Beware of phony Snowden book offer, Instagram copyright scam and bad Android apps
Welcome to Cyber Security Today. It’s Wednesday September 25th, I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com. To hear the podcast, click on the arrow below:
Lots of people are worried today about privacy and how governments use technology. So the latest book by U.S. fugitive Edward Snowden, who worked for the CIA until he exposed secrets about government spying, is expected to be a hot seller. Well, don’t be suckered by an email offer you get for a copy. According to security firm Malwarebytes, hackers are offering the book as a Microsoft Word attachment. Victims who click on the attachment see a yellow warning asking them to enable content. Then, seemingly nothing happens. What’s you can’t see is malware is being downloaded onto your machine.
This is a common trick: Use something that’s hot in the news as a lure for a malicious email campaign.
A Russian man has pleaded guilty in a U.S. court to hacking a number of American financial institutions, wire fraud and bank fraud for his part in a gang operation between 2012 and 2015. He’ll be sentenced in February.
Security firm Sophos reports that Instagram users are being targeted by an email campaign with fake copyright infringement alerts, saying you’ve posted something wrong. They warn you have to fill out a so-called Copyright Objection Form. But the goal is get your username and password. Not only that, the scam tries to get your birthday by asking for your date of birth. There are some tipoffs if you get one of these messages — spelling and grammatical errors and an oddly long web address that ends in “dot-CF”, which is not what you’d expect from Instagram.
Twenty-five more malicious apps have been found in the Google Play Store, pretending to be photo utilities or fashion apps. Google usually quickly scans new apps and finds the bad ones. But according to security firm Symantec, this batch of apps was hard to detect because they used an interesting trick: They would install properly, but later send out a message to a controller to download malware that would also hide the app’s icon. Then advertising pops up on the victim’s device, seemingly from nowhere. The hackers, meanwhile, are getting money from the number of ads being shown from ad networks. Once notified, Google removed these apps. But they’ve been around for several months and downloaded more than two million times. As I’ve said before, Google does a good job of catching bad apps, but it isn’t perfect. Be wary of new apps, and especially from unknown developers. Your mobile device isn’t the place to play with the newest app.
Finally, Microsoft usually issues security patches on the second Tuesday of each month. But it just issued a new one for a serious bug in the Internet Explorer browser. If you don’t have Windows 10 and can’t use the newer and safer Microsoft Edge browser, make sure you get the patch.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon