Guilty of password scam, watch out for these email subject lines and don’t fall for this Twitter prank.
Welcome to Cyber Security Today. It’s Monday April 1st. I’m Howard Solomon, contributing reporter on cyber security and privacy for ITWorldCanda.com
Have you been victimized by giving away your password after getting an email from a phony company saying you have to reset your credentials? You’re not alone. Last week a man pleaded guilty in a U.S. court to tricking professional athletes and musicians into giving away their Apple usernames and passwords and stealing their credit card information. His scam had been going on since 2015, and involved sending an email pretending to be from Apple customer support and saying he had to reset their accounts. Armed with their usernames and passwords, the man then took over their accounts, and took credit card information and used it to buy plane trips, furniture and to transfer money to his bank. He pleaded guilty to computer fraud and aggravated identity theft. He’ll be sentenced in June.
It’s not uncommon for a company to ask you to change your password. But first, check the sender of the message to make sure it’s legit. Second, don’t click on a link in the message or follow the URL in the message. Go to the site in your usual way and then log in. Never give away passwords over the phone.
Did you ever take your computer to Office Depot in the U.S. for a checkup? Well, you might have been scammed. Last week Office Depot agreed to pay $25 million and its software supplier, Support.com, Inc., paid $10 million to settle allegations they tricked consumers into buying unnecessary repairs. Consumers were told service people had found malware on their computers after running a free PC checkup. The Federal Trade Commission alleged the store employees were pushed to generate sales.
Periodically security companies put out analysis of trends in malware families. You may not be aware but criminals send out malware with a bunch of packaged attacks — for example, tools that grab passwords, look for bank login information and spread ransomware. One nasty piece of malware has been dubbed Emotet and has modules criminals can use for different attacks. Emotet warheads are often spread by emailing infected documents to unsuspecting people who click on them. What caught my eye in a report last week from Trend Micro were the subject lines attackers often use to get your attention. You should be wary of subject lines like Invoice, Invoice reminder, Payment Status, ACH Payment, Payment Notification and Up to date emergency exit map.
For security professionals trying to protect an organization, the report notes that distributors of Emotet malware try to use the Windows PowerShell utility in computers to spread the attack. So a good defence is to adopt best practices for locking down PowerShell. Microsoft provides guidelines on how to do that.
Finally, Twitter is warning users not to fall for a prank message that says you can get new colour schemes if you change your birthday in the settings to 2007. That, of course, would make you 12 years old. And because Twitter has a rule that no one under 13 can have an account, changing your birthday will only get you locked out of your account. Then you’ll be blue. Or red in the face.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.