Early Bird Holiday Shoppers Targeted with Fake Apps in Apple Store

Online shopping concept nackground. Mobile phone or smartphone with cart and boxes and bag. 3d

Each year it seems that the holiday shopping season starts earlier and earlier. As soon as the jack-o-lanterns and super hero costumes are put away, the wreaths and sparkly lights seem to appear, as if by the flick of a magic wand. Unfortunately, the fraudsters are at it earlier and earlier too and hundreds of phony shopping apps have been spotted in Apple’s App Store for those in the holiday spirit already to get duped right at the start of the season.

Phony shops such as Dollar Tree, Dillard’s, Nordstrom, Zappos, and Footlocker as well as designer name brand shops such as Jimmy Choo and Christian Dior have been found in the app store without being caught by Apple’s review process.

Always use caution when downloading apps, even from the app store. As more and more apps apply to get into the various stores, it is more difficult for the companies to review and approve all of them. The Apple App Store has over 2 million apps already. That puts more pressure on the consumer to do research and make sure the apps are the real ones. Read the reviews to see what others are saying and if they aren’t so good, perhaps it’s best to skip it. In addition, if there are no or very few reviews, particularly for a large department store, second-guess it. While being an early adopter has its perks for a lot of things, in this case patience is a virtue. Wait a few weeks before trying again. If results are the same, it’s probably one of the fake ones.

Many of the fake apps seem to come from Chinese developers who are paid to write the apps in English. One had a menu with drastically misspelled English words, such as spelling Friday as “Firday.” Keep an eye out for those types of errors too and if there are any, don’t use the app.

Don’t assume that Android apps are safe. In fact, because of the less restrictive policy for getting apps into the Google Play store, there are similar risks of downloading phony apps there.

The recent apps have largely been found to pop up annoying ads rather than do real damage. However, some of them do ask for payment card information and other personal details. Therefore, if there is any doubt about the app’s legitimacy, don’t download it or delete it if you already have.

While you’re at it, make sure your devices are updated with the latest versions of the operating systems and apps, and confirm that anti-malware is installed on them and is updated too. As mobile becomes a preferred way to shop, it’s more likely that malicious apps that do harm will show up.

© Copyright 2016 Stickley on Security

Has Your Data Been Accessed? Yes It Has

Image Graphic Signpost with Data Loss Prevention wording

If you think you haven’t been the victim of a data breach, you are probably wrong. In fact, some experts think that more identities of those in the United States have been compromised than have not. It’s at the point that cyber criminals now may know more about us than companies with which we do business. In addition, Symantec reported that in 2015, additional tens of millions of personal records were stolen by or exposed to cyber criminals that were not reported. This is an 85% increase over the previous year. Security experts find this to be quite a disturbing trend.

Large companies that are targeted will likely be targeted multiple times in 2016. There are a few tips that both individuals and businesses can consider to help lower the risk.

For Individuals:

  • Use strong passwords that are at least eight characters and contain upper and lower case letters, numbers, and special characters. Use a unique password for each online account and change them every three months if possible.
  • Be certain that any links or attachments clicked are safe. Confirm those that are unexpected before taking any action to view them.
  • Use anti-virus and anti-malware software on all devices. Keep it updated at all times. Make sure that all software products are kept up-to-date with the most current security and critical patches and that firmware is updated as well.
  • When deciding on what software or apps to use, do the research on the products. Read the reviews and make sure they are from reputable companies. Don’t be afraid to pay for them and be wary of freebies. Those should be researched even more thoroughly. When downloading apps, use the official app stores for your devices. Sideloading adds additional risk.
  • Limit what information you put on social media or disclose to anyone. The more you share publicly (even if it’s just to your friends, it’s still technically public), the more it may be used against you. This is particularly important on professional networking sites where you list your job title and function. Scammers often use that for business email compromise (BEC) scams.

