Hackers Using Your Stolen Credentials Against You in Latest Attack

You might be wondering what happens when all those millions of credentials are stolen and sold on the dark web. You might be one of the 117 million LinkedIn users who were victims recently. Cybercriminals are using the information in various ways. One of them is posing as legitimate colleagues in phishing emails.

In some cases, they send a message with the subject line of “unpaid invoice” or something similar. Inside is a Microsoft Word document that includes common malware like the PandaBanker Trojan that will infect your computer and steal your online banking credentials.

To avoid this, watch for some red flags that the message is indeed phishing:

  • Unexpected attachments or links included in the message.
  • A supposed invoice is included.
  • A dialogue appears asking you to enable macros.
  • Information from your LinkedIn or other social media or networking profile is included in the message.

Be cautious about the information you post on social media or professional networking sites. This information is often used for targeted phishing attacks (spear-phishing), and these are so well done in many cases that if you are not paying attention, you could fall victim. Beware of popup or warning fatigue. This happens when a user is inundated with dialogue messages while browsing the web. The hackers count on this happening and will put malware behind those buttons. If you click the wrong one, you may lose a lot more than patience, especially if the malware is PandaBanker or others like it.

In addition, never enable macros unless you are 100% certain that it is necessary or that you created them yourself or someone you know created them. Macro malware is on the rise these days and has been seen in a lot of the newly created versions of older malware such as Dridex, which is found in 15,000 messages per day and is responsible for an estimated $15 million in corporate account takeover losses alone.
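As an added illustration (this code is not from the original article), the following Python checks an incoming message for the red flags listed above: an invoice-style subject line, an unexpected attachment, and a Word document that actually carries VBA macros. It relies on the fact that Office Open XML files are ZIP archives in which macro code is stored as a vbaProject.bin part, so the content check does not depend on the file extension the sender chose. The sample documents are constructed in memory and the lure keyword list is an assumption.

```python
import io
import zipfile

# Office Open XML documents (.docx, .docm, .xlsx, ...) are ZIP containers.
# Macro code lives in a vbaProject.bin part; a document without one carries no VBA.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

# Subject-line lures of the kind the article describes (constructed list, an assumption).
LURE_SUBJECTS = ("invoice", "payment due", "overdue")


def build_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-style archive in memory (sample data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


def has_vba_macros(data: bytes) -> bool:
    """True if the bytes are a ZIP container holding a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return bool(VBA_PARTS & set(zf.namelist()))
    except zipfile.BadZipFile:
        return False  # not an OOXML container (legacy .doc, PDF, ...)


def triage(subject: str, attachments: dict) -> list:
    """Return the red flags found in a message. attachments maps file name -> bytes."""
    flags = []
    if any(keyword in subject.lower() for keyword in LURE_SUBJECTS):
        flags.append("invoice-style lure in subject")
    for name, data in attachments.items():
        flags.append(f"attachment present: {name}")
        if name.lower().endswith((".docm", ".xlsm", ".pptm")):
            flags.append(f"macro-enabled extension: {name}")
        if has_vba_macros(data):
            flags.append(f"VBA project inside: {name}")
    return flags


if __name__ == "__main__":
    sample = {"invoice.docx": build_docx(with_macros=True)}
    for flag in triage("Unpaid invoice #4471", sample):
        print(flag)
```

The interesting case is the last one in the demo: the attachment has a harmless-looking .docx extension but still contains a VBA project, which is exactly why the extension alone is not a safe signal and why the article's advice is to leave macros disabled unless you know where the document came from.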

© Copyright 2016 Stickley on Security

Scam Tries to Ruin Your Night Out


Lifehouse performing live at the San Diego County Fair on July 1, 2010. Photo taken at the Del Mar Fairgrounds.

If you have ever tried to buy concert tickets, you know it can sometimes be very difficult. They sell out quickly. But there is always a way to get there, if you really want to go. Concertgoers and fans of other live entertainment will turn to resellers for those tickets if necessary; and scammers know it. Recently, one unlucky theater fan found out that Craigslist might not be the best place to buy tickets to a popular sold-out Broadway show. She paid $350 for tickets to see the show, but when she arrived at the door months later, she found out her tickets were counterfeit.

The best way to avoid being scammed in this way is to always buy tickets from a reputable and well-known service that specializes in selling entertainment tickets. Sites like this have better fraud prevention measures and most of them do allow transfer of tickets. If possible, skip the online purchase and go to the venue directly and get your tickets at the box office.

If the online seller asks you to do a wire transfer or pay with gift cards, move to the next one. That’s a red flag that it may be a scam.

Scammers are getting better and better at making fake tickets look authentic and sometimes it is impossible to tell until you get to the venue and they turn you away. And in some cases, the scammers try a different approach from selling them for what you may feel is highway robbery; they buy a bunch of real tickets, post them for sale at bargain prices, then cancel the transaction or re-transfer them after they receive money. This allows them to either get their tickets paid for or rip off multiple people using the same tickets.

Now, go put on that favorite concert t-shirt, grab those legitimate tickets, and head out the door. When you get to the venue, you will be able to scream for your favorite act rather than run to the hills back home.

© Copyright 2016 Stickley on Security

Flaws in Samsung Smart Home Let Criminals Walk Right Through Your Front Door

Samsung is in the news again, but this time it isn’t with their smart TVs. Security researchers at the University of Michigan found several issues with the Samsung Smart Home automation system. One of them includes allowing a hacker to essentially make keys and walk right in through the front door of your home.

Specifically, the vulnerabilities are in the SmartApps that are used to control the automation system. Two intrinsic design flaws may give someone extended privileges in the apps, and the SmartThings event subsystem doesn’t protect sensitive information passed through it, such as lock codes. Several proof-of-concept attacks were performed, and the most dangerous one, called the “backdoor pin code injection attack,” is essentially remote lock picking. It captured the unlock PIN and sent it to attackers via text.

It all started with a link sent to a user that brought them to the actual SmartThings login page. After the user entered the user name and password, the flaw in the app allowed the link to redirect the real credentials to an attacker-controlled address. That gave the attackers the same access as the homeowner.

As so often happens, phishing is how the attack began. So always avoid clicking on links and attachments in email messages, regardless of who it appears sent it. Instead, use a previously bookmarked link or type in the web address manually. It is very easy for a hacker to make an email look like it came from a legitimate source, so always be 100% certain it is safe before clicking. It really is better to get into the habit of typing addresses in separately or using bookmarks.

Samsung has not indicated any timeframe for fixing the issues found by the researchers or if they will be providing a patch at all. Therefore, if you already have this system installed, consider disconnecting critical components such as the door locking capabilities or putting the system into vacation mode. One of the attacks resulted in the researchers disabling that mode.

Although Samsung has put the blame on third-party developers and those clicking the malicious links, at some point it may indeed issue a patch for this. If and when it does, make sure you apply it right away. The same goes for any security or critical updates or patches issued for products that have control capabilities via the Internet. Other examples are for comfort control systems, smart TVs and digital recording systems such as Tivo, solar system monitoring apps, and a whole host of others that are on your home network. All of these are entry points into your home and should be kept updated at all times.

Other results of the proof-of-concept attacks included the ability to secretly plant door lock codes and trigger fake fire alarms. The exploits are not limited to any particular model. In the report, the authors noted that “55% of SmartApps in the store are overprivileged due to the capabilities being too coarse-grained. Moreover, once installed, a SmartApp is granted full access to a device even if it specifies needing only limited access to the device.” Forty-two percent of the 499 apps tested granted access that was not requested.
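To make the overprivilege finding concrete, here is an added Python model (not code from the article or from SmartThings) of the two grant styles the researchers contrast: a coarse grant that hands an app every command in a device capability, and a fine-grained grant limited to the commands the app declared. Capability and command names are illustrative assumptions; the point is the policy enforcement at the call site and the ability to measure how many apps hold more than they asked for.

```python
# Constructed model of capability-based access control for home-automation apps.
# Capability and command names are assumptions, not the SmartThings API.

# A coarse-grained capability bundles every command for a device type, so an app that
# needs only "lock" is handed "unlock" and "setCode" as well.
CAPABILITIES = {
    "lock": {"lock", "unlock", "setCode", "deleteCode"},
    "switch": {"on", "off"},
}


class Device:
    def __init__(self, name):
        self.name = name
        self.log = []  # commands actually executed, kept for auditing

    def run(self, command):
        self.log.append(command)
        return f"{self.name}:{command}"


class AppGrant:
    """Binds an app to a device with either the coarse grant (whole capability)
    or a fine-grained grant (only the commands the app declared it needs)."""

    def __init__(self, app_name, device, requested, fine_grained):
        self.app_name = app_name
        self.device = device
        self.requested = set(requested)
        if fine_grained:
            self.allowed = set(self.requested)
        else:
            self.allowed = set()
            for commands in CAPABILITIES.values():
                if self.requested & commands:
                    self.allowed |= commands  # whole capability, not just what was asked for

    def overprivilege(self):
        """Commands the app can call but never declared a need for."""
        return self.allowed - self.requested

    def can_call(self, command):
        return command in self.allowed

    def call(self, command):
        """Policy enforcement point: refuse anything outside the grant."""
        if not self.can_call(command):
            raise PermissionError(f"{self.app_name} may not call {command} on {self.device.name}")
        return self.device.run(command)


def overprivileged_fraction(grants):
    """Share of apps holding at least one command they did not request
    (the kind of figure the researchers reported as 55%)."""
    if not grants:
        return 0.0
    return sum(1 for g in grants if g.overprivilege()) / len(grants)


if __name__ == "__main__":
    door = Device("front-door")
    coarse = AppGrant("auto-lock", door, {"lock"}, fine_grained=False)
    fine = AppGrant("auto-lock", door, {"lock"}, fine_grained=True)
    print("coarse grant excess:", sorted(coarse.overprivilege()))
    print("fine grant excess:", sorted(fine.overprivilege()))
    print("fine grant may setCode:", fine.can_call("setCode"))
```

Under the coarse grant an auto-lock app that only ever needs to lock the door can also change the lock codes, which is the capability the backdoor PIN attack abused; under the fine-grained grant the same call is refused and logged, with no change to the app itself.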

Samsung has stated that the issues “would not ever impact our customers because of the certification and code review processes SmartThings has in place to ensure malicious SmartApps are not approved for publication.” However, it also has put in place additional security review requirements for any SmartApps.

© Copyright 2016 Stickley on Security

127 Embarrassing Characters Coming to Your Twitter Feed Soon


It’s happened again. Another social media site is in the news being accused of a network breach. The user names and passwords of well over 32 million Twitter users have been found for sale on the dark web, as happened to LinkedIn and MySpace users recently. Some analysts confirmed they were Twitter account credentials. It is uncertain how the information was obtained, but both malware and password reuse are being blamed. Twitter is confident that there has not been a breach of its network.

Be sure to never use the same log on credentials for multiple sites. It’s just a bad idea all around. The reason the credentials get sold is not necessarily that someone wants to mess with your Twitter account, but that so many people use the same password for multiple sites that hackers are very often successful at getting into financial accounts with them.

It can be complicated with so many of them that we have to remember, but it is really to your benefit to do it.

Jim Stickley of Stickley on Security recommends creating a single “default” password and adding to it for each site, using the name of the site. For example, if your base password is “PASSWORD” and you are going to Yahoo!, your password for that site could become “PASYSWORD” by inserting the first letter of the site into the same spot in your default password. In this case, it’s in the fourth position. However, you could use two of the letters to bookend it as well, such as “YPASSWORDO.”

Stickley is sure to emphasize that “PASSWORD” would be a terrible default password, but it’s merely an example.

If you have to write your passwords down, make sure to keep that list in a separate location from your computer. Either put a paper list in a secured cabinet or drawer or a digital list on a removable drive of some type. If someone does manage to get access to your computer, they could find that file and have access to all of your online accounts as well.

Since Twitter says it has not had a breach, the theory is that malware obtained the passwords from users’ browsers. Browsers offer an option to remember passwords when you type them in. It is suspected that malware somehow made it onto the users’ systems and harvested those saved passwords from the browsers. However, this has not been confirmed as the cause either.

In any case, Stickley believes saving passwords in the browser is a bad idea and he does not recommend it. Instead, just take the few extra seconds to retype the password into the site each time. It could save you a big headache later and it certainly lowers your risk of becoming a victim and having something embarrassing tweeted to all your followers.

© Copyright 2016 Stickley on Security

Typosquatters Take Advantage of Simple Mistakes to Download Malware

Simple mistakes really can harm you and typosquatting is one way hackers take advantage of people’s typographical mistakes. Also referred to as domain jacking (or do-jacking), this type of hack is when the cyber criminals intentionally register web domains that are slightly different from something that is well-known and likely to be mistyped at some point. For example, instead of “bank,” the registered site might be bnak in hopes that someone will be in a hurry and mistype the domain when going to their bank’s online site.

These are not the only typosquatting methods used. The site can also be .cm or .om instead of .com. Other prominent examples are twtter or appl, and this trick is often employed when phishing email messages are sent out.

Education is critical to avoiding this. Jim Stickley of Stickley on Security says that if your customers are not educated on security, you may be accepting additional and unnecessary risk. The more they are educated, the less likely they will fall victim and that helps everyone.

Recently, it was found that the .om versions of several popular websites, such as Netflix and Citibank, were registered in Oman. While sometimes these may be legitimate sites for those companies, they were not in this case. These were intended specifically to install adware malware onto users’ computers. These do-jacked websites would redirect multiple times before displaying an Adobe Flash update dialogue. If the announcement was accepted, malware was installed that advertised software that generated revenue for its author.
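The three typo patterns the article names (swapped letters such as bnak, dropped letters such as twtter and appl, and a .com typed as .cm or .om) are easy to check for mechanically. The following Python is an added example, not code from the article, that flags hostnames in a message which are one such typo away from a protected brand. The brand list is built from the names mentioned above and the sample message is constructed; both are assumptions.

```python
import re

# Brands to watch for, taken from the names the article mentions (constructed list).
PROTECTED_BRANDS = ("bank", "twitter", "apple", "netflix", "citibank")

# Top-level domains one dropped keystroke away from .com (the article's .cm and .om).
NEAR_COM_TLDS = {"cm", "om", "co"}


def adjacent_transpositions(word):
    """All strings made by swapping two neighbouring letters (bank -> abnk, bnak, bakn)."""
    return {word[:i] + word[i + 1] + word[i] + word[i + 2:] for i in range(len(word) - 1)} - {word}


def single_omissions(word):
    """All strings made by dropping one letter (twitter -> twtter, apple -> appl)."""
    return {word[:i] + word[i + 1:] for i in range(len(word))}


def classify_host(host):
    """Return (verdict, brand); verdict is legitimate, tld-swap, transposition,
    omission or unrelated."""
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    label, _, tld = host.rpartition(".")
    label = label.split(".")[-1]  # registrable label only: login.apple.com -> apple
    for brand in PROTECTED_BRANDS:
        if label == brand:
            if tld == "com":
                return ("legitimate", brand)
            if tld in NEAR_COM_TLDS:
                return ("tld-swap", brand)
        if label in adjacent_transpositions(brand):
            return ("transposition", brand)
        if label in single_omissions(brand):
            return ("omission", brand)
    return ("unrelated", None)


def suspicious_links(text):
    """Extract http(s) hosts from a message body and return the lookalikes as
    (host, verdict, brand) tuples."""
    hits = []
    for host in re.findall(r"""https?://([^/\s"'<>]+)""", text):
        verdict, brand = classify_host(host)
        if verdict not in ("legitimate", "unrelated"):
            hits.append((host, verdict, brand))
    return hits


# Constructed sample phishing text, not a real message.
SAMPLE_MESSAGE = """Your statement is ready at http://www.citibank.om/login .
Reset your account at https://twtter.com/reset or visit https://www.apple.com/."""


if __name__ == "__main__":
    for host, verdict, brand in suspicious_links(SAMPLE_MESSAGE):
        print(f"{host}: {verdict} of {brand}")
```

This covers only single-edit lookalikes of a short brand list. Production tooling (dnstwist is a well-known example) generates many more permutations, including homoglyphs, and defenders often register the likely variants of their own domains outright so that a mistyped address lands on the real site rather than on a squatter.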

If you see a dialogue pop up on your computer, don’t simply click something to get the message to go away. Make sure to read it and choose the desired answer. Don’t fall victim to popup or warning notice fatigue. Hackers are counting on this and will take advantage at every opportunity.

While you’re at it, if you need to update software on your system, use the update feature of the software or go to the developer’s website directly. Dialogue boxes are often used to download malware.

© Copyright 2016 Stickley on Security

Is Social Media Scamming You? Five Popular Scams and How to Avoid Them

Cyber criminals will use whatever they can think of to try to get your online banking credentials or other information they can sell on the dark web. Here are five ways they use social media to do it and how you can avoid giving up your information, in no particular order.

  1. They use the comments to news articles and popular posts on Facebook by adding their own posts with a conveniently clickable link included. Those who click the link may be taken to fake websites or presented with a form into which the user is supposed to enter information. Often the links are accompanied by catchy headlines (click bait).
  2. They create fake customer service accounts on Twitter, Facebook, LinkedIn, or other social media that pretend to help customers. For example, they may see a Twitter user complaining about not being able to reach a representative. They reply to that user with a post that includes a link to another site where the user is led to believe he or she will get assistance. Unfortunately, the link really is phony and asks for login credentials and/or other sensitive information.
  3. They create social media accounts using names that sound like legitimate companies, such as Netflix and offer discounts. When users click links included in these, they are asked for account information or other details that can be sold.
  4. They use fake online surveys and polls to trick users into inputting information that can be later sold or used for fraud. An example is setting up a realistic news story and asking what users think. A link is included, naturally, but it goes to a fake site where personal information is requested. Often the “surveys” promise a chance to win a fabulous prize.
  5. They pretend to offer live streaming of big events, such as the Olympics or other popular sporting events. Often they attach a link to a posted story about the event that is on Facebook. However, when the included links are clicked, a request for personal information appears claiming the video cannot play until they are entered.

Avoid these scams by not clicking links or putting information into any form that appears as a result of clicking links. If you need to reach your financial institution or other organization for any kind of support, contact them directly using information from their website that you have previously bookmarked. Alternately, type the name of the site into the browser manually.

View any comment posted in social media that claims to help you or offer you something sensational with suspicion. If you want to stream an event, go to the website of a well-known and trusted source to get there, such as the major sports broadcasting companies, media outlets, or television networks.

Use apps that are downloaded from the official app stores for your devices. These are typically put under additional scrutiny for security before being allowed into the app stores. Sideloading (downloading apps from places other than the app stores) is not recommended because it introduces additional risk of executing malware on your devices.

As always, make sure all internet-connected devices have anti-malware installed and it is kept updated. Also, keep all your software and operating systems updated with the latest critical and security patches. While these actions don’t guarantee malware won’t be installed or a vulnerability won’t be exploited, they reduce your risk significantly and it’s worth the relatively small effort versus dealing with malware.

© Copyright 2016 Stickley on Security