Don’t Trust Your Trusted Facebook Friends

When one of the world’s massive social media sites offers an impenetrable way for account holders to regain a forgotten password and/or security question when they don’t have access to their registered email account, what could possibly go wrong?

Rest assured the Kings of Spam-a-lot reign supreme. They’ve wormed their way into this “foolproof” way to safely gain access to your Facebook account, or even help a friend with their account. Facebook developed a “Trusted Friend” option to help those locked-out users. What was once a happy idea has twisted tragically against Facebook users.

According to Access Now, this is how the Facebook phishing scam plays out:

– You get a message from an attacker on Facebook Messenger, who is using the compromised account of someone on your Friends list.

– The attacker asks for your help recovering his account, explaining that you are listed as one of his Trusted Contacts on Facebook, and tells you that you will receive a code for recovering his account.

– Then the attacker triggers the “I forgot my password” feature for your Facebook account and requests a recovery code.

– In an effort to help, you send the code you’ve just received to your “friend.”

– Using the code, the attacker can now steal your account from you, and use it to victimize other people.

Now that we know how it works against us, how can we make it work for us?

– If you receive a message from your friend on Facebook Messenger asking for the code to get back into her account, don’t assume it’s legitimate. A simple phone call to your friend will confirm or deny the request.

– Take the time to verify the email sender, hover over the source, make sure spellings are correct, and never immediately act without thinking and thoroughly vetting the source.

– If you’re suspicious your Facebook account has been hit, go directly to, then click “My Account Is Compromised.” Follow the indicated steps to find your answer.

Also use Facebook’s Security Checkup tool, which helps fortify your account security settings.

© Copyright 2017 Stickley on Security

Looking for Love in Online Places May Lead to Scams

For some, the holiday season is a time to look for love. No one likes to be alone for the holidays, so some put pressure on themselves to hit the dating sites. But there are risks with online dating, and should you choose to engage, use good judgment when exchanging information with those you meet via online dating sites or even social media. Unfortunately, not everyone is truly looking for love. Some will instead threaten you if you don’t pay up.

There are many scams involving online dating and friendships nurtured via social media such as Facebook. In many cases, the scammers use social engineering to lure victims into a false sense of security. Once a relationship is formed, whether romantic or otherwise, a plea for financial assistance follows. In a recent scam, the romance turns from texting and sending photos to a threat of arrest, and it’s realistic enough that it may take a while for the potential victim to realize it’s really a scam.

One victim was chatting away with someone he had met on a dating site. According to her profile, she was in her late twenties. Once trust had been built, the woman sent some provocative pictures and asked him for some in return.

Not wanting to disappoint, he did it. The next thing he knew, she revealed herself to be a minor and he immediately received a call from the “local police.” He was suspicious and looked up the phone number that showed on his caller ID. It did show as belonging to the police. He picked up and was threatened with three felony counts and a prison sentence.

He then received a call from the girl’s “father” who implied that money might make the problem go away. That’s when the victim got wise.

There are a couple of points to note in this scam. Firstly, it’s not difficult to make a phone number appear to come from someone else. It happens all the time. Sometimes there are legitimate reasons to spoof a phone number. For example, if you own a business and have several phone lines, you might like them all to show as coming from one single number so your customers don’t get confused.

However, there are many scammers who change them just to trick you into picking up. A recent tactic involves changing the number to make it appear as if it is from someone nearby, such as a neighbor. This is called “neighbor spoofing.” Sometimes, they make the number your own hoping that you’ll pick up, even if out of sheer curiosity. Just don’t answer. If you do, don’t press any numbers or provide any information. Just hang up.

The second point in the case of this romance scam: just don’t send compromising photos. Not only can they be used against you in situations like this, but in some cases sending them may also be a felony.

Don’t be afraid to use online dating sites. There are many success stories. However, should something like this happen to you, report it to local authorities. If people don’t, these scams will only continue and there will be more innocent victims.


Get Free Milk And Free Malware Too

Everyone likes to get free stuff. Admittedly it’s better if it’s a free vacation or free money. However, researchers at Palo Alto Networks have found a way you can get FreeMilk. Hey, free is free! There is bad news, of course. It comes in the form of malware. The schemers have figured out a way to intercept ongoing email “conversations” to distribute malware around the world. It exploits either a Microsoft Office or WordPad vulnerability and involves two steps.

In part one, it uses a decoy document in an email message that contains specific information about the recipient, in hopes it’ll make him or her think it’s an authentic message. That’s what the attackers put together when they intercept the email conversation. This is the PoohMilk part of this. Then comes Freenki, which does the damage. It collects information such as user name, computer name, and active processes on the computer, and it can take screenshots of the device. The information is then sent to the attackers, who can use it for other attacks.

In spearphishing, attackers gather information about the intended targets. This could be acquired from social media profiles and posts, such as from Facebook or LinkedIn, but could also be a result of a phishing phone call (vishing). Then they use it to craft the email. Since the recipients see all the specific information, they are more likely to click a link or attachment.

Just because the information is accurate and specific doesn’t mean an attachment is free of harm. Question why a document may be coming in the middle of a conversation before clicking it. Call the sender on the phone and ask about it first. You can even send a text. Just don’t reply to the message, and in this case, it’s better if you don’t send email at all.