For Businesses:

  • Implement multi-layer security including firewalls, reputation-based technologies, multi-factor authentication, and strong password policies.
  • Create an incident response plan (IRP). Practice what is included and review it annually and when response team members change or their information changes.
  • Provide ongoing training and education on security practices, procedures, and threat prevention. Make sure to include training on what is sensitive data, how to protect it, and what to do if a compromise occurs. Then make sure to test your users and address weaknesses appropriately.

Attributing to all the data exposure were several large breaches including Anthem (80 million), Premera Blue Cross (11 million), Avid Live Media (37 million) and the OPM breach (21.5 million at last count).

© Copyright 2016 Stickley on Security

Top Five Lines Used to Bait You

Three frustrated young business people in smart casual wear looking at the laptop and expressing negativity

For those working in receiving departments, it’s normal to see email messages regarding package deliveries. In fact, even if you order items off of the Internet to be sent to your home, you may be familiar with the messages letting you know your package is on the way. And if you work in accounting and financial departments at any company, it’s not unusual to see email messages with invoices attached.

The cyber criminals know this occurs often and spear-phishing that targets people working in these departments is incredibly common. According to Proofpoint, fake invoices are by far the most used lure for phishing. The company released a list of the top “lines” used in phishing scams.

1. “Please see your invoice attached” tops the list and accounts for nearly half of all the phishing campaigns that Proofpoint observed. Often a document is attached that executes various malware such as the banking Trojan Dridex or Locky, which is ransomware that will encrypt the information on your computer.

Avoid this by confirming with the sender of the document’s legitimacy first. Either call the sender on the phone or send a new email (as opposed to replying) asking for confirmation before opening the attachment. In addition, ensure regular backups of important information on your computer are completed. This way, if ransomware does strike, the data can be quickly restored and no ransom need be paid as happened to a company that manages hospitals in the Washington DC area as well as Hollywood Presbyterian Medical Center. Even a police department paid for an encryption key.

2. “Click here to open your scanned document” is second on the list and accounts for one in 10 phishing campaigns. While it is perhaps less common to scan documents these days, organizations such as financial institutions often still rely on them as well as the ever-aging fax.

The same rules apply here as for any other document. Don’t open them unless you are expecting them and/or are 100% certain they don’t contain malware.

3. “Your package has shipped – your shipping receipt is attached” comes third and often looks very similar to one you might receive from the various shippers. However, they also may appear to come directly from a vendor. Proofpoint found that these often include automated exploits or will install malware after an “enable content” button is clicked.

Obviously if you did not order from the listed vendor, just put it right in the trash. However, if you did or don’t remember, go into your online shopping or shipper account directly to see the details. No need to open the attachment at all. In addition, make sure your devices are always updated with the latest patches and that anti-malware is installed and kept up-to-date too.

4. “I want to place an order for the attached list” ranks at number four. These are not all that different form the invoice or order confirmation emails, but appeal to those who may benefit from a sale. Again, these rely on the recipient opening an attachment, which will unleash malware.

5. “Please verify this transaction” may appear to be from a financial institution hoping to lure the recipient into thinking a fraudulent transaction occurred.

Instead of opening any attachments or clicking links,go directly into the account associated and verify charges that way. If you accidently do execute some malware on your computer or device, report it to your IT department immediately. The sooner it is reported, the faster it can be corralled and the less damage it can do.

 

© Copyright 2016 Stickley on Security

 

Fashion Divas Are the Latest Data Breach Victims

vera

Fashion divas be aware! Joining Eddie Bauer, the handbag and luggage designer Vera Bradley has informed customers of a data breach of its retail locations that occurred sometime around October 12. Information on the magnetic strips from payment cards was accessed as a result of a malicious program that was installed on its payment processing system.  Specific data that may have been accessed included names, card numbers, verification codes, and expiration dates. In other words, all the data needed to use the card for fraudulent transactions.

The company warned that any fraudulent activity on the cards likely took place between July 25th and September 23rd. Online shoppers were not affected.

