FBI warns of threat actors spoofing Bureau domains, email accounts

The U.S. law enforcement agency shares a sampling of more than 90 spoofed FBI-related domains registered recently

The Federal Bureau of Investigation (FBI) has issued a warning about domains designed to spoof the Bureau’s official website, fbi.gov. The alert lists more than 90 such fraudulent websites that have been registered recently.

“The FBI observed unattributed cyber actors registering numerous domains spoofing legitimate FBI websites, indicating the potential for future operational activity,” said the law enforcement agency. The list of fraudulent domains includes somewhat plausible examples, such as “fbihelp.org” and “fbifrauddepartment.org”, as well as more or less bizarre ones like “powerfulfbi.ninja” or “fbigiftshop.shop”.

For context, domain spoofing involves registering a domain name that looks near-identical to the original but differs in some subtle way: the threat actors change a letter or symbol, substitute a look-alike character, or add a word to the name. Another telltale sign is a different top-level domain (TLD) from the original. US federal government websites, for example, use the “.gov” TLD, which is only issued to verified government entities, so a spoof of fbi.gov will typically sit under .org, .com or one of the newer TLDs instead.
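The checks described above can be automated. The script below, added here as an example and not tooling from the FBI or the original article, takes a list of candidate names and reports why each one resembles fbi.gov: a look-alike character, a one-character typo, the brand with an extra word bolted on, the brand hidden in a subdomain of some other registered domain, and a TLD that differs from the legitimate one. The candidate list mixes four names from the FBI alert with made-up ones (including example.com) chosen to exercise each check; the homoglyph map is deliberately small, and the assumption that the registrable domain is always the last two labels is a simplification (real tooling consults the Public Suffix List).

```python
import re

LEGIT_DOMAIN = "fbi.gov"

# Constructed sample input: four domains named in the FBI alert plus made-up
# names (including example.com) that exercise each check. None of the made-up
# names is claimed to exist.
CANDIDATES = [
    "fbi.gov",
    "fbihelp.org",
    "fbifrauddepartment.org",
    "powerfulfbi.ninja",
    "fbigiftshop.shop",
    "fbi.org",
    "fb1.org",
    "fbi.gov.login-example.com",
    "example.com",
]

# Small, illustrative homoglyph map: digits and symbols that read like letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t", "$": "s", "|": "i"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inlined to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (subdomain labels, second-level label, TLD).

    Assumption for this example: the registrable domain is the last two labels.
    Real tooling should consult the Public Suffix List (think 'co.uk').
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def classify(domain: str, legit: str = LEGIT_DOMAIN) -> list:
    """Reasons `domain` looks like a spoof of `legit`; an empty list means no flag."""
    _, brand, legit_tld = split_domain(legit)
    subs, sld, tld = split_domain(domain)
    reasons = []
    folded = sld.translate(HOMOGLYPHS)
    if sld == brand:
        pass  # identical second-level label; only the TLD check below can flag it
    elif folded == brand:
        reasons.append("homoglyph substitution")
    elif levenshtein(folded, brand) == 1:
        reasons.append("one-character typo")
    elif brand in folded:
        reasons.append("brand with added word")
    if any(brand in label.translate(HOMOGLYPHS) for label in subs):
        reasons.append("brand used as a subdomain of an unrelated registrable domain")
    # A different TLD is only a signal once the name itself resembles the brand;
    # example.com is not a spoof just because it is not .gov.
    if tld != legit_tld and (reasons or sld == brand):
        reasons.append(f"unexpected TLD .{tld} (legitimate site uses .{legit_tld})")
    return reasons


def scan(candidates, legit: str = LEGIT_DOMAIN) -> dict:
    """Map each flagged domain to its reasons, dropping clean ones."""
    return {d: classify(d, legit) for d in candidates if classify(d, legit)}


if __name__ == "__main__":
    for domain, reasons in scan(CANDIDATES).items():
        print(f"{domain:32} {'; '.join(reasons)}")
```

Note that a foreign TLD on its own is not treated as evidence; the name has to resemble the brand first, otherwise every .com on the internet would be flagged.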

The goal of the cybercriminals is to use these webpages to wreak all manner of havoc, such as disseminating false information, harvesting sensitive data from unwitting victims who have fallen for their ruses, or spreading malware. The harvested information typically includes account credentials (usernames and passwords), email addresses and a range of other personally identifiable information that can then be used to carry out various forms of fraud and identity theft or be sold in the internet’s dark web bazaars.

And that’s what the FBI is worried about: “Members of the public could unknowingly visit spoofed domains while seeking information regarding the FBI’s mission, services, or news coverage. Additionally, cyber actors may use seemingly legitimate email accounts to entice the public into clicking on malicious files or links.”

The Bureau, therefore, urges the public to remain vigilant and scrutinize any websites they visit and carefully inspect the emails they receive, regardless of whether they’re work-related or personal. Moreover, if they are interested in the FBI’s mission or information about its work, they should search for it using verified and trusted sources.

Beyond increased vigilance, you can also take additional protective measures to defend yourself from website spoofing attacks and their consequences.

Do not respond to any unsolicited email requesting any kind of information, even if they seem legitimate. Use a reputable up-to-date security solution, which will protect you from most threats, including blocking known malicious websites and blocking potentially malicious downloads. Make sure that all your programs and your operating system are patched and up to date to prevent black hats from using any security flaws to infiltrate your systems. Use multi-factor authentication to mitigate the chances of hackers gaining access to your accounts even if your credentials get compromised.

SIM swap scam: What it is and how to protect yourself

Here’s what to know about attacks where a fraudster has your number, literally and otherwise

SIM swap scams have been a growing problem, with fraudsters targeting people from various walks of life, including tech leaders, and causing untold damage to many victims. Here’s why you should be on the lookout for attacks where someone can upend your life by first hijacking your mobile phone number.

How SIM swap fraud works

Also known as SIM hijacking and SIM splitting, SIM swapping can be described as a form of account takeover fraud. To make the attack work, the cybercriminal will first gather information on their mark, often through trawling the web and searching for every tidbit of data the potential victim may have (over)shared. The victim’s personal information can also be gleaned from known data breaches or leaks, or via social engineering techniques, such as phishing and vishing, where the fraudster wheedles the information directly out of the target.

With enough information in their hands, the fraudster will contact the target’s mobile phone provider and trick its customer service representative into porting the victim’s telephone number to a SIM card owned by the criminal. More often than not, the scammer’s story will be something along the lines that the switch is needed because the phone has been stolen or lost.

Once the process is done, the victim will lose access to the cellular network and phone number, while the hacker will now receive the victim’s calls and text messages.

What makes the scams so dangerous?

Commonly, the point of this type of attack is to gain access to one, or more, of the target’s online accounts. The cybercriminal behind the attack is also banking on the assumption that the victim uses phone calls and text messages as a form of two-factor authentication (2FA).

If that’s the case, the fraudsters can wreak unseen havoc on their victim’s digital and personal lives, including cleaning out their bank accounts and maxing out their credit cards, damaging the victim’s standing and credit with banks in the process.

The hackers could also access their victim’s social media accounts and download sensitive messages or private conversations that could be damaging in the long run. Or even post insulting messages and statuses that could cause major reputational damage to their victims.

How to protect yourself

Start by limiting the personal information you share online: avoid posting your full name, address or phone number. Another thing you should avoid is oversharing details from your personal life, since chances are that some of those details are the answers to the security questions used to verify your identity.

When it comes to using 2FA, you might want to reconsider SMS text messages and phone calls being your sole form of additional authentication. Instead, opt for using other forms of two-factor authentication such as an authentication app or a hardware authentication device.

Phishing emails are also a popular way for cybercriminals to obtain sensitive information. They do so by impersonating a trusted institution, relying on the assumption that you won’t hesitate to answer their questions or scrutinize the emails too closely. While many of the phishing emails will be caught by your spam filters, you should also educate yourself on how to spot a phish.

Telecom companies are also working towards protecting their clients. Verizon, for example, launched a feature called ‘Number Lock’ that should protect its customers against potential SIM-swapping attacks, while AT&T, T‑Mobile, and Sprint offer the option of additional authentication in the form of PIN codes, passcodes, and additional security questions. You should check with your provider to learn how to enable such features, should they offer them.

In summary

While SIM swap scams are ever-present and a threat to everybody, there are ways to protect yourself. Taking one or more of the several steps outlined in the article can help you lower your chances of falling victim to such an attack. Additionally, you can contact your bank and telecommunications providers to inquire about any supplementary security services you can enable to lock down your accounts.

Up to 350,000 Spotify accounts hacked in credential stuffing attacks

This won’t be music to your ears – researchers spot an unsecured database replete with records used for an account hijacking spree

Researchers have found an unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.

The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered by vpnMentor. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.

For context, credential stuffing is an automated account takeover attack in which cybercriminals use bots to hammer a site with login attempts using credentials stolen in data breaches at other sites, until a reused username and password pair matches an account on the new site and they gain access. Applying some form of multi-factor authentication usually reduces the chances of accounts being compromised this way, but Spotify doesn’t support the option.
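Credential stuffing leaves a distinctive trace in authentication logs: one source trying many different usernames, each once or twice, with a high failure rate. That differs from a brute-force attack, which hammers a single account. The detector below, added here as an example and not tooling from vpnMentor or Spotify, runs that logic over a handful of constructed log lines in a made-up format (ip=, user=, result=) using RFC 5737 test addresses; the window and threshold values are assumptions to tune per site. It also lists the accounts that logged in successfully from a stuffing source, which is the list a responder needs for the kind of rolling password reset Spotify performed.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
Event = namedtuple("Event", "ts ip user ok")

# Constructed sample log (made-up format; addresses from RFC 5737 test ranges):
# 203.0.113.7 walks through ten different accounts and gets into one,
# 198.51.100.9 hammers a single account, 192.0.2.5 is an ordinary user.
SAMPLE_LOG = """\
2020-07-10T12:00:00Z ip=203.0.113.7 user=alice result=FAIL
2020-07-10T12:00:01Z ip=203.0.113.7 user=bob result=FAIL
2020-07-10T12:00:02Z ip=203.0.113.7 user=carol result=FAIL
2020-07-10T12:00:03Z ip=203.0.113.7 user=dave result=OK
2020-07-10T12:00:04Z ip=203.0.113.7 user=erin result=FAIL
2020-07-10T12:00:05Z ip=203.0.113.7 user=frank result=FAIL
2020-07-10T12:00:06Z ip=203.0.113.7 user=grace result=FAIL
2020-07-10T12:00:07Z ip=203.0.113.7 user=heidi result=FAIL
2020-07-10T12:00:08Z ip=203.0.113.7 user=ivan result=FAIL
2020-07-10T12:00:09Z ip=203.0.113.7 user=judy result=FAIL
2020-07-10T12:05:00Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:01Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:02Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:03Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:04Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:05Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:06Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:07Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:08Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:05:09Z ip=198.51.100.9 user=carol result=FAIL
2020-07-10T12:10:00Z ip=192.0.2.5 user=alice result=OK
2020-07-10T13:00:00Z ip=192.0.2.5 user=alice result=OK
"""


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that are not auth events
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["ip"], m["user"], m["result"] == "OK")


def detect(lines, window_seconds=60, min_attempts=8, min_fail_ratio=0.8, min_distinct_ratio=0.8):
    """Per source IP, look for a burst inside `window_seconds` that is mostly failures.
    Many distinct usernames => credential stuffing; a single username => brute force.
    Thresholds are assumptions for the example."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev.ip].append(ev)
    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, first in enumerate(events):
            burst = [e for e in events[i:] if e.ts - first.ts < window]
            if len(burst) < min_attempts:
                continue
            fails = sum(1 for e in burst if not e.ok)
            users = {e.user for e in burst}
            if fails / len(burst) < min_fail_ratio:
                continue
            if len(users) / len(burst) >= min_distinct_ratio:
                kind = "credential_stuffing"
            elif len(users) == 1:
                kind = "brute_force"
            else:
                continue
            findings[ip] = {
                "kind": kind,
                "attempts": len(burst),
                "distinct_users": len(users),
                # accounts that accepted a login from this source: reset these first
                "successful_logins": sorted(e.user for e in burst if e.ok),
            }
            break
    return findings


if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, f)
```

The distinct-user ratio is what separates stuffing from a brute-force run on one account; a real deployment would key on more than the source IP, since stuffing tools rotate through proxies, but the per-source logic is the same.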

The team contacted the Swedish audio streaming giant on July 9th and received an almost immediate response. Within a period of eleven days between July 10th and 21st, Spotify addressed the issue and deployed a rolling reset of passwords for all users affected by the issue.

“In this case, the incident didn’t originate from Spotify. The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” the researchers explained.

The continuing success of credential stuffing attacks can, in large part, be attributed to users having poor password hygiene. People often commit many of the cardinal sins of password creation and use, such as recycling the same password across sites or even sharing their access credentials with others. To illustrate the questionable choices people make when it comes to their passwords, you need not look any further than the list of the most common passwords of 2020, which is topped by veritable gems like “123456” and “123456789”.

To protect the sensitive data stored in your accounts, you should start by opting for a strong and unique password, or even better passphrase. For convenience’s sake, you can also use a password manager that will do all the heavy lifting for you, including generating and storing all your tough-to-crack passcodes, so you’ll only have to remember one master password. For an extra layer of security, also activate multi-factor authentication where possible.

Security flaws in smart doorbells may open the door to hackers

The peace of mind that comes with connected home security gadgets may be false – your smart doorbell may make an inviting target for unwanted visitors

Smart doorbells commonly found on marketplaces such as Amazon and eBay contain serious vulnerabilities that expose their owners to a host of security and privacy threats, according to an investigation led by the British consumer watchdog Which?.

Together with NCC Group, Which? looked into 11 internet-connected video- and audio-equipped doorbells, finding disconcerting vulnerabilities in all of them. A number of the gadgets are designed to have the look and feel of Amazon’s Ring and Google’s Nest Hello and are sold either under their own brands or have no discernible branding. Some devices were promoted with the “Amazon’s Choice” logo and received rave users reviews.

Notably, this includes the Victure VD300 smart doorbell, listed as “the number one bestseller in ‘door viewers’”. The device was found to send the owner’s Wi-Fi network password to servers in China unencrypted. If intercepted, those credentials could give crooks access not just to the victim’s Wi-Fi network but also to the other devices connected to it, exposing people’s sensitive data in the process.

The lack of data encryption was overall a common find in the test and also affected video footage, which was often stored unencrypted.

RELATED READING: These things may be cool, but are they safe?

Other flaws had to do with poor password protections, since the units came with basic and easy-to-guess default passwords or their passwords were easy to reset by unwanted guests. Some devices could readily be switched off or stolen, paving the way for burglars to do their ‘job’ and be gone while nobody is watching. One gadget was susceptible to a critical exploit taking advantage of the Key Reinstallation Attack (KRACK) vulnerability in the WPA2 Wi-Fi handshake that could ultimately leave Wi-Fi networks wide open to compromise.

Unsurprisingly, most units gathered more customer data than they actually needed for their operations. Overall, the test’s findings are by no means unique as similar probes have been conducted before and also brought unflattering results.

RELATED READING: IoT security: Are we finally turning the corner?

Amazon has since removed the listings for at least seven products. Meanwhile, eBay had this to say: “These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer,” said the company.

If you’re in the market for any connected gizmo, you want to do your homework and choose a reputable manufacturer with a proven track record of securing their devices. Then, when you first set up your new smart device, at the very least make sure you protect it with a strong and unique password or passphrase as well as with two-factor authentication.

Week in security with Tony Anscombe

Lazarus takes aim at South Korea via an unusual supply-chain attack – The harsh reality of poor passwords – Bumble bitten by bugs

ESET researchers have uncovered a novel Lazarus supply-chain attack that, in order to deliver malware, abuses legitimate South Korean security software and digital certificates stolen from two companies. A list of the 200 most commonly used passwords on the web in 2020 demonstrates yet again that various easy-to-guess combinations remain as popular as ever. Security flaws in the popular dating app Bumble put the data of its almost 100 million users at risk. All this – and more – on WeLiveSecurity.com.

5 takeaways from the 2020 (ISC)2 Cybersecurity Workforce Study

From the impact of the pandemic on cybersecurity careers to workers’ job satisfaction, the report offers a number of interesting findings

For the first time on record, the cybersecurity workforce gap has shrunk, the 2020 (ISC)2 Cybersecurity Workforce Study has found. While companies have been facing a plethora of new security challenges due to the COVID-19-powered shift to remote work, the shortfall of IT security practitioners has decreased from 4.07 million to 3.12 million on an annual basis. Here are some other key takeaways:

As the talent shortfall eased, the number of security practitioners rose by 700,000 professionals year-on-year to 3.5 million. The supply of workers increased especially thanks to industry migration and companies investing in their own talent. Nevertheless, the workforce gap is still there and, in order to fill it, employment levels would need to grow by approximately 41% in the US and 89% worldwide.

The COVID-19-powered shift was quick but managed well. 30% of professionals reported that their company made the transition to online work within a single day. Meanwhile, almost half reported they were afforded several days and up to a week to make the shift and to secure newly transformed IT environments. Although the transition was rapid, 9 in 10 infosec experts felt that their organizations were somewhat or very prepared for the shift.

Job satisfaction among cybersecurity professionals is higher than ever. While there is a popular notion that the job carried out by cybersecurity professionals is stressful and often underappreciated, the study found otherwise: the overall satisfaction of workers worldwide with their job is at 76%. Almost half responded that they were somewhat satisfied, while a third said that they were very satisfied with their positions and the work they do.

Certification still matters, with 63% of professionals pursuing or planning to pursue a certificate within the next year. Certificates are considered key to professional and career growth both by professionals and their employers. Almost 8 in 10 professionals worldwide said that they are required to hold some kind of certification. The value of certifications to employers is highlighted by the fact that five in ten respondents said that courses and exams are paid for completely by their organizations. Certification also has an impact on wages: employees with a certification earn an average of US$85,000, while those who don’t hold one earn considerably less, an average of US$67,000.

Salaries are competitive but vary according to the employee’s title and seniority. For employees who are just starting on their cybersecurity career paths, such as millennials, the average salary can be around US$67,000; for those with greater experience in the field, like the baby boomer generation, the reported average salary is US$112,000. The salary is also influenced by whether the role the employee holds is security-focused or a general IT role, with the former rewarded with a higher average salary of US$91,000 while the latter has an average salary of US$79,000.

A bonus takeaway? The cybersecurity sector remains an attractive industry to join. Why not consider whether it might also be a good fit for you or look at some of the career paths you can choose from?

The worst passwords of 2020: Is it time to change yours?

They’re supremely easy to remember, as well as easy to crack. Here’s how to improve your password security.

Cybersecurity experts often share advice about the do’s and don’ts of passwords as a vital part of good cyber-hygiene practices. And yet, annual roundups of the most common passwords show that many of us continue to prioritize convenience over security, putting our accounts and data at risk of theft.

NordPass has just revealed the 200 most commonly used passwords on the web in 2020, showing yet again that various easy-to-guess combinations of numbers remain as popular as ever. Seven out of the top ten worst passwords were made up of various numerical combinations, with “123456”, “123456789” and “12345678” occupying the first, second and fifth places, respectively. The third spot went to “picture1”, a new addition to the list, and was followed by, well, “password”.

If that isn’t a cause for worry, then perhaps these two facts should be: the top five passwords have over 4.5 million users among them and they account for more than 38 million combined exposures in data breaches. Moreover, all of these passwords, except “picture1”, could be cracked in less than a second.

The chart is mostly made up of entries that also made it onto the lists of the most common passwords last year and the year before. But there have also been 78 new additions to the list, such as “senha” (Portuguese for “password”), “Million2” or “aaron431”. Part of the last one is also the most popular name used as a password.

You can browse through the whole list on NordPass’s blog, but here are the 25 that topped the list this year.

Position   Password       Position in 2019
1          123456         2
2          123456789      3
3          picture1       –
4          password       5
5          12345678       6
6          111111         17
7          123123         18
8          12345          1
9          1234567890     11
10         senha          –
11         1234567        12
12         qwerty         10
13         abc123         16
14         Million2       –
15         000000         28
16         1234           15
17         iloveyou       14
18         aaron431       –
19         password1      29
20         qqww1122       –
21         123            199
22         omgpop         –
23         123321         39
24         654321         36
25         qwertyuiop     22

Mine is on the list! What do I do?

If you use any of these choices to “secure” your accounts, then you should get straight to fixing them. First of all, consider using a unique passphrase for each of your online accounts; if done right, it will be far harder or even impossible to crack. While you’re at it avoid other pitfalls of password creation and use, including password recycling.

If you’re looking for a practical and convenient solution for your password woes, then a password manager could be the answer. Most reputable security products also offer some form of password management.

To complete your security review, you should also enable multi-factor authentication on all services that offer the option. And as many login credentials are stolen in data breaches these days, it also won’t hurt to sign up for a service that checks if your password has been caught up in any such incident.
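Both checks recommended here, testing a password against a list of known-bad choices and asking a breach-check service whether it has appeared in a leak, can be done without ever sending the password anywhere. The script below is an added example, not code from NordPass or from any breach-check service. It uses the 25 entries from the table above as a local blocklist and simulates the k-anonymity range query that the Have I Been Pwned “Pwned Passwords” API uses: the client sends only the first five hex characters of the password’s SHA-1, the server returns every known hash suffix under that prefix with its exposure count, and the match happens on the client. The server-side corpus and its counts are constructed for the example and are not real breach figures.

```python
import hashlib

# The 25 entries from the NordPass table above, used as a local blocklist.
TOP_25 = [
    "123456", "123456789", "picture1", "password", "12345678", "111111", "123123",
    "12345", "1234567890", "senha", "1234567", "qwerty", "abc123", "Million2",
    "000000", "1234", "iloveyou", "aaron431", "password1", "qqww1122", "123",
    "omgpop", "123321", "654321", "qwertyuiop",
]
_BLOCKLIST = {p.lower() for p in TOP_25}

# Constructed corpus standing in for the breach-check service's database.
# Counts are invented for the example and are not HIBP's figures.
BREACH_CORPUS = {"123456": 23597311, "password": 3730471, "picture1": 11190, "hunter2": 17}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def blocklisted(password: str) -> bool:
    """True if the password, case-folded, is on the list, or becomes a listed entry
    once trailing digits/punctuation are stripped ('Password1!' -> 'password')."""
    lowered = password.lower()
    stripped = lowered.rstrip("0123456789!@#$")
    return lowered in _BLOCKLIST or (bool(stripped) and stripped in _BLOCKLIST)


def server_range(prefix: str) -> str:
    """Simulated k-anonymity range endpoint. The server receives only the first
    5 hex characters of the SHA-1 and answers with every known suffix under that
    prefix, so it never learns the password or even its full hash."""
    prefix = prefix.upper()
    lines = []
    for pw, count in BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str) -> int:
    """Client side: send the prefix, match the suffix locally, return the exposure count."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in server_range(prefix).splitlines():  # only `prefix` leaves the client
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def assess(password: str) -> dict:
    """Combined verdict: on the local blocklist, and how many times seen in breaches."""
    return {"blocklisted": blocklisted(password), "breach_count": breach_count(password)}


if __name__ == "__main__":
    for pw in ("123456", "Password1", "hunter2", "correct horse battery staple"):
        print(f"{pw!r}: {assess(pw)}")
```

The stripping rule in blocklisted is deliberately generous: a blocklist that only matches exact strings is defeated by appending a “1”, which is exactly how “password1” earned its own place in the table.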

Bumble bugs could have exposed personal data of all users

The information at risk of theft due to API flaws included people’s pictures, locations, dating preferences and Facebook data

Security vulnerabilities in Bumble, one of today’s most popular dating apps, could have exposed the personal information of its entire, almost 100 million-strong user-base.

The bugs – which affected Bumble’s application programming interface (API) and stemmed from the dating service not verifying user requests server-side – were discovered by Sanjana Sarda and her team at Independent Security Evaluators. In addition to finding a way to bypass paying for Bumble Boost, the platform’s premium tier that gives users a host of advanced features, the researchers uncovered security loopholes that a potential attacker could exploit to steal data about all of its users.

Having found a way to bypass the platform’s checks, it was possible for the researchers to access data about all Bumble users and retrieve a treasure trove of information about them. If a user logged into Bumble using their Facebook account, a cybercriminal would have been able to create a comprehensive picture about them by retrieving various data concerning their activities on Facebook.

With Bumble being a dating platform, an attacker could also potentially gain access to data such as what kind of person the user is looking for, which could prove useful in creating a fake persona for a dating scam. Also, they’d have access to information users share on their profile such as height, religious beliefs and political leanings. The black hat could also find out people’s locations and see whether they were online. Interestingly, the researchers were able to retrieve further user data even after Bumble locked down their account.

ADDITIONAL READING: When love becomes a nightmare: Online dating scams

The team also circumvented the limit of 100 right swipes within a 24-hour timeframe. “On further examination, the only check on the swipe limit is through the mobile front-end which means that there is no check on the actual API request. As there is no check on the web application front-end, using the web application instead of the mobile app implies that users won’t ever run out of swipes,” said Sarda.

The researchers also took a swing at the app’s popular Beeline feature. Using the developer console, they found a way to see all users in a potential match feed. “What’s interesting to note, though, is that it also displays their vote and we can use this to differentiate between users who haven’t voted versus users who have swiped right,” Sarda said.

It took Bumble six months to plug (almost) all holes; on November 11th, Sarda and her team found that, in fact, there might be some more work to do. “An attacker can still use the endpoint to obtain information such as Facebook likes, pictures, and other profile information such as dating interests. This still works for an unvalidated, locked-out user, so an attacker can make unlimited fake accounts to dump user data,” said Sarda.
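The swipe-limit bypass and the locked-out account that could still pull profile data share one root cause: a limit or permission enforced in the client rather than on the server. The pair of classes below, added here as an example and not Bumble’s code, contrasts an endpoint that trusts the caller with one that keeps the swipe counter, the 24-hour window, the account lock status and field-level visibility in server-side state. The 100-swipe daily limit comes from the article; the account model, the field names and the rule that linked-account data is only returned after a mutual match are assumptions of the example.

```python
from dataclasses import dataclass, field

DAILY_SWIPE_LIMIT = 100          # the limit the article says the mobile app enforced client-side
WINDOW_SECONDS = 24 * 60 * 60
PUBLIC_FIELDS = {"name", "height", "religion", "politics"}
MATCH_ONLY_FIELDS = {"facebook_likes", "dating_interests"}  # assumed policy for this example


@dataclass
class Account:
    user_id: str
    profile: dict
    locked: bool = False
    matches: set = field(default_factory=set)
    swipe_times: list = field(default_factory=list)  # server-side record of swipes


def make_accounts() -> dict:
    """Constructed fixture; nothing here is real user data."""
    return {
        "alice": Account("alice", {"name": "Alice", "height": "170cm", "religion": "none",
                                   "politics": "moderate", "facebook_likes": ["hiking"],
                                   "dating_interests": "long-term"}, matches={"bob"}),
        "bob": Account("bob", {"name": "Bob"}),
        "mallory": Account("mallory", {"name": "M"}),
        "locked": Account("locked", {"name": "L"}, locked=True),
    }


class VulnerableApi:
    """The pattern the researchers describe: the endpoint does what the caller asks,
    trusting the client to enforce the swipe limit and to honour the lock-out."""

    def __init__(self, accounts):
        self.accounts = accounts

    def swipe(self, user_id, target_id, now):
        return {"ok": True}  # no count, no window, no lock check

    def profile(self, requester_id, target_id):
        return {"ok": True, "profile": dict(self.accounts[target_id].profile)}  # everything, to anyone


class HardenedApi:
    """Every decision is made on the server from server-side state."""

    def __init__(self, accounts):
        self.accounts = accounts

    def swipe(self, user_id, target_id, now):
        acct = self.accounts[user_id]
        if acct.locked:
            return {"ok": False, "error": "account_locked"}
        # drop swipes older than the window, then count what is left
        acct.swipe_times = [t for t in acct.swipe_times if now - t < WINDOW_SECONDS]
        if len(acct.swipe_times) >= DAILY_SWIPE_LIMIT:
            return {"ok": False, "error": "rate_limited"}
        acct.swipe_times.append(now)
        return {"ok": True}

    def profile(self, requester_id, target_id):
        requester = self.accounts[requester_id]
        if requester.locked:
            return {"ok": False, "error": "account_locked"}
        target = self.accounts[target_id]
        view = {k: v for k, v in target.profile.items() if k in PUBLIC_FIELDS}
        if requester_id in target.matches:  # linked-account data only after a mutual match
            view.update({k: v for k, v in target.profile.items() if k in MATCH_ONLY_FIELDS})
        return {"ok": True, "profile": view}


if __name__ == "__main__":
    api = HardenedApi(make_accounts())
    results = [api.swipe("mallory", "alice", now=i)["ok"] for i in range(DAILY_SWIPE_LIMIT + 5)]
    print("accepted:", results.count(True), "rejected:", results.count(False))
    print("locked requester:", api.profile("locked", "alice"))
```

Whether the request arrives from the mobile app, the web app or a raw HTTP client makes no difference to HardenedApi, which is the property the researchers found missing: the only check on the swipe limit was in one front end.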

Bumble is expected to resolve the issues over the upcoming days.

Week in security with Tony Anscombe

ESET research uncovers a backdoor targeting POS systems – Why you shouldn’t share your Netflix password – Data of millions of hotel guests exposed

ESET researchers have discovered ModPipe, a modular backdoor that targets POS software used in the hospitality industry and provides its operators with access to sensitive information stored by the software. Also this week, we looked at why you shouldn’t share your password for Netflix, Spotify and other media services with your partner or friends. Millions of hotel guests worldwide have had their personal data exposed after a booking software provider left the information on an unprotected server. All this – and more – on WeLiveSecurity.com.

Cybersecurity careers: Which one is right for you?

Looking for vulnerabilities, securing systems or dismantling them, these are all viable career paths in the cybersecurity industry. Could one of them be right for you?

The abundance of cyberthreats and shortage of skilled professionals, as well as competitive salaries and interesting job descriptions, are some of the reasons why a career in cybersecurity remains an attractive option. We discussed some of these finer points in our recent article that was aimed especially at those of you who wonder whether to join this growing industry.

However, choosing which career path to pursue may prove to be a daunting task, not least because there are so many careers to choose from, each with its specific requirements and skill sets. It’s also important to note that not every cybersecurity career needs a university degree, although having one won’t hurt.

If you’re aspiring to join the swelling ranks of infosec professionals, you’ll have to assess what skills you have and what skills you’ll need in order to apply for the position you want. In our second article dedicated to celebrating Antimalware Day, we look at some of the steps you can take while climbing the cybersecurity career ladder.

System administrator

System administrator is actually one of the stepping-stone professions on the way to a cybersecurity career. CyberSeek, a site providing a range of cybersecurity career planning information, classifies the role as a member of the Networking family of feeder roles. This means that system administrators aren’t strictly described as cybersecurity professionals. Sysadmins, however, do need to have stellar knowledge of cybersecurity topics to perform their jobs properly; these ten commandments illustrate just how much cybersecurity impacts their work. While a degree isn’t required, CyberSeek indicates that a Bachelor of Science (BSc.) in network administration is recommended for the role. People who lack the degree but are interested in pursuing these careers can do so by completing various certifications from reputable organizations.

Sysadmins are indispensable for most companies, since they are responsible for the configuration, upkeep, operation, and security of computer systems and servers, as well as troubleshooting problems and providing support to other employees. If you’re seeking to become a system administrator, then some of the top requirements are knowledge of Linux and of major networking hardware, network engineering, and tech support. To be able to transition successfully into cybersecurity, you’d be well advised to add information security and systems, network security, and security operations to your arsenal of skills. Per data from cyber.org, the average annual salary in the US for a sysadmin is estimated to be around US$62,000.

Incident responder

Cybersecurity or cyberdefense incident responders are responsible for investigating, analyzing, and responding to cyberattacks or cyber-incidents. However, their position isn’t only reactive – they also have to actively monitor systems and networks for intrusions, perform security audits, and develop response plans, as well as be knowledgeable in the company’s business continuity plans if a successful attack occurs. After an attack is over, an incident responder also has to be able to write up an incident report to detail how the attack happened and what can be done now to avoid it in the future. To become an incident responder, you don’t need a degree; however, having one in cybersecurity or computer science is considered a benefit. Information security, knowledge of Linux, network security, information systems, and project management are among the top skills requested by employers. The position is classified as entry-level and, according to CyberSeek, offers an average annual salary of around US$85,000 in America.

Cyber-forensic analyst

Cyber-forensic specialists can be described as the sleuths of cyberspace. They are responsible for investigating various data breaches and security incidents, recovering and examining data stored on electronic devices, and rebuilding damaged systems to retrieve lost data. Forensic specialists are also expected to help the authorities with assessing the credibility of data and providing expert counsel to legal professionals when electronic evidence is used in a legal case.

RELATED READING: How to catch a cybercriminal: Tales from the digital forensics lab

To become a cyber-forensic specialist, a bachelor’s degree in cybersecurity or computer science is a must; moreover, having a master’s degree in computer forensics is considered an additional benefit. Some of the skills requested by employers include proficiency in computer forensics, knowledge of information security, and the ability to analyze consumer electronics and hard drives. Although the position is classified as entry-level, the salary in the United States is rather competitive, with an estimated annual average of US$93,000.

Penetration tester

Penetration testers are, for all intents and purposes, the antithesis of black-hat hackers. The bread and butter of pentesters is to target systems and find vulnerabilities that can be exploited to gain access into computer systems. However, what sets them apart from their criminal counterparts is that they do this legally (at the behest of their employers) to identify any weaknesses that need to be fixed and strengths that need to be maintained. This allows companies to adjust their cybersecurity accordingly.

The pentester is a mid-level role and requires the prospective candidate to be well-versed in information security and be able to use an assortment of coding languages, such as Java or Python. Per CyberSeek, the average annual salary a pentester can expect is around US$104,000, based on their knowledge and experience. It’s worth mentioning that pentesters can supplement their income by moonlighting as bug bounty hunters; some may even choose to pursue bug hunting as a fulltime career.

Cybersecurity engineer

The reason why the cybersecurity engineer position brings up the rear of this list is that it is the most advanced of the bunch. This role requires at least a bachelor’s degree in either computer science or cybersecurity and the prospective candidate has to have a high level of competency in threat detection, analysis, and protection.

Cybersecurity engineers need to be creative as well as technical, since some of their responsibilities include creating processes that solve production security issues, performing vulnerability tests, and even developing automation scripts that will help