Death possibly linked to ransomware, a phishing training scam, COVID victims list published and watch the privacy settings in mobile apps.
Welcome to Cyber Security Today. It’s Friday September 19th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
German authorities wonder if a ransomware attack last week that forced a Dusseldorf hospital to refuse admissions was partly responsible for the death of a seriously ill woman. Her ambulance had to be routed to another institution after the Dusseldorf hospital was closed because it was dealing with the cyber attack. The German news service RTL says the person or persons behind the attack dropped their ransomware demand and handed over the decryption key to unscramble the hospital’s data when police told them what had happened. There is some suggestion that an affiliated university, and not the hospital, was the target of the attack.
A number of cybersecurity companies specialize in selling online phishing training to companies and government departments. It’s been revealed that a hacker is taking advantage of the fact that employees are expecting an email reminding them to take the training. So the hacker creates phony messages that include links for stealing personal data. This scam was discovered by a phishing training firm called Cofense, which says the victim training firm is called KnowBe4. Employees would get a message with the subject line “Training Reminder,” saying their security awareness training course would expire in 24 hours. Like many scams, creating a deadline is aimed at pressuring the recipient to click on an included link without thinking. Two links in this message supposedly go to the training course. At a quick glance the two links look real, because they seem to include the word “KnowBe4,” the name of the training company.
However, users who are smart enough to look closely would see the address is not spelled as one word. It’s spelled “knowb.e4.com” in one link, and “knowbe.4.com” in another. That should be a warning something isn’t right. Those fooled into clicking on one of the links go to a fake Microsoft Outlook web page that asks for their real name, username, birth date and password. Asking for a birth date is another sign something’s wrong. This scam has been going on since April. In the past attackers have also used this trick with a supposed sexual harassment training course.
KnowBe4 has blogged on this attack.
This scam is another example of how important it is to teach employees to look slowly at every email they get, especially messages that ask them to click on a link. Those links have to be watched carefully. They are clues.
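As an added illustration, not part of the original podcast and not Cofense’s or KnowBe4’s own tooling, here is a short Python check that catches the trick described above: it strips the dots and hyphens out of a link’s hostname, looks for a brand name in what remains, and then checks whether the link’s registrable domain is actually the brand’s. The brand allow-list and the sample links are constructed for the demo; the two lookalike hostnames are the spellings reported in the story. It also flags the related case where the brand name appears as a subdomain of some other domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample links for the demo. The two lookalike hostnames are the
# spellings reported in the story; the others are made up for contrast.
SAMPLE_LINKS = [
    "https://training.knowbe4.com/course",      # brand is the registrable domain: fine
    "https://knowb.e4.com/login",               # lookalike from the story
    "https://knowbe.4.com/login",               # lookalike from the story
    "https://knowbe4.com.example.net/login",    # constructed: brand used as a subdomain
    "https://example.org/reminder",             # unrelated domain, no brand reference
]

# Assumed allow-list: brand keyword -> the registrable domain it legitimately uses.
BRAND_DOMAINS = {"knowbe4": "knowbe4.com"}


def registrable_domain(host):
    """Return the last two labels of a hostname (naive rule; production code
    should consult the Public Suffix List so that e.g. co.uk is handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(url, brands=BRAND_DOMAINS):
    """Return the impersonated brand name if the hostname reads as that brand
    once dots and hyphens are removed but is not registered under the brand's
    own domain. Return None for legitimate or unrelated links."""
    host = (urlparse(url).hostname or "").lower()
    squashed = re.sub(r"[.\-]", "", host)   # "knowb.e4.com" -> "knowbe4com"
    reg = registrable_domain(host)
    for brand, legit in brands.items():
        if brand in squashed and reg != legit:
            return brand
    return None


def flag_links(urls):
    """Return (url, brand) pairs for every link that looks like a brand impersonation."""
    flagged = []
    for url in urls:
        brand = brand_lookalike(url)
        if brand:
            flagged.append((url, brand))
    return flagged


if __name__ == "__main__":
    for url, brand in flag_links(SAMPLE_LINKS):
        print(f"SUSPICIOUS: {url} imitates {brand}")
```

The check is deliberately narrow: it only answers the question a careful reader asks, “is the word I recognise actually the domain this link goes to?” Run it over the link targets extracted from a message, not the visible link text, since the two can differ.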
Medical practitioners around the world are probably cringing after news that the public health authority in Wales admitted the personal data of over 18,000 people who had tested positive for the COVID-19 virus was left open on the internet. According to the British news site ComputerWeekly.com the data was open for 24 hours in August if somebody knew where to look. It was viewed 55 times. Fortunately, only virus victims’ initials, general location, gender and birth dates were listed. The likelihood of them being identified is low. However, just over 1,900 people living in care homes or supported housing would more likely be identified because their residences were listed. An initial investigation showed a health authority employee loading data into a business intelligence platform clicked a button publishing the information to a public web site instead of a private internal site. So this incident also speaks to training employees to do things slowly. It might also help if software developers put colour-coded markers on certain buttons in their applications.
Finally, a thread on Twitter caught my attention. A woman using the Strava mobile app for recording and tracking running and cycling routines was dismayed to discover that after a recent run the app had captured the name and running route of another runner she briefly accompanied that day. As she pointed out, a stranger could have followed the route and figured out where the person lives. Strava offers this supposedly helpful wireless capture capability so users can make friends. This capability is called Flyby, and it can be turned off in the privacy settings. However, the woman posting the complaint noted Flyby was turned off on her mobile device, but not on the other person’s device. The lesson here is be careful with apps that offer to help you wirelessly discover people with like interests. As with any app, know its capabilities and the privacy settings.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.