October was not only National Cybersecurity Awareness Month, but also the time to celebrate Halloween — a time of fun, candy and costumes.
Much like trick-or-treaters and other Halloween mischief makers, malware can use “costumes” to disguise what it is and to trick you into installing it. These costumes come in many forms, but if you know what to look for, you can avoid the tricks.
Trojan horses
Trojan horses are a type of malware that misrepresents itself to look legitimate, much like the Trojan horse the Greek army used to enter Troy.
Trojan horses may be apps in smartphone stores, freeware and shareware or even attachments to emails. The last is a very common spam technique and is often used with spam email campaigns that say you have a voice mail, fax or shipping notification. When you click the attached document to hear the voice mail, see the fax or see who has shipped you a package, the file opens to show what you expect to see or hear, but in the background, malware is downloading onto your computer.
Drive-by downloads and ‘malvertising’
Drive-by downloads occur when a program is downloaded onto your device without your permission. One way this happens is through malicious advertising, or malvertising.
You know the advertisements that appear on the edge of many Web pages? When malicious actors purchase advertising space there, they can install malware in the advertisement. That means if you see the malicious advertisement, which looks like any legitimate advertisement, the malware hidden in the advertisement will automatically try to download onto your device.
Social engineering: Malicious links
Social engineering relies on tricking you into taking an action, such as clicking a link. As the malicious website opens, malware can be installed on your device. Simply visiting these websites is enough to infect your device.
Some types of social engineering use “link baiting” or other techniques to get you to click on the malicious link. Link baiting (which isn’t necessarily malicious) is when content providers try to get you to click on a link. One popular form of link baiting is providing a teaser that generates interest in the story, such as “5 things preventing you from being rich” or “When I found about this trick, it blew my mind!”
Social engineering: ‘Scareware’
Scareware, such as ransomware and fake anti-virus software, frequently uses social engineering by making pop-up boxes look like messages from your computer.
These messages try to look official and say things like, “System Warning!,” “Threats Found!” or “Your computer is infected. Click OK to remove the virus.” They hope you’ll click on the message, which allows the malware to be downloaded onto your computer. Often, clicking anywhere on the message allows the malware to be downloaded, so instead hit the Back button (or on a Windows® computer, use the Task Manager to close the pop-up window).
As if scareware isn’t bad enough, some versions of scareware use the scary warning messages to convince you to buy the malware. ‘Fake anti-virus’ malware most commonly uses this technique. Fake anti-virus is malware that pretends to be real anti-virus software. The criminals who sell the fake anti-virus have professional-looking websites, call centers where you can ask for help and even different payment levels.
After you buy and install the fake anti-virus, it will infect your computer with malware instead of cleaning it, and the malicious actors have your money.
How can you minimize your risk?
Avoid the tricks by being aware of the tactics:
Only open an email attachment or click a link if you’re expecting it and know what it contains. Don’t open email attachments or click links from unknown or untrusted sources.
If something looks suspicious in an email from a trusted source, call and verify the email is legitimate.
Use up-to-date anti-virus protection and apply recommended patches/updates to your device.
Only install third-party applications and software you really need. Make sure it’s from the vendor or the Android®, Apple® or Windows store. Since the app stores allow third parties to post and sell apps, make sure the app is from a trustworthy source.
Use discretion when posting personal information on social media. This information is a treasure trove to scammers who will use it to feign trustworthiness.
Sun, Sand and Cybersecurity (July 2015)
Every summer, vacationers put their house lights on timers and their mail on hold when they travel away from home. It’s just as important when taking a vacation to take similar precautions with good cyberhabits. Many cybercriminals specifically target travelers. Criminals often set online lures to sell fake vacations or tickets. These may be just simple advertisements or sophisticated scams using realistic websites, complete with telephone operators who will “assist” you.
Home Alone
Social media posts with pictures of tourist attractions may update your friends and family, but they also tell criminals that you’re on vacation and your house is empty. Other older posts may contain personal details or pictures of your home, telling thieves what items of value are in the house or how to circumvent security systems.
Stolen ‘Keys’
Sensitive data, such as usernames and passwords, are especially valuable to criminals. One way criminals obtain such data is by installing a “keylogger” on hotel public computers. The keylogger records every keystroke typed on the computer and then transmits that information to the criminal.
Missed Connection
Some cybercriminals specialize in “sniffing” the Wi-Fi® and public networks in airports and coffee shops, allowing the criminal to collect and read all information sent over a wireless network. Other criminals use a practice called “juice jacking,” where the criminal rigs a public charging kiosk to siphon information directly from your device when you plug into it.
Who’s the Boss?
The cybersecurity threat doesn’t end with you. Social engineers often use information about a boss’s vacation to gain physical access or commit financial fraud. The social engineer knows that he or she can reference the boss and the boss won’t be reachable to verify whether he or she really did order the “repairman” or give instructions for a fraudulent wire transfer.
When in Rome …
Different countries have different laws, which may give government employees or law enforcement full access to your device without your knowledge or permission. Some countries are known to collect all data residing in that country, while others collect data from devices left in hotel rooms. This may be very important in countries that don’t have the same freedom of speech as the United States. Some of these countries are known to have jailed tourists who posted negative comments online about the government or who posted criminal activities online, such as the use of alcohol or drugs.
Easy Tips
Luckily, with a little care, it’s possible to avoid these problems. Follow these simple tips to ensure the only memories from your vacation are good ones:
Use discretion when posting personal information on social media. This information is a treasure trove to social engineers. Don’t post information about travel plans or details; save the pictures and updates until after you return home.
Set email “away” messages to only respond to known contacts in your address book.
Disable geolocational features, such as automatic status updates and friend finder functionalities.
Remind friends and family members to exercise the same caution.
Protect Your Devices
Keep your electronic devices with you at all times.
Before traveling abroad, change all passwords that you’ll use while traveling. Upon your return, change the passwords of any accounts that were accessed while abroad. This includes passwords used by social media websites and email providers for which you have automatic logins.
Don’t access sensitive accounts (such as bank and credit card accounts) or conduct sensitive transactions over public networks (such as hotel and airport Wi-Fi, business centers and Internet cafes).
Use up-to-date anti-virus, anti-spyware and anti-adware software. Apply recommended patches to your operating system and software.
Use wired connections instead of Bluetooth® or Wi-Fi connections whenever possible.
Don’t plug USB cables into public charging stations. Only connect USB-powered devices using the intended AC power adapter.
Know the local laws regarding online behavior, as some online behaviors are illegal in certain countries.
Social Engineering Through the Internet (June 2015)
Social engineering refers to the methods attackers use to manipulate people into sharing sensitive information or taking an action, such as downloading a file. Sometimes a social engineer relies solely on information posted online; other times the social engineer interacts with the victim to persuade him or her to share details or perform an action.
Oversharing Online
Information posted online can seem harmless, until you think about how a social engineer could use the same information. By gathering multiple pieces of information from various sources, a cybercriminal could have enough facts about you to craft a very convincing social engineering scam. Think about how these seemingly innocuous details might be valuable to the cybercriminal:
Posting a picture of your pet might give away your pet’s name, or posting a photo of your car would identify its color. Pet’s name and car color are common security questions.
Answering a “meme” can give away personally identifiable information (PII), such as your date of birth or other sensitive information, including answers to security questions.
Be careful about how much information you post and think about how the various pieces might be combined for use by a cybercriminal.
Persuasion Scams
The following three common types of persuasion methods highlight different ways social engineers target victims through the Internet.
Tech Support Call Scams
In tech support call scams, the scammer, claiming to work for a well-known software or technology company, cold calls victims to convince them that their computer is at risk of attack, is attacking another computer or is infected with malware, and that only the caller can remediate the problem. In the process, the scammer often persuades the victim to provide remote access to the victim’s computer. The scammer can then install malware or access sensitive information. In some variations, the scammer persuades the victim to pay for unnecessary or fictitious anti-virus software or software updates.
Romance Scams
In romance scams, the malicious actors create fake profiles on dating websites and establish relationships with other site members. Once a sense of trust is established, the scammer fabricates an emergency and asks the victim for financial assistance. The scammer generally claims he or she will repay the victim as soon as the crisis is over. However, if the victim sends money, the scammer will prolong the scam, sometimes stealing thousands of dollars from the victim.
Traveler Scams
In this scenario, also known as the “grandparent scam,” malicious actors use information posted on social media websites by a traveling family member to trick other family members into sending money overseas. Often the scam targets the elderly, who are less likely to realize the information was originally posted online. The scammer will monitor social media websites for people traveling overseas, and then contact the family members (through the Internet or via telephone) describing a crisis and requesting that money be sent immediately. The scammers rely on all the information users post online about themselves and their trips to convince the family member that they know the traveler and are privy to personal details, and thus should be trusted.
Easy Tips to Protect Yourself from Social Engineering
Use discretion when posting personal information on social media. This information is a treasure-trove to scammers who will use it to feign trustworthiness.
Before posting any information, consider: What does this information say about me? How can this information be used against me? Is this information, if combined with other information, harmful?
Remind friends and family members to exercise the same caution. Request they remove revealing information about you.
Verify the identity of anyone who contacts you through different means. Don't use the information they provide you.
Don't send money to people you don't know and trust.
Smart Phone Security Tips (4/21/15)
Regularly Update Your Device
Mobile malware increased 75 percent in 2014 and further increases in malware are expected in 2015, particularly in mobile ransomware. Updated operating systems and security software are critical in protecting against emerging threats.
Enable Encryption
Enabling encryption on your smartphone is one of the best ways to safeguard information stored on the device, thwarting unauthorized access.
Use a Passcode
In case your phone ever does fall into the wrong hands, don’t make it easy for someone to access all of your important information! Enable strong password protection on your device and include a timeout requiring authentication after a period of inactivity. Secure the smartphone with a unique password — not the default one it came with. Don’t share your password with others.
Don’t Use Public Wi-Fi
Don’t log into accounts and don’t conduct any sensitive transactions, such as shopping or banking, while using public Wi-Fi. Disable the “automatically connect to Wi-Fi” setting on your device.
Install Applications From Trusted Sources
Last fall, Gartner issued a prediction that more than 75 percent of mobile applications will fail basic security tests through 2015. When downloading apps, be proactive and make sure you read the privacy statement, review permissions, check the app reviews and look online to see if any security company has identified the app as malicious.
Install a Phone Locator/Remote Erase App
Misplacing your device doesn’t have to be a catastrophe if it has a locator app. Many such apps allow you to log on to another computer and see your device’s exact location on a map. Remote erase apps allow you to remotely wipe data from your device, helping minimize unauthorized access to your information in the event you can’t locate the device.
Disable Unwanted Services When Not in Use
Bluetooth® and near-field communication (NFC) can provide an easy way for an unauthorized user nearby to gain access to your data. Turn these features off when they’re not required.
Carefully Dispose of Mobile Devices
With the constant changes in the smartphone market, many users frequently upgrade to new devices. Make sure you wipe the information from your smartphone before disposal. For information on how to do this, check the website of your mobile provider or the manufacturer.
Avoiding Online Tax Scams (March 30, 2015)
It’s tax season, which means it’s also time for tax scams, with numerous online scams that attempt to steal people’s tax refunds, bank accounts or identities.
The Internal Revenue Service (IRS) estimates it paid $5.2 billion in fraudulent identity theft refunds in the 2013 filing season. Websense® Security Labs reported in 2014 it saw approximately 100,000 IRS-related scams in circulation every two weeks.
This year, we need to be especially careful in light of the Anthem Breach, in which data from approximately 80 million customers was exposed, triggering new phishing attacks offering false claims of credit monitoring services.
Users who have already filed their taxes this season can still be vulnerable to tax-related scams. Many schemes take advantage of users by alleging to have information about the filer’s refund or noting a problem with the return that was previously filed.
One scam that has already been impacting users this season involves phishing emails claiming to be from Intuit’s TurboTax®. The emails prompt users to click on links to verify their identity or update their accounts in an attempt to download malware to the victim’s machine or steal data such as Social Security numbers (SSNs) or financial information.
Below are some of the most common email scams users should be cautious about:
The email says the user is owed a refund and should forward a bank account number where the refund may be deposited. Once the scammer has the bank account information, that account will see a big withdrawal, not a deposit.
The email contains exciting offers or refunds for participating in an “IRS survey.” This fake survey is actually used to acquire information to perform identity theft.
The email threatens the user with fines or jail time for not making an immediate payment or responding to the email.
The email includes a “helpful” downloadable document (for example: new changes in the tax law, a tax calculator, etc.). In reality, the download is a malicious file intended to infect your computer.
How To Avoid Becoming A Tax Scam Victim
Don't respond to emails appearing to be from the IRS. The IRS doesn't initiate taxpayer communications through email or social media to request personal or financial information. If you receive an unsolicited email claiming to be from the IRS, send it to firstname.lastname@example.org.
Don't respond to unsolicited emails and don't provide sensitive information via email. If the email appears to be from your employer, financial institution, broker, etc., contact the entity directly. Don't open any attachments or click on links contained in unsolicited or suspicious emails.
Carefully select the tax sites you visit. Use caution when searching online for tax forms, advice on deductibles, tax preparers and other similar topics. Don't visit a site by clicking on a link sent in an email, found on someone's blog or in an advertisement. The website you land on may look just like the real site, but it may be a well-crafted fake.
Secure your computer. Make sure your computer has all operating system and application software updates. Anti-virus and anti-spyware software should be installed, running and receiving automatic updates. Ensure you use a strong password and different passwords for each account.
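As an added example (not part of the original article), a small Python triage script that applies the warning signs listed above to a constructed tax-scam email: it checks whether the sender's display name claims the IRS or TurboTax while the address domain differs, whether the visible link text names one site while the link actually goes to another, and whether the body carries one of the lures in the list. The sample messages, addresses and domains are all constructed for illustration.

```python
"""Triage a suspicious tax-season email for the lures described above.

Added example, not part of the original article. Uses only the Python
standard library; every message, address and domain here is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The email lures listed in the article, as regexes over the message text.
LURES = {
    "refund_needs_bank_account": r"refund.*(bank account|account number|routing)",
    "irs_survey_offer": r"\birs\b.*survey",
    "threat_of_fine_or_jail": r"\b(fines?|penalt\w*|jail|arrest\w*|prosecut\w*)\b",
    "helpful_download": r"(tax calculator|attachment|attached|download)",
}

# Brands a scam email commonly claims, and the domain a real sender would use.
BRANDS = (("irs", "irs.gov"), ("turbotax", "turbotax.com"))


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (enough for irs.gov / turbotax.com)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(value):
    """Hostname of a URL, or of bare text that looks like one (irs.gov/refunds)."""
    s = value.strip()
    if "://" not in s:
        s = "http://" + s
    return urlsplit(s).hostname or ""


def triage(raw_email):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_email)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name claims a tax brand, but the address domain does not match it.
    for brand, domain in BRANDS:
        if brand in name.lower() and registrable(sender_domain) != domain:
            findings.append(f"sender claims {brand} but address domain is {sender_domain}")
    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body)          # crude tag strip for lure matching
    for label, pattern in LURES.items():
        if re.search(pattern, text, re.I | re.S):
            findings.append(f"lure: {label}")
    parser = _LinkCollector()
    parser.feed(body)
    # Link text that looks like a site name but resolves to a different domain.
    for href, shown in parser.links:
        shown_host = host_of(shown) if re.search(r"\w\.\w", shown) else ""
        if shown_host and registrable(shown_host) != registrable(host_of(href)):
            findings.append(f"link text {shown!r} points to {host_of(href)}")
    return findings


# Constructed scam sample: spoofed brand, refund-for-bank-account lure, threat, decoy link.
SCAM_SAMPLE = """From: "IRS Refund Dept" <refunds@irs-refund-center.example>
To: taxpayer@example.org
Subject: Your refund is ready
Content-Type: text/html

<p>Our records show you are owed a refund of $1,214.</p>
<p>Please visit <a href="http://irs-refund-center.example/verify">irs.gov/refunds</a>
and provide your bank account number so the refund may be deposited.</p>
<p>Failure to respond within 48 hours may result in fines.</p>
"""

# Constructed benign sample: ordinary employer notice with a plainly labelled link.
BENIGN_SAMPLE = """From: payroll@example.org
To: taxpayer@example.org
Subject: W-2 available
Content-Type: text/html

<p>Your W-2 is now in the <a href="https://portal.example.org/w2">employee portal</a>.</p>
"""

if __name__ == "__main__":
    for line in triage(SCAM_SAMPLE):
        print("SCAM   :", line)
    print("BENIGN :", triage(BENIGN_SAMPLE))
```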
Social Media Scams — Spot them Beforehand (October 2014)
The use of social media has exploded, with 255 million active users on Twitter and more than 1.2 billion on Facebook. Unfortunately, so too have the scams and attacks that target social media. Criminals are taking advantage of the increasing number of users and the enormous amount of information exchanged. What are some common scams?
Information about special events (such as the Olympics) or tragedies (such as the missing Malaysian Airliner) could be used by those with malicious intent to conduct a social engineering scam, particularly on social media. For example: Many individuals are tempted to click on a video they see on their “newsfeed.” Unfortunately, these videos may lead to a malicious website designed to infect your computer.
Typical scams feature notices of items that can be “free” for you or available at a very low price. If you notice an online advertisement about the newest tech gadget at a ridiculously low cost, it's most likely a scam to trap users into clicking on the ad. Sometimes a refundable deposit is requested. Other times, direct access to your Facebook account is requested. These are scams intending to victimize you and your friends.
Fake organizations claiming to be charities have mushroomed on social media sites. They often post heart-wrenching images, such as a picture of babies with serious diseases or a fire that destroyed an entire community — basically anything that will appeal to people’s emotions. These posts almost always include a call-to-action, such as pleas for donations. Avoid being a victim. Investigate the legitimacy of these organizations before contributing.
What precautions can be taken?
Don't post private and confidential information, such as your credit or debit card number, password or other personal information.
Install anti-virus software, proper firewalls and anti-malware programs on your devices, including desktops, laptops, smartphones, tablets, etc., that you use to access social networking sites.
Inspect a link before clicking on it. If it seems suspicious, trust your instincts and don’t click, even if the link has supposedly originated from someone you know and trust. It's possible that their account was compromised and could be spreading malware without their knowledge.
When posting images, change settings accordingly to ensure they're private and can be viewed only by people you trust. If you delete your account, make sure all data and pictures are removed.
Use strong, unique passwords that only you know. Each account on social media should have varied passwords.
Exercising caution is the best defense. Enjoy social media but be alert for fraudulent activities!
Secure Online Banking (August 2014)
Virtually every financial institution is using the Internet to communicate and allow customers to conduct transactions online. Customers today expect this convenience and, if done securely, these transactions can be as safe as those conducted in person.
Start with the Basics
Ask yourself the four questions below. If your answer is yes to all, your chances of being impacted by a cyber incident are low. If any of your answers are no, then your chances of being impacted by a cyber incident are high. Understand these risks and take the recommended actions.
Is My Computer as Secure as Possible?
Using an unsecured computer is like leaving the door of your house wide open: you are making it easy for someone with malicious intent to access your property. An unprotected machine can become infected with malware in a matter of moments, leaving you vulnerable to identity theft or other crimes.
Having up-to-date security software protection isn’t an option; it’s a requirement and should become as automatic as locking your doors when you leave your house. Be sure your computer is current with all operating system and application software updates. Anti-virus and anti-spyware software should be installed, running and receiving automatic updates.
In addition to taking precautions when using your own computer, practice vigilance when using someone else’s. Don’t use public computers or public networks for financial or other sensitive transactions. You have no control over the security of a public computer or public wireless network.
Is My Connection to the Internet as Secure as Possible?
Simply connecting to the Internet makes you vulnerable to a potential attack. Using a firewall helps minimize risks by blocking malicious traffic to your computer. Make sure you have a firewall that is turned on and kept updated. New computers may be shipped with it on by default, but you should double-check.
When entering sensitive information onto a website, look for the “https://” and check that the lock icon is present in the URL bar. This indicates that your communications are encrypted. Also pay attention to the browser you use to connect to the Internet. Keep it updated and patched, and set to auto update. If you are using a wireless network to connect to the Internet, make sure encryption is enabled and change the default network name and password that come with the wireless router.
Is My Password as Secure as Possible?
Strong passwords don’t have to be hard to remember, just hard to guess. A good password is at least 10 characters and uses a mix of uppercase and lowercase letters, and numeric or special characters. Each of your online accounts, especially financial ones, should have its own strong password so that if one is compromised, the attacker does not have automatic access to your other accounts.
Do I Know How to Recognize a Scam?
Keeping your computer secure is only part of the equation when conducting online banking.
You need to be alert for scams and know what you can do to protect yourself. Phishing is one of the most common scams attackers use. A phishing scam typically consists of an email that tries to entice the recipient into clicking a link or downloading an attachment. A phishing scam targeting your financial accounts will consist of an email message notifying you of a “problem” with your account and asking you to click on a link to your “financial institution’s” site and submit sensitive information. This site, however, is a very convincing fake version of the legitimate site. This website may then prompt you to provide personal information such as Social Security number (SSN), financial institution account or credit card numbers, and/or it may download malicious software onto your computer.
Instead of clicking on the link to your financial institution's website embedded in an email, navigate to the financial institution’s website on your own by typing the address directly into your browser. Beware of attached files, as they may contain malware. Open attachments only from trusted sources, and if you are in doubt, don’t open it at all. You may also consider using anti-phishing software to help block many phishing-related emails.
Remember, no legitimate financial institution will ever ask you to provide sensitive information in an email.
Save the Social Media Vacation Posts Until You Get Back Home (July 2014)
It may be tempting to post details of where and when you’ll be traveling, but don’t.
By revealing such specifics, you are providing information that could be used by criminals to target your home while you’re gone. Another common scam involves compromising email accounts to contact your friends or family with requests for help, claiming that you were robbed while on vacation and need money.
Sending private posts and photos during your vacation to family and friends is OK, but if you post them publicly, you increase the risk of someone using that information for malicious activities. Also, make sure your children understand what, and when, they should post regarding your vacation plans.
Do Not Use Public Computers and Public Wireless Access for Sensitive Transactions
Whether you're entertaining the kids by streaming a video on a tablet, downloading new travel apps on your smartphone or even taking your tablet poolside, there are precautions you should take to make sure your personal information is safe.
Wi-Fi spots in airports, hotels, train stations, coffee shops and other public places can be convenient, but they're often not secure and can leave you at risk.
If you're online through an unsecured network, you should be aware that individuals with malicious intent may have established a Wi-Fi network with the intent to eavesdrop on your connection. This could allow them to steal your credentials, financial information or other sensitive and personal information. It's also possible that they could infect your system with malware. Any free Wi-Fi should be considered "unsecure." Therefore, be cautious about the sites you visit and the information you release.
Consider turning off features on your computer or mobile devices that allow you to automatically connect to Wi-Fi. Also, consider using a cellular 3G/4G connection, which is generally safer than a Wi-Fi connection.
Protect Your Smartphone, Laptop or Other Portable Devices While Traveling
Don’t let your devices out of your sight.
Just as your wallet contains lots of important and personal information that you wouldn’t want to lose, so do your portable devices. Never store your laptop as checked luggage. If there is a room safe available at your hotel, use it to securely store your devices.
Make sure your laptop and other mobile devices have the latest software installed. Your device manufacturer should notify you whenever an update is available.
Use of security software is a must. Many of these programs can also locate a missing or stolen phone, tablet or other similar device. These programs will back up your data and can even remotely wipe all data from the phone if it is reported stolen. Make sure you have strong passwords and encryption, where possible, on these devices in case they are lost or stolen.