Cybersecurity Blog

Academic institutions targeted with malicious Chrome extension – 12/06/18

 

 

A phishing campaign has been targeting academic institutions. The phishing emails appear to come from a post secondary institution and contain a link to a web page that hosts a harmless PDF. When the link is clicked, the user is asked to download the Font Manager extension in the Chrome Web Store.

Users that checked the reviews for the extension found lots of good reviews as well as a few bad ones. It turns out, the clever criminals copied reviews from other extensions to make the Font Manager look more legit and increase the chances people would download it.  The funny thing is they copied the bad reviews as well as the good ones.  For the most part the ruse worked with the extension being downloaded hundreds of times. Once downloaded the malicious extension logged keystrokes and allowed hackers to gain access to the network and desktops remotely.  Several universities have been compromised as a result.

The malicious extension was only discovered because the criminals blew it. University employees arrived in the morning to find their computers’ browsers opened to English-Korean translators and their Keyboard switched to Korean. As the employees weren’t conducting research on Korean websites, they knew something was up.  Had the hackers been more on the ball, who knows how long they would have retained network access.

The Font Manager has been removed from the Chrome Store.  However, this a gentle reminder to only download extensions that you know are safe and you absolutely must have.

 

 

Browser extensions cause of Facebook data breach – 11/05/18

 

 

The BBC Russian Service has found  data from 81 000 Facebook profiles sitting on the web. The data is apparently just a small sample of what was taken from 120 million accounts by a hacker selling his haul.  It is hard to know if 120 million profiles were indeed hacked or if the breach is limited to what is currently on display.  One would think that Facebook would notice 120 million profiles being accessed, so my guess is they don’t have much more than the small sample. After all, criminals aren’t known for their honesty.

Facebook is blaming malicious browser extensions. They are reporting that the extensions were monitoring user’s Facebook activity while shuttling personal information as well as private conversations to the hackers.  The majority of information taken was from Ukrainian and Russian users, however profiles from all over the world were also pilfered.

This is a reminder to be wary of browser extensions. As with apps, only download ones that:

  • You really need
  • Have good reviews
  • Have lots of downloads
  • Come from reputable sites

Malicious browser extensions can be very difficult to detect as extensions update automatically.  This allows hackers to create extensions that are harmless, until their first update. After that your handy extension starts doing all sorts of nasty things.

To reduce the risk, if you really need a particular browser extension consider disabling it when you aren’t using it.  Lastly once you no longer need the extension, remove it from your browser.

 

Adobe Flash update also installs malware – 10/17/18

 

 

Criminals have been disguising Adobe Flash updates as malware for a while now.  They are quite fond of compromising a legitimate website with a fake update pop up. Now there is a new twist on this old tactic.  If you choose to install the fake update it actually does update Adobe Flash. however a cryptominer comes along for the ride.

Because the software does what it says it will do, most people don’t notice what is going on in the background. This allows the malware to go undetected. It isn’t until a few days or weeks have passed and the user finally gets fed up with their slow machine that the malware is discovered.

To avoid fake software updates, remember to visit the application’s site directly for downloads or select check for updates from the software’s menu. Those popups that appear while you are browsing are often loaded with malware.

 

Fake sites use HTTPS too – 10/04/18

 

 

As the holiday season approaches, people around the world are getting ready to cruise the internet looking for great gifts at bargain prices.  As you do your online holiday shopping, keep in mind that sites labeled HTTPS guarantee your data is encrypted as it is transmitted between your computer and the web.  It does not guarantee that the site is legitimate.

Criminals have gotten wise. They are now registering their fake web sites so they are tagged as HTTPS.  So now instead of having to worry about your credit card information being intercepted as you purchase the iPhone XS Max for the unbelievable price of $300.00 USD, you can be confident that only the scammer is receiving your data.

So how do you know that a site is legitimate? Stick with retailers that you have used in the past and access their web sites using a bookmark or search result.  If you receive an email with an offer, don’t use the link in the email.  Visit the website directly.

If you are using a new retailer:

  • Check reviews first.  Avoid retailers with large numbers of complaints that haven’t been resolved.
  • Always pay with a credit card or PayPal so you have a method of recourse should things go wrong.
  • Remember to read all the terms & conditions of sale.  Know if they have a return or exchange policy.

Lastly, remember…if it is too good to be true, it probably is a scam.

 

Hurricane Florence Relief Scams – 09/27/18

 

 

It is a sad reality, but when there is a disaster it doesn’t take long for criminals to find a way to profit.  Hurricane Florence is no exception.  There are numerous websites for hurricane Florence relief that have popped up in the last week.  All have very professional looking graphics and legitimate sounding names.  All of them allow you to donate directly from their web site. However, many of them are simply collecting money and putting it into their own pockets.

In addition to the “charity” websites, the bad guys are sending out phishing emails tugging at your heart strings and asking you to donate to hurricane Florence relief.  Just as you would with any other unsolicited email, don’t click on links or open attachments in these emails.  If you wish to donate, visit a charity’s website directly.

Not sure where to donate? Make sure you do your homework first. Charity Navigator is a terrific organization which investigates and rates charities.  They have hundreds of charities listed on their website.  You can see if the charity is legitimate and how much of their raised funds are given away and how much are used for administrative costs. With a little research you can make sure your good deed doesn’t turn into it’s own disaster.  Happy donating!!

