Nearly 26K Malicious Apps May Have Your Information

A company called Trustlook decided to apply some risk scores to a bunch of apps. In the process of doing this, it found that nearly 26,000 malicious ones are currently using Facebook to gather information about users and possibly the friends of those users. Without getting too technical, these apps are believed to use information from the login Application Programming Interface (API) to collect information such as profile names, locations, and email addresses.

In basic terms, when you use your credentials for a site such as Facebook, Google, Twitter, etc. to log in to another application, some information from your profile is likely getting passed on to the third party. You agree to that when you agree to the terms and conditions of the app. However, your friends and connections may not have agreed to those terms, yet their information is being accessed as well.

There is some controversy surrounding that, but Trustlook’s point is that a whole lot of apps are using the information that gets passed to them via Facebook in a way that users may not have authorized. Think Cambridge Analytica and all the friends of friends who had information passed from Facebook because users took a quiz put up by a third party.

A post from Trustlook explained it this way: “When people use Facebook Login, they grant the app’s developer a range of information from their Facebook profile.” They reference a case from 2015: “That means that while a single user may have agreed to hand over their data, developers could also access some data about their friends.”

This is why it’s advised to use unique logins for every site visited on the web. Yes, it’s much easier to just use your Amazon login to also log into your Woot! account, for example, but don’t. Take the time to set up a new profile with a unique password.

And because you’re letting out a big sigh right now trying to figure out how you’re going to remember different passwords for every account, try a trick passed on by Jim Stickley of Stickley on Security:

First, create a base password of at least six characters. In it, include upper and lower case letters, at least one number, and at least one special character (hint: most sites allow a period, @, and ! as your special characters).

Next, take two consistent characters of the website and incorporate them into your base password in the same position every time. For example, the first two or last two letters can be added to bookend your base password. Your base password may be 7*dLeiK# and you’re visiting Amazon’s website. Your new password would become A7*dLeiK#n. Using a strategy like this makes it highly unlikely that you will ever repeat a password.
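The two steps above amount to a small derivation rule, so here it is written out as code. This is an added example, not code from the Stickley on Security article: the article supplies only the rule and the Amazon case (base 7*dLeiK#, site Amazon, result A7*dLeiK#n). The normalization of site names and the collision check are our own additions, and all function names are ours.

```python
"""Base-password scheme from the article, made checkable.

Added example; the function names, the site-name normalization and the
collision check are ours, not the article's. The article only states the
rule: capitalised first letter of the site + base password + last letter.
"""

from urllib.parse import urlparse


def site_name(site: str) -> str:
    """Reduce a site label or URL to the bare name the scheme keys on.

    'Amazon', 'amazon.com' and 'https://www.amazon.com/' all become 'amazon'.
    Normalising first matters: the rule says 'the same position every time',
    so the same site must always yield the same two characters, however you
    happen to type it.
    """
    host = urlparse(site if "://" in site else f"//{site}").hostname or site
    labels = [lab for lab in host.lower().split(".") if lab and lab != "www"]
    # Keep only the leading label; this drops .com, .co.uk and so on without
    # a full public-suffix lookup, which is enough for this scheme.
    return labels[0]


def derive_password(base: str, site: str) -> str:
    """Bookend the base password with the site's first and last letters,
    first letter capitalised, exactly as in the article's Amazon example."""
    name = site_name(site)
    if len(name) < 2:
        raise ValueError("site name needs at least two characters")
    return f"{name[0].upper()}{base}{name[-1]}"


def collisions(base: str, sites):
    """Group sites that the scheme maps to the same password.

    The article says repeats are 'highly unlikely'; this shows exactly when
    they do occur: any two sites that share a first and a last letter.
    """
    seen = {}
    for s in sites:
        seen.setdefault(derive_password(base, s), []).append(s)
    return {pw: names for pw, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    base = "7*dLeiK#"
    print(derive_password(base, "Amazon"))                  # A7*dLeiK#n
    print(derive_password(base, "https://www.woot.com/"))   # W7*dLeiK#t
    # Constructed site list: 'amazon'/'aspen' and 'woot'/'wheat' collide.
    print(collisions(base, ["amazon", "aspen", "woot", "wheat"]))
```

The collision check is the part worth running on your own list of sites before adopting the scheme: it tells you which pairs of sites would end up sharing a password, which is the one thing the scheme is meant to avoid.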

And just to be clear, these tens of thousands of apps are not necessarily using the information for evil. They were, however, given a high risk score by Trustlook, which means they may be doing things such as capturing photos or making an excessive number of network calls. In any case, if you don’t want any of your friends’ information passed on to third parties, avoid using apps that you find on other websites such as Facebook.

Also, keep in mind that if you do use your social media account or others to log into websites, should one of those be breached, your account for the other site is at risk too.

Stickley on Security
August 7, 2018

Scammers Are Watching You And Making Threats

By now, it’s likely that a password to at least one of your online accounts has been stolen and sold as part of a data breach or accidental exposure. Scammers are using these in a newly surfaced scam that tries to scare people into paying in Bitcoin. And it uses the fear of someone spying via the computer or device’s video camera to do it.

Let’s face it. You’re not doing anything wrong, right? Well, it can still be intimidating to think someone is watching your every move. Possibly enough to scare users into sending Bitcoin. The hope is that by claiming the attackers have video of the victim watching pornographic material or something else potentially embarrassing, they will send money in the form of Bitcoin to them as part of the blackmail scheme. The emails may have the following characteristics:

– The subject line may include a real password you used in the past, or use currently.
– The scammer claims that they actually hacked into your device and installed malware that can record video of you.
– They continue to threaten that they will send video of you watching inappropriate content to your contacts if you don’t pay up about $1,200 to $1,600 in Bitcoin.

Regardless, it’s a good idea (and highly advised) to change any passwords that have been exposed by any breach in the past. And make sure to have unique passwords for each account. If someone has one password, and it’s the same one you use on multiple accounts, then they can simply try it against your other accounts and get into not just one, but several of them.

– If you can’t seem to remember your passwords, don’t be afraid to write them down using good old pen and paper and store them in a drawer out of sight. Lock it up when you’re not nearby. This applies even at your house: lock it in a safe or drawer.
– If you really feel the need to type it on the computer, don’t save your list on the device. Print it and follow the locking up instructions in the previous paragraph.
– If you just cannot come to terms with not having it on the computer, consider using password clues that only you would know rather than writing out the entire passwords. Also encrypt the file or, at a minimum, password protect it.
– Another, but not highly recommended, option is using a password manager. There are several companies that provide this service. However, more than one of them has experienced a breach incident within the last few years. That means the hacker not only got one password, he or she got all of the passwords stored with the service. While these companies are making efforts to strengthen security, that risk still exists. Just keep that in mind if deciding to go with one of these services.
– Turn on multi-factor (or two-factor/2FA) authentication for all accounts that provide that option. Many email providers do now, as do financial organizations, social media, and several other companies. This will prevent a hacker from using your password alone to get access to your account. They will also need some additional form of authentication, such as a randomly generated one-time use code that is sent via text.

This particular scheme is strictly a scam, and it is highly unlikely the senders actually have video of anyone doing anything, let alone anything that could back up a blackmail threat. However, some recipients of the email actually have fallen for it. Bleeping Computer reported that some of these scammers made more than $50,000, based on an analysis of Bitcoin wallets.

Stickley on Security
August 10, 2018

Are Store Cards Worth It?

“Would you like to open an account with us today? You will get 15% off on your purchases!”

When you are standing at the cash register at a chain store, it is almost inevitable that the salesperson will make a pitch for you to sign up for a store card. It is easy to be tempted by the discount, but a store card is not a coupon. Before you get one, it is a good idea to consider the following factors:

What are the benefits?

Beyond the same-day discount, what are the perks you get for having the store card? Points that can be used for purchases? Coupons? Future discounts for using the card? If the cashier cannot tell you what the perks are, you can probably find some information about the card online. Also, consider what discounts are offered to regular customers. If you can get extra coupons by signing up for the email list, it may not be worth it to get the store card.

What is the interest rate?

One of the downfalls of store cards is that the interest rate tends to be higher than for regular credit cards—20% or higher is common. The interest rate is irrelevant if you pay off your balance in full each month, but if you frequently carry a balance, the interest that you have to pay could very well exceed any discounts you get. Also, be careful with cards that offer you a 0% interest rate on a large purchase. You are typically required to pay off the balance completely within a specific time period, and if you fail to do so, you will retroactively be charged interest on the whole purchase.

How often do you go to the store?

True store cards can only be used at that company’s stores. (This is different from co-branded credit cards, which can be used anywhere and provide rewards from the company sponsoring the card.) It does not make sense to get a card from a store you only shop at once a year. On the other hand, if you go to the store all the time and have difficulty controlling your spending there, getting a store card may only add fuel to the fire.

How good is your credit?

Generally speaking, store cards have many downsides compared to credit cards, such as higher interest rates, lower credit limits, and limited places where they can be used. However, because it is typically easier to get approved for a store card than a credit card, it can be a good option for those trying to establish or reestablish their credit.

How many cards do you have currently?

If you already have a significant number of credit or store cards, it may be best to pass on another one. Having ten cards means you have to remember ten different due dates. Also, applying for credit frequently can lower your credit score.

Revised January 2016

Is Credit Monitoring Enough to Keep Your Identity Safe?

Identity theft can be a time-consuming and costly hassle, but there are measures you can take to protect your personal information and avoid the headache. One tool that can help is credit monitoring. But what exactly does credit monitoring do? And more importantly, is it enough to keep you safe?

What is credit monitoring? There are three primary national consumer credit bureaus, and you may have a credit report with more than one. Although the reports are often similar, they’re not necessarily identical because some financial institutions only report data to one or two of the bureaus, and some don’t report data to any of them.

At their simplest, credit monitoring services will look for potentially suspicious changes in your credit reports based on your prior activity and send you an alert if they detect an issue. These could include a new hard inquiry (when you apply for credit and a creditor checks your report) or a new account. Either could be an indication that someone is using your information to fraudulently open financial accounts.

They may also alert you to new public records, such as a bankruptcy, and to changes to the personal information section, such as a new name or address on your report.

Credit monitoring services can range in price and function. You can find the basic monitoring and alert services for free. However, they may only monitor one or two of your credit reports, so you could have to sign up for several to get full coverage.

Services that have a monthly or annual subscription fee may monitor your credit reports from all three bureaus. More robust identity monitoring services include additional features, such as fraud resolution assistance, reimbursements for lost funds or expenses related to identity theft and scanning the internet for your personal information. They may alert you if your info is used to open financial accounts that aren’t generally on the major three consumer credit reports, such as a bank account or payday loan.

An alert may be too late, but it can still be helpful. Credit monitoring services are reactive by nature. If you’re alerted that someone has tried to use (or successfully used) your personal information, then in a sense it’s too late – you’re already a victim of identity theft.

However, being able to react right away can help limit the damage because you can contact the companies to have the fraudulent accounts shut down. Additionally, there are steps you can take to help minimize your risk of identity theft.

Ways to protect yourself before something happens. Unless you decide to live off the financial grid, you may not be able to completely protect yourself from large data breaches. But here are a few things you can do to help keep your personal information secure:

  • Don’t carry your Social Security card in your wallet, and only carry other documents with sensitive information (such as a Medicare card) when you know you’ll need them.
  • Generally, don’t share your personal information if you receive an incoming call, even if the person claims to be from your bank or a government agency. Instead, tell the caller you will call them back and use the entity’s actual number (which can usually be found on a bill, statement of account or website) to do so.
  • Learn how to safely and properly dispose of computers, mobile phones and other electronics that may have your personal information on them.
  • Place fraud alerts or credit freezes on your reports to make it more difficult for someone else to open an account in your name.
  • Before throwing it out, shred or cut up material that has personal information, including old bank statements, credit cards and insurance forms.
  • Install antivirus software on your computer and keep it up to date.
  • Avoid logging into financial accounts while using public Wi-Fi networks, including those at cafes or airports.
  • Set and regularly update your password for your phone and computer.
  • Use different, long passwords for your online accounts.

The Federal Trade Commission also has helpful articles and resources that you can explore to learn more about identity theft prevention and recovery.

Bottom line: At a minimum, having some form of free credit monitoring or making a practice of regularly checking your credit reports for suspicious changes could help you avoid major problems down the road. If you’re concerned about identity theft, taking steps to secure your personal information and paying for a service that includes resolution assistance and reimbursements could be a good idea.

by Hugh Norton
August 3, 2018

PayPal Phishing Scams Gaining Sophistication

PayPal phishing schemes are fairly common these days. Many, or even most, of them are generic in nature. In other words, they don’t target a specific person or group. They are merely crafted in such a way that they can be sent to a large number of people at one time as spam. However, sometimes they arrive as if they could actually be from PayPal and are specific or somehow related to the recipient. This is called spear-phishing, because the attacker has some information with which he can aim at his target specifically. This tactic is more likely to result in success for the phisher.

Spear-phishing campaigns are on the increase and the use of PayPal as the bait is increasing in sophistication with each new campaign. Cisco researchers have found several versions of imposter PayPal web sites that are so well done, they can trick even the most phishing-savvy person into falling for the scams behind them.

What makes it even more problematic is that these phony websites are actually legitimately registered, sometimes even with actual security certificates attached. Many, such as one of the primary ones used ––, are registered through a site called Wix. Many of the other fake ones are listed here:

– helpcenter-paypal-rosolution[.]pepitoheyashi[.]ga
– paiiypal[.]com
– paypal-secure-account-information[.]reikitrainingjourney[.]com
– paypal[.]com[.]user[.]accounts[.]lwproductions[.]net
– paypalupdate[.]uploadppl[.]com
– update[.]paypal[.]com[.]kgreendesigns[.]co[.]za
– www[.]paypal[.]com-webapps-cgi-bin-webscr-login-access[.]com

Unfortunately, the fake sites use the color schemes, text styles, and images from the actual PayPal site, making them nearly impossible to detect. Some have also registered with very popular and legitimate hosts, such as CyrusOne LLC, which also hosts CarFax and Dell. However, there are some ways to tell if one is trying to trick you:

– Check the website name in the address bar. It should be “” and have the “https” in front, as well as the secured site text and lock icon. If you’re using the U.S. site, it may even display as “”, and the “us” changes to the country code for the site you’re using. For the German site, the “us” in that URL is replaced with “de,” for example.

– Check for the little country flag in the lower corner of the site. As of time of writing, it’s in the lower right corner as you scroll down the site. If the site is in the U.S., that flag will be the U.S. flag.

– If you see anything prior to the “.com” other than the word “paypal,” or anything prior to the word “paypal,” it is likely fake. In other words, the only thing that should be between the dots is the word “paypal,” followed immediately by the “.com.”

– The green text, the lock, and the “https” are all positive, though not always definitive indicators of the legitimate site.
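The address-bar rule in the checklist above can be stated precisely enough to check by code: the host name must be exactly paypal.com or end in “.paypal.com” (such as www.paypal.com), and the page must be served over https. The following is an added example, not code from the article or from PayPal; it runs that rule over the article’s own defanged domain list. The refang helper and function names are ours, and the www.paypal.com address is assumed from the article’s description of the real site.

```python
"""Address-bar check from the article's checklist, applied by code.

Added example; the helper names are ours. The host list is the article's
own, written in the usual defanged form ([.] in place of .) so that none of
the entries is a live link.
"""

from urllib.parse import urlparse

# Suspect hosts named in the article (defanged).
SUSPECT_HOSTS = [
    "helpcenter-paypal-rosolution[.]pepitoheyashi[.]ga",
    "paiiypal[.]com",
    "paypal-secure-account-information[.]reikitrainingjourney[.]com",
    "paypal[.]com[.]user[.]accounts[.]lwproductions[.]net",
    "paypalupdate[.]uploadppl[.]com",
    "update[.]paypal[.]com[.]kgreendesigns[.]co[.]za",
    "www[.]paypal[.]com-webapps-cgi-bin-webscr-login-access[.]com",
]

LEGIT_DOMAIN = "paypal.com"


def refang(host: str) -> str:
    """Turn a defanged host ('paypal[.]com') back into a real one for parsing."""
    return host.replace("[.]", ".")


def looks_like_paypal(url: str) -> bool:
    """Apply the checklist rule: https, and a host that is paypal.com itself
    or ends in '.paypal.com'.

    The comparison is on the parsed host, not on the raw string, so the
    tricks in the list above all fail: 'paypal.com.lwproductions.net' ends
    in the wrong domain, 'paypal.com-webapps-...-access.com' has the real
    name only as a prefix of a longer label, and a user-info trick such as
    'https://www.paypal.com@other.example/' parses to the host after the @.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def triage(hosts):
    """Classify each (defanged) host as the checklist would, assuming https."""
    return {h: looks_like_paypal("https://" + refang(h) + "/") for h in hosts}


if __name__ == "__main__":
    for host, ok in triage(SUSPECT_HOSTS).items():
        print(f"{'ok     ' if ok else 'SUSPECT'} {host}")
    print(looks_like_paypal("https://www.paypal.com/us/signin"))  # True
    print(looks_like_paypal("http://www.paypal.com/us/signin"))   # False: no https
```

Note that the https part of the rule is necessary but not sufficient, as the checklist itself says: the suspect hosts are all checked here as if they had valid certificates, and every one of them still fails on the host-name test alone.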

Some of these phishing sites actually try to get users to enter credentials other than the ones for PayPal. A common one attempts to spoof an Apple credential verification page. However, Apple and PayPal are not related, so an Apple login page should not show up.

Another site uses Spanish language but targets English speakers. If the text is in another language, those behind it are most definitely up to no good.

It’s likely more of these sites, and ones impersonating other well-known companies, will be popping up in the future. If you need to verify credentials or check something in any online account, go directly to a bookmarked link or type in the address manually, being careful not to make typos. Then log in there to do your sanity checks or to make changes. Don’t click on links in email messages to do this, even if you think they may be real. It’s just safer not to.

Stickley on Security
Published July 29, 2018

Misconfigured LifeLock Database May Lead To Targeted Phishing

Some days you win and some days you lose. One particular day this July, the identity theft protection company, LifeLock lost…big. A researcher found that a misconfigured server allowed him to download email addresses of LifeLock customers. He only accessed a small number of them, but that was enough for him and others to realize that this server was a problem. If a cybercriminal found the same issue, the entire customer base of LifeLock is at risk of receiving targeted phishing emails.

As reported by Brian Krebs and Krebs on Security, the researcher received an email to an address he’d used when he was a LifeLock member. When he clicked the “unsubscribe” link in the email, it took him to a page with a peculiar URL. That email very well could have been a phishing email in another scenario and he wouldn’t even have had a second thought about clicking it. That’s the real danger of this situation.

In that URL was his specific customer ID number. With a little bit of poking around, he found that those numbers are sequential, and he was able to pull the email addresses that were linked to those ID numbers. After retrieving 70 of them, he stopped and reported it to Krebs.
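What the researcher found is a textbook case of a guessable identifier doing the work an authorization check should do. The following is an added example, not LifeLock’s or Symantec’s code: it contrasts a lookup keyed on a bare sequential ID with the usual fix, an unsubscribe token that binds the ID to an HMAC under a server-side key, so that a link with the number changed no longer resolves to anyone. The customer records, key and function names are all constructed for the illustration.

```python
"""Sequential IDs in an unsubscribe link versus a MAC-bound token.

Added example with constructed data; nothing here is the vendor's code.
"""

import base64
import hashlib
import hmac
import secrets

# Constructed sample mailing-list records (not real addresses).
CUSTOMERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Server-side secret; in a real deployment it comes from a secret store.
SERVER_KEY = secrets.token_bytes(32)
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def lookup_by_sequential_id(customer_id: int):
    """The weak design described in the article: the link carries the bare
    ID, so any integer resolves and neighbouring values reveal neighbours."""
    return CUSTOMERS.get(customer_id)


def make_unsubscribe_token(customer_id: int, key: bytes = SERVER_KEY) -> str:
    """Token = base64url(id || HMAC-SHA256(key, id)), padding stripped.
    The MAC has a fixed length, so no separator is needed on decode."""
    id_bytes = str(customer_id).encode()
    mac = hmac.new(key, id_bytes, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(id_bytes + mac).decode().rstrip("=")


def lookup_by_token(token: str, key: bytes = SERVER_KEY):
    """Resolve a token to an address only if its MAC verifies under the
    server key. An altered ID, a MAC copied from another token, or a token
    minted without the key all return None, so walking the ID space yields
    nothing."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    id_bytes, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, id_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return CUSTOMERS.get(int(id_bytes))
    except ValueError:
        return None


def token_with_id_replaced(token: str, new_id: int) -> str:
    """Test helper: keep a token's MAC but swap in another ID, to confirm
    the verifier rejects it. This is the sequential-ID edit the article
    describes, applied to the hardened link."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    mac = raw[-MAC_LEN:]
    return base64.urlsafe_b64encode(str(new_id).encode() + mac).decode().rstrip("=")


if __name__ == "__main__":
    print(lookup_by_sequential_id(1002))                  # bob@example.com: any ID works
    tok = make_unsubscribe_token(1001)
    print(lookup_by_token(tok))                           # alice@example.com
    print(lookup_by_token(token_with_id_replaced(tok, 1002)))  # None
```

The same idea applies to any link that acts on an account without a login (password reset, email confirmation, one-click unsubscribe): the identifier in the URL must be unguessable or cryptographically bound to the account, and the page that handles it must verify that binding before touching any record.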

LifeLock subscribers, current and former, should be on alert for phishing email messages, SMS messages, and all other types of phishing that may trick them into clicking links or attachments. With just the two pieces of information retrieved in this case—email addresses and the fact that they are LifeLock subscribers—a scammer can do a lot of damage. Instead of clicking on any links, especially those that are asking for sensitive information, go directly into your account using a trusted link. There are typically unsubscribe options in there as well as ways to modify other account details. There’s no need to click a link from an email or text message to do this.

Symantec immediately took the page down when Krebs contacted them. He was subsequently told that the issue was due to a third-party managed page that was misconfigured. That may be true, but it was obviously not handled with care. Third parties can be great partners, but it’s up to the company whose data they’re managing to stay on top of them and ensure their customer data isn’t being accidentally exposed. This is true no matter what the business does. In this case, it’s not only worrisome; it’s also embarrassing for Symantec. Business owners and managers…don’t let it happen to you.

Stickley on Security
Published August 2, 2018