Anyone shopping at the retail locations should monitor payment card charges for potentially fraudulent activity. Don’t wait till the statement arrives, if possible. Check it often for at least the next year. Report anything out of place to the card issuer right away. The sooner this happens, the better for both parties.

Card fraud costs financial institutions nearly $2 million each year and the costs to retailers are approaching $600 million. That is not good for the consumer either. So keeping your information safe and identifying fraud early is better for everyone.

The malicious program has since been removed, but the cost to the company may run deeper than only the loss of revenue. According to Reuters, the company has already delayed upgrades to its website until 2017 and it is difficult to put value on loss of customer loyalty.

© Copyright 2016 Stickley on Security

Facebook and Twitter Contain Sneaky Vulnerability Within Links

MALAGA, SPAIN - NOVEMBER 10, 2015: Facebook login page in a laptop computer screen. Man typing on the keyboard. Facebook is the most famous social website all over the world.

There is a sneaky vulnerability in Facebook and Twitter that is difficult to detect and hackers may use it for phishing for your credentials. It is within the URL address that either opens a new window or tab after you click a link in either of the social media sites.

It happens when you click a malicious link that you see in your feed or elsewhere while you are logged into your account. After it opens the window, it logs you out. When you go back to visit your Facebook or Twitter page, you have to log in again. You may think nothing of it, but that is actually when the hackers grab your credentials.

fakepage

Unfortunately, it’s really difficult to know if or when this may be happening. The best advice is just to be 100% sure you want to click that link and that it won’t cause harm to your device.

In addition, make sure you have the anti-phishing features enabled on your browsers and that anti-malware is installed and up to date on all of your devices. There is no guarantee these will stop this attack, but you are certainly in better shape.

The technical details have to do with how the link is written, but suffice it to say that the reason these links are written in such a way is so that the referral information to the new site records from where the link was clicked. For example, if you click an ad on any social media site or browser, there is an indicator in the link that gets sent to the advertiser for reference. Advertisers want this information. It helps them know where their advertising dollars are being best spent.

Facebook has taken steps to help mitigate this, but their action will not eliminate the threat. It just diminishes the probability that a large-scale attack will occur.

Just be sure that whatever you are clicking on at all times is really what you want to do. If you cannot be certain without a doubt that it isn’t harmful, then just don’t go there.

© Copyright 2016 Stickley on Security

Music Lovers “Spotted” Downloading Malware Via Spotify

spotify

Users taking advantage of the free version of the Spotify music service have recently been the targets of those wishing to do harm using malicious advertising. Some users have complained that even when performing no action at all, ads on the site were launching their default web browsers. It is not known at this time what actions the ads do once the new popup is open, but that may just be because no one has figured it out yet.

Malicious ads can do a lot of damage. They can launch attacks such as hijack users’ traffic, install key loggers, or simply inject malware on to the computer; and no one has to click or open anything for these things to happen. That is why making sure your devices are updated with the latest operating system versions and patches is so important. If these attacks are taking advantage of a known issue, having the patches applied will prevent them from hitting you.

In addition, install anti-malware products on all devices that connect to the Internet. This includes all mobile devices. Mobile malware infections are on the rise and because of the increase in use of these to do financial transactions and access accounts that store sensitive information, they are not expected to decline any time soon.

Spotify has taken action and is blocking the suspect ads. If you use the free service and notice a black bar on the web page, that is possibly one such ad. However, because of the ease of getting malware into those ads, Spotify likely has not found them all. So update your computers and devices and make sure your anti-malware products are all updated and running.

This is not the first time Spotify has been in the cyber security news. In 2014, it was the victim of a data breach that the company believed was a “proof of concept” attack intended as a test for a larger attempt. Earlier this year, the company blamed password reuse for strange activity some users were complaining about with their accounts and forced Android users to change passwords. It also isn’t the only music service under attack. Pandora also experienced a security incident, as did spin.com and more recently, Last.fm found data of its customers from 2012 for sale on the Dark Web.

© Copyright 2016 Stickley on Security