Phishing scam victimizes employees in a U.S. county, an automated tool criminals might pick up and another problem Amazon S3 bucket user
Welcome to Cyber Security Today. It’s Monday, August 18th.
Phishing continues to cause heartaches around the world as people fall for email scams. Familiar lures are an attached phony invoice, an alleged package being couriered or a spreadsheet supposedly sent by a co-worker. In one way or another they want you to click on a link or open a document and log in, at which point you give up your username and password. Here’s one of the latest tricks: a pay-raise notification. It was sent to a number of county employees in Minnesota. Who wouldn’t open a notice of a pay raise? According to the Minneapolis Star Tribune, the county says it has a good employee cyber awareness program, including simulated phishing tests to teach staff what to look for. But, as experts say, even if only one employee falls for a scam, that’s one too many. It bears repeating: email, texts and social media are all channels criminals use to trick you. Read messages carefully and always check where a message really comes from. Remember, even a friend’s email account can be hacked and then used to trick you, so just because a message really came from Bob or Janet doesn’t mean it isn’t a scam.
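Checking "where a message really comes from" means looking past the visible From line at the envelope sender, the Reply-To and the receiving server's SPF/DKIM/DMARC verdicts. The script below is an added example, not part of the podcast: it parses two constructed messages (the domains county.example and mail-notify-hr.example are invented) and lists the mismatches a pay-raise lure typically shows. The second message passes every check, which is exactly the case of a friend's hacked account the episode warns about: header checks catch spoofing, not a compromised sender.

```python
"""Inspect where an e-mail really came from before trusting a link in it.

Added example, not from the podcast. It parses constructed sample messages
and flags the header mismatches a phishing message commonly shows.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a "pay-raise" lure whose visible From address does not
# match the envelope sender, replies are diverted, and DMARC failed.
SUSPECT_MSG = b"""Return-Path: <bounce@mail-notify-hr.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-notify-hr.example; dkim=none; dmarc=fail header.from=county.example
From: "County HR Payroll" <payroll@county.example>
Reply-To: hr-confirm@mail-notify-hr.example
To: employee@county.example
Subject: Notification of salary increase - action required

Your pay raise has been approved. Log in to confirm your details.
"""

# Constructed sample: a legitimate message, indistinguishable from one sent
# through a co-worker's hacked account. Every check passes.
CLEAN_MSG = b"""Return-Path: <bob@county.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=county.example; dkim=pass header.d=county.example; dmarc=pass header.from=county.example
From: Bob <bob@county.example>
To: employee@county.example
Subject: spreadsheet

Take a look at this when you get a minute.
"""


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased; '' if none."""
    addr = parseaddr(str(header_value) if header_value else "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg):
    """Collect {method: result} from Authentication-Results, e.g. {'spf': 'pass'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            results[method] = result.lower()
    return results


def inspect_message(raw_bytes):
    """Return a list of human-readable warnings; an empty list means no header red flags."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_dom = _domain(msg["From"])
    return_dom = _domain(msg["Return-Path"])   # envelope sender recorded by the receiving MTA
    reply_dom = _domain(msg["Reply-To"])       # where a reply (and its credentials) would go
    auth = _auth_results(msg)

    findings = []
    if return_dom and return_dom != from_dom:
        findings.append(f"envelope sender {return_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"replies go to {reply_dom}, not {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) not in (None, "pass"):
            findings.append(f"{method}={auth[method]}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MSG), ("clean", CLEAN_MSG)):
        print(label, inspect_message(raw) or "no header red flags")
```

An empty result is not a clean bill of health: the second message would look identical whether Bob sent it or someone logged into Bob's mailbox. That is why the advice is still to read the message itself and confirm unexpected requests out of band.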
Spear phishing is another attacker technique: targeted email aimed at particular individuals. But how does an attacker get personal information on targets to trick them? One way is to look at organizations’ web pages, which often list employees. After picking a target, the attacker combs social media for pieces of information – a resume from LinkedIn, photos and family details from Facebook. That’s a lot of work. Well, security vendor Trustwave has created an automated tool to do it. Called Social Mapper, it can scan eight social media platforms for personal data and uses facial recognition to match a target’s photos across them. The tool is aimed at security firms that do penetration testing of organizations to see where those organizations are vulnerable, such as which employees will fall for sophisticated phishing scams. However, Trustwave is making it available to the public. That means criminals will grab it, too. Maybe that’s not such a good idea, although we already know the bad guys are into automation. It also means you’ve got to use privacy settings to protect what you put on social media.
Finally, employees are used to storing and number-crunching data in the cloud for convenience, but some don’t realize it could expose sensitive company and personal data if access controls aren’t handled right. Engadget reports that’s what happened when a sales employee at Amazon uploaded a spreadsheet to Amazon’s S3 storage service to work on. S3 buckets are private by default, but this employee didn’t follow best practices. A security researcher combing through S3 discovered the open data. It was full of prospective pricing data for a customer: the kind of numbers a competitor would love to get their hands on. Too many people are uploading data to Amazon, Microsoft Azure or other cloud storage services without thinking carefully about security. Employee training has got to be tougher. And maybe some services should put up alerts like, ‘Are you sure you want to do this?’
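A bucket stops being private in one of two ways: a bucket policy whose Principal is everyone, or an ACL grant to the AllUsers/AuthenticatedUsers groups. The script below is an added example, not the podcast’s or AWS’s code: it evaluates constructed policy and ACL documents offline, in the JSON shapes that `aws s3api get-bucket-policy` and `get-bucket-acl` return, and shows the weak policy beside its corrected form. The bucket name sales-work, the account ID and the role name are invented.

```python
"""Decide, offline, whether an S3 bucket's configuration leaves its objects world-readable.

Added example, not from the podcast or from AWS. Inputs are constructed samples
in the same JSON shapes the s3api get-bucket-policy / get-bucket-acl calls return.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed: the "just share the spreadsheet" shortcut, a policy letting anyone read objects.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::sales-work/*"}],
})

# Constructed: the corrected policy, limited to one role in the owning account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AnalystsOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/SalesAnalyst"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::sales-work/*"}],
})

# Constructed ACL grant lists, shaped like the "Grants" field of get-bucket-acl.
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
OWNER_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"}]


def _as_list(value):
    """Policy fields may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means any caller, anonymous ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(p) for p in principal.values())
    return False


def public_policy_statements(policy_json):
    """Sids (or positional indexes) of Allow statements that grant access to everyone.

    Simplification: any Condition is treated as narrowing the grant. AWS's own
    'public' determination is finer-grained, so treat this as a first pass.
    """
    hits = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if (st.get("Effect") == "Allow"
                and _principal_is_public(st.get("Principal"))
                and not st.get("Condition")):
            hits.append(st.get("Sid", str(i)))
    return hits


def public_acl_grants(grants):
    """Permissions handed to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def bucket_is_public(policy_json, grants, block_public_access):
    """True if either mechanism opens the bucket and Block Public Access is not fully on.

    block_public_access: True only when all four account/bucket-level settings
    (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) are enabled.
    """
    if block_public_access:
        return False
    return bool(public_policy_statements(policy_json) or public_acl_grants(grants))


if __name__ == "__main__":
    print("weak policy:", public_policy_statements(PUBLIC_POLICY))      # ['PublicRead']
    print("fixed policy:", public_policy_statements(PRIVATE_POLICY))    # []
    print("public ACL:", public_acl_grants(PUBLIC_ACL))                 # ['READ']
    print("exposed:", bucket_is_public(PUBLIC_POLICY, OWNER_ACL, block_public_access=False))
```

In a live account the same questions are answered by `aws s3api get-bucket-policy-status` (which reports `IsPublic`) and `aws s3api get-public-access-block`; the point of the offline version is to show which fields make the difference, and that turning on Block Public Access is the setting that makes an individual upload mistake harmless.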
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. I’m Howard Solomon.