There are literally no attachments that are safe these days. Malware can come in the form of documents, spreadsheets, executable files, text files, images, and anything else you can come up with. If you are not expecting an attachment or link, don’t click it.

Fortunately, this is a limited spearphishing campaign, discovered by the researchers in May of this year. But that doesn’t mean it won’t come across your inbox. Always be on the lookout for these scams.


ATMs Are Becoming The Preferred Method For Stealing Cash

While stealing via payment card and identity theft is still popular, visits to ATMs are starting to be a preferred method of stealing cold hard cash by gangs of cyberthieves. Called jackpotting or cashing out, recent attacks were carried out in Taiwan, Russia, the UK, The Netherlands, Spain, Belarus, Estonia, Armenia, and other countries throughout Europe and Asia, according to Europol and Trend Micro. These groups use malware that is installed on a financial institution’s network and eventually makes its way to the ATMs, allowing them to empty the machines of cash.

Unsurprisingly, the malware gets there via spear-phishing. Typically, the thieves send a malicious attachment to prescreened employees of the financial institution. If it’s opened, the malware executes and makes its way through the network. This method allows it to bypass perimeter security tools such as firewalls and intrusion detection systems.

Once the malware is on the ATMs, a low-level group member (a money mule) enters a sequence of numbers on the keypad and relieves the machine of all the cash inside. Sometimes debit and credit card information is also retrieved from the ATMs.

Ripper malware was used in such an attack in Thailand in 2016. Thieves stole roughly $363,000 worth of baht. In Taiwan, a more sophisticated technique was used, where the thieves stole administrator credentials by accessing a bank’s voice recording system. They then mapped the network, locating the ATMs’ updating system, ultimately “updating” the system and loading malware that instructed the machines to dispense the maximum number of banknotes. They ended up with $2.7 million.

These types of attacks are becoming more popular because they’re less risky than walking into a bank with a note and a firearm, demanding all the cash from the drawers or vaults. In fact, it’s unlikely the criminals in a remote attack using money mules will ever be identified or caught.


TrickBot Trojan Evolves To Steal Email Messages And Cryptocurrency

The infamous TrickBot financial Trojan is a very active and ever-changing one that continues to make its way around the globe. IBM X Force Research has recently discovered that it not only targets major banks, but can now also empty crypto-wallets of all the accumulated currency. It doesn’t stop there, however. It can now steal Outlook email messages and information from browsers as well. This version is being propagated through phishing email messages as well as through websites.

Earlier this summer, this Trojan was being sent in spam campaigns at the rate of 75,000 in a mere 25 minutes. It tricked customers of the UK’s Lloyds Bank out of login credentials by using legitimate security certificates and website addresses that were so close to the actual ones that it was nearly impossible to identify them as imposters.

Regardless of where email messages originate, always pay attention to where any links may be taking you. If you need to check something in any of your online accounts, log into them directly from the websites and verify there. Don’t click links or attachments or panic because an email claims you will be locked out of your account or poses some other threat.

If you don’t know the sender, it’s good practice to never click links or attachments anyway. And if you get an email from Aunt Martha that has a short “Hey, look at this” type of message with just a link, it should be deleted right away. It’s unlikely Aunt Martha would send such an obscure note. If you want to be sure not to offend her by trashing it without looking, pick up the phone and call her first to confirm she did intend to send it to you.

This malware is also now being delivered via fake websites. So, pay close attention when typing addresses into browsers so you don’t set it loose that way either. TrickBot is being sent at a rate of 40 million email messages per week and is targeting financial institutions in over 40 countries.


Popups in Apple Apps Steal iCloud Credentials

Scammers truly don’t give up. That’s because once they find something that works, it works really well, and it can result in a significant payoff. Recently, some of them have figured out how to trick Apple iOS users into giving up their iCloud passwords. And it is a surprisingly simplistic attack. It pays to take a few seconds to read and analyze why you’re being asked for credentials to anything. That’s because this one is so good, it can fool anyone.

Felix Krause, a software expert, explained in a blog post how scammers are taking advantage of our conditioning to enter our Apple credentials whenever we are asked, without so much as a pause to consider what we are doing.

The scammers are building popups requesting credentials inside apps. He didn’t get into the gory details or publish the code, although he did say anyone who can program for iOS would be able to do it very easily. Krause created a fake popup that is identical to the actual one that Apple sends.

Take some time when installing apps and updates to make sure the request for any credentials is a legitimate one. There are some ways to avoid falling into this trap:

– If you see a popup, hit the home button on your device. If the app and the popup both disappear, it’s phishing. If they don’t, it’s a genuine request.

– Get into the habit of entering your password manually, rather than putting it into any popup. That means going into the settings and entering it in the app there. Clear the fields of all text you may have entered and cancel the request.

– In addition, when you are looking for an app to install on any device, do some research first to make sure it isn’t riddled with malware. Read the reviews and if there is something wrong with it, it’ll show there. If there aren’t many reviews and the ones that are showing are all glowing, they may have been planted by whoever put the app up.

Also, avoid sideloading any apps (downloading from sites other than the official app stores). While getting them from the official app stores does not guarantee they are safe, the risk of downloading malware is significantly lower when doing this.
