Twitter Prank Dupes Users Into Locking Their Accounts

Like users of so many other social media sites, Twitter users were recently exposed to a viral prank. Random tweets announced an easy way to unlock color options for dressing up your Twitter account, and those tweets were retweeted countless times. The irony? Following the directions to unlock color palettes left users locked out of their accounts. This time it’s a harmless scheme that’s more annoying than anything else, but many of Twitter’s 320+ million users continue falling for it.

Social media pranks are nothing new, but there’s a big difference between the harmless and the harmful. The tweets sent out about Twitter’s color scheme told users to change their birth year to 2007 and, behold, new Twitter color options would appear! But when users took the bait, they found their Twitter account locked. Changing a birth year to 2007 alerted Twitter that the user was under 13 years of age. The minimum age for a Twitter account holder is 13, and alerting Twitter to an “underage” account resulted in the account being locked.

At the very least, this latest Twitter prank was annoying and inconvenient. Those caught in the caper were grateful to escape with only having to change their password and provide their correct year of birth. Twitter responded publicly by tweeting a warning about the prank and sent affected users an email with instructions on how to unlock their account. A quick visit to Twitter’s Safety and Security web page supplies helpful information for all Twitter users.

With no shortage of mischief on social media, it’s important to know how to avoid being duped, especially when the intent is harmful and not at all fun. People of all ages are targeted by scammers and hackers on social media with offers of contests and prizes. It sometimes takes a cyber-smart user to recognize a rip-off when they see one. Following common sense and some cybersecurity basics means you too can be cyber-safe on social media.

Getting involved in quizzes and games on social media is an open invitation to identity theft. If you find you’re the lucky winner of a contest, especially one you didn’t enter, beware. Promises of gifts, gift cards, or money, for no apparent reason or for any reason, are lures hackers love to use. Winnings of any kind that require your bank account number or other sensitive information to collect the payout are a ruse that usually ends in financial or identity theft. Hackers also take any opportunity to download malware, especially when it happens in the background while you’re happily browsing social media, none the wiser. Remembering the adage “If it sounds too good to be true, it probably is,” along with a healthy dose of common sense, can prevent a lot of headaches for social media fans.

Stickley on Security
Published April 17, 2019

Clever Ways Cybercriminals Plant Malicious Links

Are you ready for another article preaching about the risks associated with emails? Well, I will make a deal with you. I will only talk about the stuff you probably already know for just one second, and then I’ll spend the rest of the time talking about some crazy new ways criminals are having success with malicious links in emails. I know, I know, phishing scams are old news and only your grandparents and Millennials are still falling victim, but you have to remember, criminals are not known for giving up. And just when you think you have it all figured out, they change the game.

First, let’s cover the stuff you have probably been told more than once. According to a recent study conducted by IRONSCALES, over 90% of all successful cyberattacks can be directly tied back to a phishing email. That means that phishing scams are clearly working. That said, the number of breaches has begun to decline, which seems to indicate that people are starting to figure it out. The most obvious lesson that has been learned is simple: when you receive an unsolicited email, don’t click the link and don’t open the attachment. By following this basic advice, you can all but eliminate the risks associated with email. Just to be clear, there can also be risks tied to phone numbers sent in emails. In those cases, the criminal may attempt to trick the recipient into giving personal or private information over the phone. So really it just comes down to not trusting anything in an unsolicited email.

Now, the term “unsolicited email” is interesting because it turns out that it can mean many things to many people. For example, if I am a customer of a bank or credit union and I receive monthly statements via email, technically that is not unsolicited: even though it was not a response to an immediate request, it was still something I expected. LinkedIn is another example, where you may receive an email letting you know someone has requested to “Join your network.” This too is technically not unsolicited, as you are expecting to receive these emails from time to time.

But this is where things start to get complicated, because there are literally thousands of examples where you could receive an email that, though unsolicited, still technically makes sense for you to have received. Unfortunately, criminals are on to this and have begun to really zero in on these types of attacks.

Now an argument could be made that in order for a criminal to have success with one of these attacks, they would need to know, or at least be able to guess, what services and companies you work with. And while that may be true to a point, the reality is that if they send out 100,000 emails pretending to be from mainstream organizations such as LinkedIn, Amazon, or a large bank or credit union in your region, they are likely to have a high success rate in finding people who do business with that organization. That said, if you are even a little tech savvy you might be able to look at the link in the email and realize that it points to a domain different from the one the email claims to be sent from. For example, an email claiming to be from LinkedIn may have a link that goes to something like linkedin.sec-update.com. This is obviously not a real link to LinkedIn, and that might be enough to keep you from clicking it.
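The domain check described above, written out as a defender-side filter (an added example, not code from the article or from Stickley on Security): it pulls every URL out of a message body and flags those whose host is not the claimed sender’s domain or a subdomain of it, so linkedin.sec-update.com is caught even though it contains the brand name. It goes one step beyond the article’s case by also resolving the host correctly when a URL carries a user-info part before the real host. The sample message and the claimed domain are constructed for the example.

```python
"""Flag links in an e-mail body that do not belong to the claimed sender.

Added example, not from the article: implements the "look at where the
link really points" check for the linkedin.sec-update.com pattern.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Matches http(s) URLs in plain text; sufficient for a demonstration.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of url, or None if it has none.

    urlparse().hostname drops scheme, user-info, port and path, so a
    URL such as https://linkedin.com@help.example.net/ resolves to
    help.example.net, the host a browser would actually contact.
    """
    try:
        host = urlparse(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if not host:
        return None
    return host.rstrip(".").lower()


def host_belongs_to(host: str, claimed_domain: str) -> bool:
    """True if host is claimed_domain itself or a subdomain of it.

    www.linkedin.com belongs to linkedin.com; linkedin.sec-update.com
    does not, because the brand is only a label under another domain.
    """
    claimed = claimed_domain.rstrip(".").lower()
    return host == claimed or host.endswith("." + claimed)


def suspicious_links(body: str, claimed_domain: str) -> List[str]:
    """Return every URL in body whose host is not under claimed_domain."""
    flagged = []
    for url in URL_RE.findall(body):
        host = normalize_host(url)
        if host is None or not host_belongs_to(host, claimed_domain):
            flagged.append(url)
    return flagged


# Constructed sample message in the style of the article's example.
SAMPLE_BODY = """\
Someone wants to join your network.
Accept: https://www.linkedin.com/mynetwork/
Verify your account now: https://linkedin.sec-update.com/login
Help: https://linkedin.com@help.example.net/reset
"""

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_BODY, "linkedin.com"):
        print("suspicious:", url)
```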

But things are starting to get even more complicated. Recently criminals have begun using legitimate third-party services to send malicious emails. For example, if a criminal is targeting employees at a specific organization, they will do some research to get a list of the employees at that organization. Often this can be done through LinkedIn. Now, with the help of Facebook or one of the many other social networking sites, it isn’t so difficult to find an employee who has an upcoming birthday. Next, they go to the website evite.com, a service designed to send out invitations to parties and events, and create a new invitation. They will make the invitation look like it is being sent from one of the employees at the organization and announce that there is a surprise birthday party for the employee who has an upcoming birthday. Because real names are being used and because a real service is being used, the email sent is technically 100% legitimate.

Now, to pull off the scam, the criminal will add one more small detail in the message of the evite. They will include a link to either a blog about the upcoming birthday party or perhaps a link to a funny video about the birthday boy or girl. Obviously there are a number of reasons one may want to include a link and the evite.com company will send that link as part of the evite. So, to complete the attack, the criminal sends the email to as many of the employees of that organization as possible.

Please note that getting email addresses for employees is incredibly easy and no longer a deterrent of any kind for most cybercriminals. So when an employee receives the email, it is actually sent from evite.com, a legitimate company. This means that technically it is a legitimate email that will make it past any spam filters and other security designed to screen emails. In addition, the email will be talking about a specific employee who is known within the organization, and ultimately it will contain a link to more information. If the user follows the link in the email, they are taken to the evite.com website, which is safe and completely OK. The problem is that once there, if they follow the link inside the message, they will be compromised.

While this may sound a little complicated, the reality is that it is very simple for the cybercriminal to pull off and very difficult for the potential victim to detect. Simply put, it means that even legitimate organizations like evite.com can be manipulated into becoming malware-spreading websites.

So, what can you do? Well, first you need to continue to be cautious about clicking links, opening attachments, or calling phone numbers that you receive in unsolicited emails. Next, you need to make sure you understand the concept of an unsolicited email. It is important to remember that emails sent as part of mailing lists, online bills, account status updates, social media notifications, etc. can all be forged by a cybercriminal and therefore need to be viewed with an additional level of scrutiny. Before ever clicking the link or opening the attachment in these types of emails, stop. Be extremely cautious about opening any attachment, and if there is a link, confirm that the domain the link is directing you to is legitimate and truly goes to a website that you trust.

And last but certainly not least, if you receive an email from a legitimate organization such as evite, PayPal, Amazon, or eBay and it contains a message that can be provided by a third party, be extremely cautious about following the links in those messages. Again, to be clear the email itself will contain a legitimate link to the sender’s website, but once at the website, there will be a message with an additional link. That is the link that you should avoid.

As usual, when in doubt stop and pick up the phone and contact someone in your organization. Detecting malicious emails can be difficult and unfortunately it seems to be getting harder. It’s up to you to remain vigilant to stay one step ahead of the cybercriminals.

Stickley on Security
Published April 19, 2019

How to Use a Gift for a Down Payment on Your Mortgage

If you’re looking to purchase a home, you probably already know that there is generally a down payment required before you can move forward with the buying process. You probably also know that there is a specific percentage of the overall amount of the loan the lender needs to receive for the down payment. What you may not know, though, is that there can be rules about where that money comes from. Different lenders and guarantors have their own criteria, but watch out for these restrictions:

Gift Status

If mom and dad want to help out by making up the difference between what you have saved and the total down payment required, be grateful. But also understand that this money normally needs to be given as a gift and not as a loan. It’s understandable that lenders wouldn’t look kindly upon potential borrowers who need to take out a loan to qualify for a loan.

Source of Gift

Lenders tend to raise an eyebrow and lower the big red “denied” stamp on you if a gift you have received is from a friend or associate. The reason is that they see it as far less likely that the money you have received is actually a gift. It’s more likely, at least in the lender’s eyes, that this person is lending you the cash. You will be much better off getting money from a direct family member.

Paper Trail

Documentation—like a copy of a check or money order—makes lenders feel warm and fuzzy. If suddenly a large cash deposit comes out of nowhere and ends up in the account from which your down payment will come, your lender can be spooked and think something fishy is going on. Even better than just a copy of the transaction is to get a “gift letter” from the person who has given you money for a down payment that stipulates the money is not expected to be repaid. The letter should also contain the total amount of the gift and the source of the gift to show the giver’s ability to simply turn over a large amount of cash without ever getting it back.

Size of Gift

Some lenders restrict the percentage of your down payment that can be gifted. For example, they may require that at least 25% of the down payment amount come from your own account. As with each of these criteria, it is important to ask your lender what their particular policy is.

You may be asking yourself: What about funds that were given a while ago? Generally, if you have had gifted money in your own account for more than three months (though some lenders will do 1 or 2 months), it is considered “seasoned.” In that case you generally don’t need to provide the documentation listed above and a lender or guarantor is much less likely to question the source of the funds.

The moral of the story? If you need a little help with your down payment, it helps to plan ahead. However, if you have a shorter time frame, you can sail through the down payment process by taking just a few key steps.

BALANCE

Nine Steps to Getting the Car You Want

A vehicle is likely to be one of the largest purchases you will make in your life. By taking the time to properly plan and prepare for buying a car, you can save yourself hundreds or thousands of dollars. Check out these steps to set yourself up for a more secure financial future:

#1 Figure out what you can afford.

Complete a spending plan. As you create your spending plan you can adjust the numbers to see how different transportation expenses would fit into your monthly expenses. You can then plug that monthly number into an auto payment calculator to see how much you can afford.

#2 Monitor your credit.

Review your credit reports. To ensure the accuracy of the reports and pinpoint areas that may need work, use the credit bureaus’ annual credit report service to get free copies of your reports at www.annualcreditreport.com or by calling 877-322-8228. If you would like a certified credit coach to review your reports with you, call BALANCE at 888-456-2227.

#3 Find the right car for you.

Think about how you will use the vehicle. Will you be using it to cross snow-covered mountain passes with hairpin turns and thousand-foot drops, or will you be using your vehicle for something more challenging, like chauffeuring your children?

Pay special attention to the safety and reliability ratings. No car meets your needs when it’s up on blocks next to the garage or puts you in harm’s way.

Check with your insurance provider. That cherry-red sports car might sound like the key to your eternal happiness, but you might not be as thrilled when you get your car insurance bill.

#4 Consider new vs. used, buying vs. leasing and down payment amount.

Decide whether you will buy a new or used vehicle. Do you prefer the negligible wear-and-tear and increased reliability of a new vehicle, even if it means the value may drop sharply in the first few years? Or would you rather let someone else take on that depreciation by going with a used vehicle, but take the risk of not fully knowing the condition and history of the vehicle?

Figure out if you would rather buy or lease the vehicle. If the idea of always driving a new car matters more to you than likely saving money in the long-run, leasing might be an option to consider.

Think about how large of a down payment you can make. Making a down payment can help you get qualified for a loan, get a better interest rate, get a lower monthly payment, get a more expensive car for the same monthly payment, or build equity (owing less on the vehicle than it is worth) more quickly.

#5 Get financing.

Arrange your vehicle loan before you go to the dealership. You will have a lot to think about when you are at the dealership looking at cars: different vehicles available, test-driving, negotiating a price, etc. Just like you shop around for a good deal on a car, shop around for the best deal on financing.

Avoid subprime lenders. If you can’t qualify for an auto loan with a credit union or bank, consider working on your credit standing first or maybe getting a co-signer and then reapplying for the loan instead of accepting the unfavorable terms provided by a subprime lender.

#6 Determine favorites, contact dealers and check quality.

Find the vehicles that best fit your needs. Websites like cars.com, Consumer Reports, Edmunds, and Kelley Blue Book regularly publish articles on the best vehicles to meet particular needs, so take advantage of these free resources. Create a comparison chart to keep track of all the attributes that matter most to you and how each vehicle stacks up.

Use the Internet or trips to dealerships to comparison shop. Once you know which vehicle will suit you best, start looking at particular models and add the prices of each to your comparison chart. Also, do test drives and check vehicle histories. During the test drive, pay special attention to the transmission, shocks, brakes and alignment. If you aren’t sure what to look or listen for, invite a more experienced driver along on the test drive. Write down the Vehicle Identification Number (VIN) and use it to get a vehicle history report from a company like AutoCheck or CARFAX if you are shopping for a used vehicle.

#7 Get the best price on the car.

Know what your preferred models are selling for. Companies like Kelley Blue Book, TrueCar and Edmunds specialize in tracking the average price of vehicles and rebates or incentives available.

Negotiate each piece of the deal separately. Beware of salespeople who roll the different components of the transaction (purchase price, financing, trade-in, extras) into one deal or who make an offer in one area of the deal that sounds too good to be true.

Walk away if you are not happy with the deal. You know what you can afford and ultimately you control this transaction, so let the salesperson know you know where the door is and that you won’t hesitate to use it if they can’t meet your number.

#8 Know your legal responsibilities.

Find out the insurance necessary for your state. The Insurance Information Institute’s website at www.iii.org has a list of the minimum insurance requirements for each state.

Learn what the DMV requirements are for your area. Contact your state’s Department of Motor Vehicles (DMV) to make sure you have the proper license plate stickers or any other items that might be necessary to register your vehicle.

Know what to do if you can’t make your car payment. If you find yourself in a situation where you are struggling to make a car payment, the worst possible thing you can do is to avoid your lender. Instead, work to avoid repossession by staying in contact and asking about hardship programs.

#9 Put yourself in position to succeed long-term.

Establish an emergency savings account. Unexpected expenses have a way of popping up in life and vehicles can be a major source of these.

Save on gas. Consider ways you can get more out of the gas you buy, like using the air conditioning sparingly and removing heavy items from the trunk.

Save on your insurance. Shopping for the best insurance deal is always a good idea, but think about all the ways you could get a better deal, like improving your credit score, buying a used car instead of a new one and avoiding 4-wheel drive and high performance cars.

BALANCE

Using Airport Wi-Fi May Take You For An Unexpected Ride

Flying those friendly skies may not be as friendly if you use free airport Wi-Fi. An increase in e-ticket hacking has many unsuspecting travelers wondering what went wrong with their plans. Leaving no stone unturned, hackers find that it pays to intercept passenger check-ins. Recent revelations find that many airlines’ e-ticketing and check-in processes do not encrypt those transactions over Wi-Fi. That’s great news for hackers, who easily gain access to the same networks as passengers using public Wi-Fi. Not only can hackers see a ticket-holder’s information, in some cases they can change bookings and boarding passes for their own benefit.

Despite endless warnings about how hackable public Wi-Fi is, many still choose to use it. Researchers from Wandera found that hackers who gain access to public Wi-Fi can find out a lot about a traveler. The PII (Personally Identifiable Information) available to hackers includes full name, frequent flyer points, confirmation number, passport ID, email, and mobile phone number. In other words, everything needed to book another flight and a boarding pass. For those who had their Wi-Fi session hacked, it may not be until they try to board their flight that they find they no longer have a ticket.

Wandera researchers alerted impacted airlines and government agencies after finding the flaws in their processes in December 2018. Worldwide, there are currently eight airlines involved with this particular Wi-Fi vulnerability, and all have been notified. It’s not the first time airlines have had security vulnerabilities. Last year, British Airways and almost 400,000 of their customers had their credit card payments compromised. Air Canada and Delta also saw thousands of customers and their PII gone with the wind.

Keeping your PII safe while traveling takes a commitment, especially since PII is also under siege from phishing and malware attacks. Staying off public Wi-Fi, particularly when checking in, is a great start. Security researchers strongly recommend performing all necessary communications, including check-in and printing your boarding pass, from home or another secure site before arriving at the airport. If you’re not able to connect from a secure site, use the cellular data on your device. It’s a small price to pay to know your PII and your seat on the airplane remain undisturbed. Remember, as stressful as airline travel can be, navigating your trip safely online can help make those skies much friendlier.

Stickley on Security
Published April 7, 2019

A Case Study In The Importance Of Strong Password Enforcement

Two months before it was breached, a popular Taiwanese computer company ignored warnings from security researchers about employees with leaky password habits. Asus chose to ignore the alarm bells and continued with business as usual. Two months later, Asus’ network weakness and its unwillingness to address it resulted in a massive, socially engineered phishing attack, all started by poor password hygiene.

Specifically, Asus maintained a GitHub site providing a place for programmers to deposit and get code. Several of the Asus GitHub users left email account passwords and usernames on the site, publicly exposing the data to anyone who looked. One engineer who had access to the company’s nightly builds, patches, and development tools, left a password unprotected for over a year.

Asus publicly acknowledged the breach and announced a security patch for the problem. The patch was easily found on the company’s own LiveUpdate tool. Little did Asus know, their LiveUpdate tool had been compromised by hackers waiting to pounce with malware. But that is only one of the problems.

The patch held a malware-laced security update that looked like the real deal. There were no red flags, and no one expected a thing. Hackers dedicated to digging deeper into the Asus system injected malware called Shadow Hammer into the security patch. The Shadow Hammer malware is believed to be an APT (Advanced Persistent Threat), the kind of attack often used by one nation against another. These hacks typically target organizations and not everyday users. The malware was designed to target approximately 600 specific users’ devices. When it found them, it deployed.

The ongoing problem of corporations not responding to security weaknesses, especially after they’ve been warned about them, is a risk to users and customers everywhere. Combine a lack of cyber-resilient systems with employees who have no cybersecurity training, and you have a recipe for disaster like Asus. They’re far from the only corporate culprits; similar password problems ended with Uber having data stolen from 57 million of its users.

Common sense dictates that the corporate world should be more aware and heed warnings about security weaknesses, and pronto. There’s a vital need to provide security patches and system updates as soon as they are available, and in a malware-free, safe setting. Keeping systems updated is not optional. Zero-day exploits are the real deal, and leaving systems vulnerable when patches are available is indeed taking a risk that doesn’t need to be taken.

Of course, threats will never be completely eliminated. However, threats to network security can and should be countered with well-trained staff. Ongoing and continuous employee cybersecurity education is vital to secure internet navigation, and it provides a desperately needed one-two punch against hackers. Do some research, ask colleagues in your industry, and find what works best.

Stickley on Security
Published April 11, 2019