IT Security Newsletter

Is that email really from your real estate broker? – 06/19/18

A couple from the US were devastated when they called their broker to find out that the $500 000 they had wired had not arrived. In fact, the broker had not even requested funds. Upon further investigation, it was discovered that the email they had received with the fund request had come from an email address that was just one letter off from their broker’s. The money that they had wired was now sitting in a scammer’s account.

What made the email so convincing was that it included relevant details. The email not only looked like it had come from their broker, but it sounded like it too. So much so, the couple didn’t even pause to double-check the email address. How did the criminals construct such a believable email? They had done their homework. They had gained access to the couple’s email and used information from previous messages to construct the fake one.

The sophistication of this attack goes beyond just sending a fake email. Once the criminals knew the money was on its way, they jammed the couple’s internet access and diverted some phone messages so they couldn’t contact authorities and stop the wire. These are tactics that were once reserved for large organizations but are now being used on the regular consumer. You can no longer sit back and feel assured that your simple little life isn’t a target for criminals. Today, EVERYONE is a target.

To protect yourself, do not rely on being able to identify a fake email. Scammers are getting better and better at creating emails that look perfectly legitimate. Instead, call the email sender to verify the legitimacy of any email that makes a request for money or personal information. Even if you are expecting that email, it is better to be safe than sorry. Just remember to use a phone number that you have used before and you know is legitimate. Be safe. Pick up the phone and call.

Adidas is not giving away free shoes – 06/19/18

From the Too Good to Be True file comes the Adidas anniversary giveaway. Messages are currently circulating in WhatsApp promising a free pair of Adidas shoes in celebration of their anniversary. Initially, messages referred to a 93rd anniversary; however, the hacker decided to do some basic math and more recent messages correctly refer to a 69th anniversary.

You might be asking, why on earth would someone fall for this? Well, once the scammers sorted out their math, they were clever enough to spoof the official Adidas site. The fake URL is exactly like the legitimate one, with only the i replaced with a vertical line with no dot. This is an easy thing to miss when one is being tempted with free footwear.

In addition, the scam is quite sophisticated. They don’t just come right out and say, give me your personal information and I will give you free shoes. Instead, they give the whole thing a legitimate feel by making the victim qualify first by answering a short survey and requiring them to share the offer with their WhatsApp contacts (just for the record, there is no way for them to determine if you have shared a message or not). Once you qualify, you are told you can claim your shoes for a dollar. Of course, as payment is now required (but it’s only a dollar, so it’s nearly free), you are sent to a webpage that collects your payment card information. Having jumped through multiple hoops to claim your prize, you now feel like you have earned the free shoes and all thoughts that this is a scam are gone from your mind.

That is until you see the confirmation of payment web page that includes a line in the footer saying you will be charged $50 per month if you don’t cancel your subscription in seven days.  Of course they now have your payment card information and will charge you what they want for as long as they want until you cancel the card.  Even worse if you fail to read the footer, they will have access to your card until you notice the charges.

Anytime someone is giving something away, assume it is a scam. If you are tempted by the sparkly giveaway being dangled in front of you, visit the company’s website using a bookmark or search engine result. If they are giving something away, it will be advertised on their official site.  Remember if it is too good to be true, it probably is.
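The two lookalike tricks described above (a sender address one letter off from the broker’s, and a URL whose i is replaced by a vertical line with no dot) can be checked mechanically. The following Python sketch is an added example, not part of the original newsletter; the trusted list, the `examplerealty.com` broker domain and the small confusables table are constructed assumptions.

```python
import unicodedata

# Constructed sample allow-list (assumption): domains the user already deals with.
TRUSTED = ["adidas.com", "examplerealty.com"]

# Deliberately small, constructed confusables table: characters that render as a
# bare vertical stroke fold to "i". Real deployments should use the full
# Unicode confusables data (UTS #39).
CONFUSABLES = {"\u0131": "i", "\u0456": "i", "l": "i", "1": "i", "|": "i"}


def skeleton(domain):
    """Fold a domain to a comparison form: lowercase, no accents, confusables mapped."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address_or_host, trusted=TRUSTED):
    """Return (verdict, trusted domain it resembles) for an e-mail address or host."""
    host = address_or_host.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if host in trusted:
        return ("trusted", host)
    for good in trusted:  # same shape on screen, different characters
        if skeleton(host) == skeleton(good):
            return ("homoglyph", good)
    for good in trusted:  # one character inserted, dropped or substituted
        if edit_distance(skeleton(host), skeleton(good)) == 1:
            return ("one-letter-off", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ["jane@examplerealty.com", "jane@examplerealy.com",
                   "ad\u0131das.com", "adldas.com", "example.org"]:
        print(sample, "->", classify(sample))
```

A "homoglyph" or "one-letter-off" verdict means the name imitates a trusted one; an "unknown" verdict only means it resembles nothing on the list, not that it is safe.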

Is that app really as popular as it seems? – 06/15/18

Cyber criminals are getting wise. They have noticed that if an Android app has lots of downloads listed, the odds are pretty good that others will download it as well. They are using this phenomenon to trick people into downloading their malicious apps.

How are they doing it? When you browse the app store,  the only information that you see is the app name, app icon and the developer name. Creative criminals are taking advantage of this by entering their developer names as 100 Million Downloads, Installs 1,000,000,000 + or simply 5,000,000,000.

Criminals aren’t stopping the deception there. They are also using Verified Application or Legit Application as their developer names. Never mind that Google Play doesn’t have a developer account verification service, it looks good anyway.

This is just a reminder that when you are looking for apps to download, stick to Google Play and read reviews carefully. Stay away from apps that use deceptive tactics, have few reviews or few downloads. Happy and safe downloading!

Watch out for fake vacation deals – 06/14/18

With summer just around the corner, scammers are setting the bait with deals on cheap flights, huge discounts and hotel bargains. These too-good-to-be-true offers are often exactly that. If you receive an unsolicited email or text advertising a holiday deal, use your cyber safety skills. Visit the websites of companies you know directly and search for reviews on those you do not. If you are tempted to take the bait, pause and make sure:

  • you are dealing with a reputable known company
  • you have read the negative as well as the positive reviews
  • the domain name is correct and typosquatting isn’t being used
  • you read all terms and conditions
  • there is a way to contact the company should things go wrong
  • the site URL displays https before you enter payment information
  • payment is made with a credit card

Messaging stuffed animal a security risk – 06/11/18

CloudPets allows kids to send and receive messages through an adorable stuffed animal. Unfortunately, last year hundreds of thousands of kids using CloudPets had their data and voice messages exposed. You would think that after such an incident, the company would take measures to fix the vulnerabilities that allowed that to happen. However, researchers have found that over a year later, nothing has changed. The toys remain full of security flaws that can easily be exploited.

Fed up with the company’s clear lack of concern over its users’ privacy, Walmart, Target and Amazon have pulled the toys from their stores. If one of your loved ones has a CloudPet, I strongly recommend that you disconnect it from the Internet until the company addresses its security issues.

Some Google Groups are leaking data – 06/05/18

Have you checked the settings on your Google Group lately? By default, when you create a group, only group members can post and view messages, and people must ask to join the group. However, researchers have discovered that thousands of Google Groups have their permissions set to allow the general public to view the group posts. This would not be an issue if the people posting information to the Google Group understood that their posts could be viewed by the public. However, sensitive and private information has been found within these group posts, suggesting that they really have no idea.

If you are the owner of a Google Group, please take a moment to check your permissions. To check permissions:

  1. Open the Google Group.
  2. In the title bar of the Google Group,  click Manage. The left menu changes.
  3. In the left menu, click Permissions. A list of permissions appears.
  4. Click to select each permission type and review its settings.

Please note that if you have selected All organization members for View topics or Post, anyone with an @mtroyal.ca email address may do so. This includes students, staff and faculty. If you have selected All members of the group, users must actually join the group to be able to post or view emails/topics.

If you wish to email/post to a Google Group, check the settings of the group to see who can see the messages you send. To check the settings:

  1. Open the Google Group.
  2. In the title bar of the Google Group, click About.
  3. Scroll down to find the Access section. The posting and viewing permissions of the group are listed here.

If you have questions or concerns about setting permissions, please contact Bernadette Pasteris at bpasteris@mtroyal.ca.

Your router may be infected with malware – 05/30/18

A type of malware called VPNFilter could be sitting on your router at home.  It steals data passed through the router, can make it non-functional and is very hard to detect. The threat is so concerning that the FBI has issued an advisory asking everyone to reboot their routers.  Although there is a list of routers that are known to be affected, everyone is being asked to reboot all routers as a precaution. A reboot will not remove the malware from the device, but it will make it ineffective.

To ensure the malware is completely removed from your router:

  1. Reset the router to its factory defaults. Check the owner’s manual for instructions.
  2. Update the router’s firmware (software that runs the router).
  3. Change the default admin password (usually found on the sticker at the bottom of your router).
  4. Create a new wifi password.
  5. Make sure Remote Administration is disabled.

You can find your owner’s manual online by Googling the make and model of the router. To change the router settings on most devices, you enter a URL containing a bunch of numbers and dots into your browser’s address bar. This takes you to a login page.  Your username and password are usually found on a sticker at the bottom of your router along with the URL. Once you have logged in to your router you can change the default admin password, create your wifi password, disable Remote Administration and update the firmware.

The good news is this process will completely remove the VPNFilter malware from your router. The bad news is once you reset it you will have to create a new wifi password and reconnect all your devices.

Chinese Consulate General warns about phone scam targeting Calgary – 05/28/18

Got a call from someone speaking Mandarin and the call display says it is from Calgary? There is an aggressive phone scam making the rounds. Currently their target is Canadian Chinese, but there is concern it could spread.

Fraudsters are impersonating government agencies, calling victims and telling them their personal information has been compromised and as a result they are suspected of laundering money or extortion. The victims are told the only way they can clear their names is by transferring money to a special account for financial review. In two cases, the criminals were able to convince Calgary college students to cut off all contact with everyone except the fraudster and call family telling them they had been kidnapped and ransom needed to be paid. Fortunately, the Calgary Police Service were able to locate the fake kidnapping victims; however, a large number of resources were consumed at taxpayers’ expense.

If you receive a phone call threatening you with arrest or legal action, get the name of the individual and the agency they are calling from, then tell them you will call them back and hang up. Do a Google search to find the contact information for that agency and call them asking for the individual who called. Do not use a phone number that someone on the phone has given you. If they are a legitimate agency, you will be able to contact them from the information you find in a Google search.

Source:

  • (2018, May 28) Lu Xu, ‘Calgary being haunted by “virtual kidnappings”’, The Calgary Herald, A9

University of Regina breach due to weak passwords – 05/28/18

Last year when a University of Regina engineering professor was checking grades, he noticed the class average had changed.  When he investigated he found that some students’ grades had been changed and it appeared as though the Dean had done it.  When the Dean was questioned, it was determined that his account had been compromised.

The University has conducted a thorough investigation into the hack over the last year and has determined that weak passwords and the faculty use of default passwords were responsible for the security breach. The student responsible was expelled.

As a result of the breach, the University has made several changes to its systems and has recommended mandatory training for all employees.

This is a reminder to keep your accounts secure with strong passwords that are unique for each account. If you would like to learn how to create strong passwords that are easy to remember or learn how to easily and safely store passwords, sign up for a workshop, complete the online training or contact me at bpasteris@mtroyal.ca and I would be happy to help.

Alexa secretly records and messages a private conversation – 05/28/18

A couple in Oregon thought Amazon’s Echo was just the thing to make their life easier.  They purchased the device and then connected it to their environmental controls, lights and security.  With Echo, they could use the Alexa voice assistant to control their whole home with voice commands. Everything was wonderful until they received a panicked phone call from someone on their contact list telling them to unplug their Alexa device.  Without the couple’s knowledge, a message had been sent to him containing a recording of their private conversation.  He was sure they had been hacked.

Unfortunately, that wasn’t the case. No hack had occurred. In fact, Alexa had become ‘confused’. According to Amazon, the voice assistant ‘heard’ a word similar to Alexa that caused it to start recording. It then ‘heard’ a string of requests that resulted in the recorded conversation being sent to the panicked caller. Amazon has since assured the public that occurrences such as this are very rare and that they are working to reduce the odds even more.

For this Oregon couple though, the trust has been broken.  Feeling violated, they will never be plugging the device in again. They are choosing the privacy of their home over the convenience of a voice assistant.

Sources:

  • (2018, May 25) ‘Alexa are you recording this?’ The Calgary Herald, NP6
  • http://business.financialpost.com/technology/personal-tech/amazons-alexa-eavesdropped-on-a-couples-conversation-and-then-sent-the-recording-to-someone-else