Facebook Servers Deliver Malware To Steal Login Credentials

It may be difficult to understand the Facebook Content Delivery Network (CDN) and it isn’t really important that you do. But this is the way some cybercriminals are distributing malware to a large number of unsuspecting Facebook users. The CDN is how the social media site delivers video and photos to its users. In this case, the enterprising thieves are using these servers to deliver banking Trojans to your devices that can and will steal your credentials.

The scam works like this: An email shows up in your inbox that appears to be from local authorities. Included is a link that takes you to a particular CDN. On that CDN resides the malware that executes the banking Trojan.

The concern here is not simply that by using these CDN servers the malware can be delivered to a large number of people quickly; it’s also a matter of trust. It is largely believed among cybersecurity professionals that the perpetrators of this scheme are the very same ones that used Dropbox and Google’s cloud storage in the same way not long ago. All of these companies are trusted within the user communities and if we cannot trust them, then who can we really trust?

The answer eludes us. In fact, since they are trusted, cybersecurity solutions that are supposed to help protect us against attacks such as these recognize their domains as “safe” and won’t see malware on them as a threat. If the criminals used a custom domain to deliver this malware, these products would immediately discover them and block their deliveries. With large companies like these, it’s not so simple to just cut access off when something like this happens.

This is why it’s really up to users to be wise when using the Internet. Keep in mind that public officials typically do not use channels such as email links or social media to deliver information to citizens. So if you receive a link or attachment purportedly from a government official or public servant, it should be questioned. Don’t take any quick action. Instead, try checking their public social media sites or referring to your local news publications, radio stations, and television stations directly to get the information that is supposedly contained in the links.

© Copyright 2017 Stickley on Security
October 11, 2017

Tips To Identify Gift Card Scams

It starts with an email from Amazon and likely ends with “You’ll need an Amazon Gift Card to pay…” You may know what’s coming next. Amazon Gift Cards join iTunes, Walmart, and others whose gift cards are used for all types of email scams. Many unwitting consumers fall prey to expertly faked emails from “legitimate” sources. Fear, among other pressures, is an effective phishing tactic when demanding payment with gift cards. Emergencies involving family and friends and overdue insurance or utility bills are common pretexts. The email claims the crisis will go away immediately if you pay up with an Amazon Gift Card. Others believed they were purchasing a car directly from Amazon (Amazon does not sell cars) and were required to pay with…did you say Amazon Gift Cards?

It’s easy to see the phishing lure, but why would anyone bite? Scammers count on grabbing your heart and money through these emails. Amazon is now added to the list of companies like Nordstrom and CVS being targeted for their gift cards. Amazon posts information on their website alerting consumers to email scams. First and foremost, Amazon wants all consumers to remember: “Amazon.com Gift Cards can only be used on Amazon.com”. Take it to heart, and learn to spot scam emails involving Amazon gift cards.

– Start at the beginning. Verify the link in any email claiming to be directly from Amazon. Hover your mouse over the link until the actual hyperlink address appears. No matter how legitimate the link looks, a mismatch between the sender’s URL and Amazon’s is classic phishing. If it doesn’t match, delete the email immediately.

– Don’t purchase Amazon Gift Cards for payment on anything other than on Amazon.com.

– Be wary of emails claiming to be from Amazon that thank you for your purchase. They may go on to say you’ll receive a $50 gift card for a review of your online purchase. Always type Amazon.com directly into your browser and go to “Your Orders” to verify. If the purchase isn’t there, beware.

– Amazon asks you to consider the logic behind the gift card scam. Anyone pressuring you to pay up with Amazon Gift Cards just doesn’t make sense. Why would the IRS or any other entity that’s not Amazon accept payment with Amazon Gift Cards? Also, Amazon never asks you to verify any account information and payment methods through emails.
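The hover check in the first tip can be automated for a saved email body. This added example (not from Amazon or Stickley on Security) uses Python's standard library to report each link's real host and to flag a `mismatch` when the visible text shows an Amazon address but the link goes elsewhere; the `TRUSTED` value, the verdict names and the `.example` hosts in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = "amazon.com"  # assumption: the brand the email claims to be from

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; also accepts bare text like 'www.amazon.com/x'."""
    url = url if "://" in url else "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_trusted(host):
    # Exact domain or a true subdomain; 'amazon.com.x.example' fails this.
    return host == TRUSTED or host.endswith("." + TRUSTED)

def audit(html):
    """Return (real host, verdict) for each http(s) link in an email body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if urlsplit(href).scheme not in ("http", "https"):
            continue
        real = host_of(href)
        # Treat the visible text as a URL only if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        verdict = ("ok" if is_trusted(real) else
                   "mismatch" if is_trusted(shown) else "not-amazon")
        findings.append((real, verdict))
    return findings

# Constructed sample email body, for illustration only.
SAMPLE = """
<a href="http://amazon.com.prime-review.example/login">https://www.amazon.com/review</a>
<a href="https://www.amazon.com/">Your Orders</a>
<a href="http://amaz0n-rewards.example/claim">Claim your $50 gift card</a>"""
```

An `ok` verdict only confirms that the link's host is on Amazon's domain; it says nothing about what that host serves.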


Amazon Reviewers Gifted $50 In Exchange For Their Prime Credentials

Are you one of the 80 million Amazon Prime members who gets excited for “Prime Day” and subsequently becomes all giddy like a child with a new toy when your purchases arrive in two days? If you are, you may be targeted with a phishing scam that seeks to get your Prime login credentials out of you. This new one asks you to conveniently review your Amazon Prime Day purchases by clicking a link in an email and promises a $50 gift card.

Unfortunately, it’s a phony site and there is no gift card. Instead, the crooks get your login credentials and the site may also download malware to the device. Making it even more confusing, if the link is clicked the site address is similar enough to Amazon’s real one that it’s easy to see how people can be tricked into entering information.

It’s completely fine to review purchases made at any e-retailer. However, if you receive an email asking you to click a link to do so, think twice about it. Instead, go directly into your account, find the purchases and go through the process to review them there. This advice is good to heed for any links received in email asking you to enter login credentials, be it your favorite shopping sites, your healthcare site, or your financial services companies.

If you have clicked a link in an email from Amazon like this one and entered information, go immediately to your account and change your password. Make sure it is at least eight characters, has upper and lower case letters, as well as numbers and special characters.

While you’re at it, if you haven’t already enabled two-step verification for your account, go into the “Login & Security” settings, then to the “Advanced Security Settings” and enable it. This will require another random code that is sent via text to be entered before anyone can access your account.

In addition, you can and should report phishing scams to Amazon at its website.

© Copyright 2017 Stickley on Security
October 2, 2017

Yahoo Revises Number Of Breach Victims Upward To Three Billion

Just because Yahoo became part of Verizon, it doesn’t mean it’s sitting quietly out of the news. This week, the company announced publicly that after additional investigation into the data breach from 2013 (which they announced in December of 2016), all three billion of its users were affected by that incident. It isn’t limited to email users either. Anyone using any Yahoo service was affected in this, including those using the photo sharing service Flickr and fantasy sports players.

The bottom line is that if you didn’t listen to the last warning (that was thought to have affected one billion).

1. Change your password for your Yahoo accounts. That means all of them.

Use a unique password for each online account. If you don’t and they get one of them, they get them all.

Make sure passwords are not easy to guess, such as any word you can find in any dictionary.

Use at least eight characters. Include numbers, special characters, and upper and lower case letters. Vary where you put the numbers and special characters. Don’t always put them in the same spot in your passwords.

2. Also, be on the lookout for additional phishing targeted at you.

Don’t click links or attachments that arrive in email messages or any text messages, particularly if you are not expecting to receive them. Review all email messages for indicators that they are phishing. Watch for typos, incorrect grammar, and poor punctuation.

Be suspicious of requests for personal or confidential information. If you are asked to click something to update your account information, don’t. Go directly to the organization’s website using a previously bookmarked link or by manually, yet carefully, typing the address into your browser.

3. Review your Yahoo accounts for suspicious activity. Check your “sent mail” box and see if your account was used to spam anyone, including those in your contact list. If so, use a different account (if possible) to alert your contacts that they may be receiving malicious email messages from you.

4. Change your security questions and answers for your accounts. Try to choose questions with answers that cannot easily be found on your social media profiles.

5. Enable two-step (or two-factor) or multi-step authentication for your accounts. If you haven’t, do this after you’ve changed your password. You can do this in your account settings.

This additional information was discovered as Yahoo was being merged with AOL, another Verizon company. Yahoo also stressed that it took action to protect accounts back in December. However, your security is up to you. So, regardless of that claim, follow the above and you will be better off all around.


© Copyright 2017 Stickley on Security
October 4, 2017

Facebook Friends Are Duping You With Malvertising

They are at it again, although they never really seem to let up. The cybercriminals are taking advantage of “chatty” users. They are employing social engineering techniques combined with online advertising to make a lot of money. This time the vehicle of choice is Facebook Messenger. To make it an even slicker trick, they are changing what users see based on various factors, such as the operating system or browser being used.

Kaspersky Lab researchers discovered this new malvertising campaign that infects all platforms. The initial infection is via Facebook Messenger, but the researchers are not sure how the users’ information is retrieved in the first place. They suspect it could be from hijacked browsers, via clickjacking, or by using stolen credentials from separate incidents.

In any case, it works this way: A video is received that appears to be from someone on the user’s contact list. When that is clicked, other websites collect information about the user’s system such as the browser and operating system, language, geolocation, etc. Then it redirects to a Google document with a dynamically generated video thumbnail. If that thumbnail is clicked, the user is redirected again to a customized landing page displaying something different based on the browser and operating system.

The analysts found that Firefox users saw a phony Adobe Flash Update and Google Chrome users got a video of a fake Chrome extension. Safari users saw yet something different.

The lesson here is the same as watching for phishing attempts. If you receive a chat or text message unexpectedly, it should be deemed somewhat suspicious. Don’t reply to the message, but contact your Facebook friend some other way to find out what the message is all about. If they confirm that it’s OK for you to click, go ahead. Although, be aware that even links that are confirmed and seem harmless may do damage behind the scenes.

In the case of this one, it does not appear that any Trojans or other types of malware are installed when clicking through the links. It is clear, however, that whoever is behind this scam is making a lot of money on click-through advertising and probably getting real access to victims’ contacts.


Medicare Fights Fraud With New ID Cards

Medicare knows the information safety of its many members is at risk. There’s been a steady increase in identity fraud for seniors, with 2.1 million reported cases in 2012 growing to 2.6 million in 2014. That’s one big reason Medicare is introducing new replacement cards for all fifty million-plus members. The newly designed (and still red, white and blue) cards will begin mailing in April 2018 and finish by April 2019. The new card takes a major step toward improving the safety of member information by removing Social Security Numbers. The new cards will automatically be sent to recipients, with absolutely no action required on the part of members.

With the good news for Medicare recipients comes the need for an info-scam safety lesson. There’s no shortage of fraudsters ready to exploit the new cards and their owners. Medicare strongly suggests all those card-carrying members and the people who know them learn how to protect one’s Medicare ID Card. Being best-informed about “information thieves” and their scams is a very effective deterrent.

New Medicare Card Safety Feature

Social Security numbers are removed and replaced with 11 randomly chosen letters and numbers called the Medicare Beneficiary Identifier (MBI). Those whose cards don’t currently carry an SSN will also receive a new card with an MBI. Still, the new cards carry valuable information and should always be safely stashed away.

How to Stop Scammers

– Once you receive your new card, immediately destroy the old one. Use a crisscross shredder or scissors to cut the old card to bits. Dispose of the pieces safely and responsibly. Whenever possible, don’t toss an entire destroyed card in the same receptacle. Believe it or not, they can be reconstructed by very patient and dedicated thieves.

– Medicare has websites for questions and education informing new card recipients about scams. You can visit the Medicare website for more details. Remember, if you’re contacted by a suspected scammer, hang up and immediately call Medicare to report the incident. Get the phone number off the Medicare website.

– Beware of any contact regarding new cards. Do not provide any information to someone claiming to be from a federal agency (Medicare, Social Security, IRS, etc.) who asks for money to replace the old card, asks you to verify sensitive information, and/or threatens a loss of benefits. This is a thief. Always hang up and immediately report the attempt to Medicare.