 

Just because a link looks safe, doesn’t mean it is – 09/07/18

 

 

For many of you, not clicking on email links is an obvious choice.  You wonderful folks are the ones who follow best practices and use a bookmark or browser search to access information given to you in an email.  However, there are braver souls out there who prefer to live on the wild side. They hover over links and then determine whether or not it is safe to click.

The argument I hear is…”I know the URL is correct, I have it memorized”. Here is the problem.  Unicode  is used to determine what character should be displayed in a field. It incorporates tons of different writing systems from various languages by giving each character of each language a different code. This is done even if they look the same to the naked eye. So an English “a” is considered to be a different character than a Cyrillic “a”, even though they look identical.  This allows hackers to create fake websites with domain names that look official right down to the domain name.  There is no way to tell by looking at them, which one is legitimate.

The fun doesn’t stop there.  Even if our hacker isn’t sophisticated enough to use the Unicode trick, there are several letters on a keyboard that are extremely similar and can be confused for one another. For example, the letters “I” and “l” are two different letters on the keyboard but look almost identical on the screen.

As clever as the hover trick is, if your hacker is using any of these techniques, you will end up with a data breach.  To truly make sure you aren’t going somewhere you would rather not, stick with the bookmarks and browser search results. Those will take you to the right website every time.

 

 

Scam pretends to lock your phone – 08/10/18

 

 

Windows users have heard about the tech support scam that informs them their computer has a virus and they need to call a 1-800 number to unlock it. Creative criminals are now using the same tactic with iphone users. They have seeded several porn sites with malware.  After your visit, a large dialog box appears on your phone informing you that your phone has been locked because you visited an illegal porn site. It all looks very official as it correctly displays the model of your phone and the URL of the porn site. It then gives you a hyperlink to a number to call to get your phone unlocked.

In reality, your phone isn’t locked at all. If you call the number you get connected to a hacker who then attempts to get information and money from you.  Although this scam leverages a visit to a porn site, a similar scam can be set up with any type of website.  It can also target any kind of phone.  It may be iphone users that are currently targeted, but it won’t take long for this scam to show up on Android phones as well.

Never call a number that shows up in an alert or notification on your phone.  Never click on security warning links either. If you do connect to a call center and start to feel uncomfortable, hang up. Apple will never lock your phone and then ask you to call a number to get it unlocked. Come to think of it, neither will Google or Android.

 

New twist added to the tech support scam – 05/09/18

 

The latest round of tech support scams compromise legitimate websites, sending the site’s visitors to a web page that locks their browsers and displays a fake virus warning. However, the cyber criminals have decided fake virus warnings on their own are not threatening enough. They have added an additional warning that your hard drive will be wiped out for security reasons if the 1-800 number isn’t called before the count down timer runs out.

To make things extra fun, some of these fake warnings have a fake close button that either shifts the browser window to full screen when clicked or creates a popunder that constantly refreshes the main open tab.

As with other tech support scams,  use the Task Manager to shut down the locked browser. When you restart your browser, you will be good to go. That is unless you have your browser set at startup to display the pages you last viewed.  Then you will be redirected to the same compromised web page and have your browser locked up all over again.  At that point your only option is to uninstall and then reinstall the browser.

 

Misspelling a URL can load your computer with malware – 04/24/18

In today’s world of brand recognition, nothing is more important than your domain name. Whether you are Coca-Cola, ESPN or Freds Furniture, you need a web page that people can find just by typing the name of your business.  What happens though when a consumer gets the name wrong? On-the-ball businesses buy the domain names for common misspellings of their name and redirect consumers with fat fingers to the correct web site. Those that don’t, leave consumers and their business exposed.

Criminals are buying up the misspelled domain names of popular web sites and loading them with malware. This practice is called typosquatting. It costs businesses millions in sales and untold grief for consumers.  In the best case scenario, visiting one of these sites will result in your anti-virus going spastic with pop-ups and alerts. At the worst, malware too new for your anti-virus to recognize will be quietly and efficiently deposited onto your machine. Many of these web sites can only be visited once. A repeat visit results in a 404 web page not found error, making it difficult to shut the site down.

The easiest way to protect yourself from typosquatting is to use bookmarks to visit your favourite sites. When looking for new ones, read and re read the search terms you have entered and then read them again.  Don’t let a slip of a finger deliver you into the hands of a hacker.

Fake software updates installing malware – 04/19/18

 

Legitimate websites are being infiltrated by hackers who inject malware that looks like a software update into the site’s code.  The malware detects which browser you are using and displays an authentic looking update notification that matches.  The malware is very stealthy as it only displays the fake update notification once.  This has allowed it to avoid detection until now even though researchers believe it has been in place since at least December 2017.

How do you know the difference between a legitimate update notification or malware disguised as one? You don’t.  The criminals are getting just that good. If you receive a notification that an application or browser needs updating:

  1. Close your application/browser.
  2. Reopen the application/browser.
  3. Go to your application/browser settings.
  4. Locate and select the Update command.

Note that the Update command is sometimes found with the About this application information instead of with the settings. Updating the application or browser within the application itself  is the only safe way to ensure your application or browser is up to date.