most of us are looking towards having a bit of R&R. While well deserved, we shouldn’t let our guard down and should remain wary of any signs of scams while we go in search of amazing deals for glorious holiday stays. To sum it up: remain vigilant when it comes to spectacular offers, run a background check and review the accommodations you are looking to book, and be especially wary of unsolicited emails with links to amazing deals. 

    Apple releases patch for zero‑day flaw in iOS, iPadOS and macOS

    The vulnerability is under active exploitation by unknown attackers and affects a wide range of Apple’s products.

    Apple has released an update for its iOS, iPadOS, and macOS operating systems to patch a zero-day security flaw that is being actively exploited in the wild. The vulnerability affects a wide range of its products including the iPod touch and various models of the iPhone and iPad.

    “Apple is aware of a report that this issue may have been actively exploited,” reads Apple’s security advisory describing the security loophole that is being plugged with the release of iOS 14.7.1 and iPadOS 14.7.1.

    The list of impacted devices includes iPhone 6s and later, all versions of the iPad Pro, iPad Air 2 and later, the 5th generation of iPad and later, iPad mini 4 and later, and the 7th generation of the iPod touch. The same security flaw also affects the macOS operating system, so the Cupertino-based tech titan also issued a security update for macOS (Big Sur 11.5.1) to address the issue. As is usually the case, there is no word about the perpetrators and targets of the zero-day attacks.

    Indexed as CVE-2021-30807, the vulnerability resides in the IOMobileFrameBuffer, a kernel extension that is used for managing the screen framebuffer, and is described as a memory corruption issue.

    According to CyberSecurityHelp, the vulnerability could allow a local application to escalate privileges on the affected systems. “The vulnerability exists due to a boundary within the IOMobileFrameBuffer subsystem. A local application can trigger memory corruption and execute arbitrary code on the target system with kernel privileges,” reads its description of the security flaw.

    The United States’ Cybersecurity and Infrastructure Security Agency (CISA) also took note of the release and issued a security advisory urging both users and administrators to apply the patches and update their devices. “Apple has released security updates to address a vulnerability in multiple products. An attacker could exploit this vulnerability to take control of an affected device,” said the agency.

    Indeed, you would be well advised to apply the updates as soon as practicable. If you don’t have automatic updates enabled, you can update your iPhone and iPad manually by going to the Settings menu, then tapping General, and going to the Software Update section. To manually update your Mac devices, go to the Apple menu, click on About This Mac and then click on the Software Update button.