Be careful you don’t get hit twice by a data breach, behind a sophisticated email money transfer scam and why Apple killed two apps.
Welcome to Cyber Security Today. It’s Wednesday, December 5th.
It’s been an interesting few days, with a flurry of large data breaches being announced one after another. First came Marriott Hotels admitting that personal information on a whopping 500 million guests at various Starwood Hotels and Resorts had been stolen over four years. On Monday the Quora question and answer site said 100 million usernames and passwords were stolen. And the Canadian site 1-800-Flowers.ca revealed buyers had their names and credit card numbers stolen over four years. Now, in the aftermath of a hack it’s common for companies to send out email notices to victims telling them to change their passwords. But make sure you’re not a victim twice. Criminals seize on news of a hack by quickly creating fake websites and email domains with similar-looking company names, hoping to sucker people into clicking on a link and giving up their usernames and passwords. So, for example, an email from Marriott that should be spelled M-A-Double R-I-O-Double T will be spelled by a hacker with one R or one T. Read an email quickly and you won’t notice. So be careful when you get a message from a company saying it’s been hit by a breach, and “just click here” to go to a site to change your password. Instead, you should take control: type the name of the site you want to go to into your browser, or go to the site the way you usually do.
One of the problems with the Internet is that so many people are willing to post information about their jobs and business contacts that it aids criminals. Of course, before the Internet there were ways to find out who the top officials in a company are. It’s just easier now. That was one of the things that came out of a report this week from security vendor Agari on a gang it calls London Blue. It buys lists of target executives from commercial data brokers. Agari figures the gang has a list of 50,000 potential targets, most of them chief financial officers, in the U.S., the United Kingdom, Spain, Finland, the Netherlands, Mexico, Egypt, Canada and other countries. It uses the names to send email messages pretending to be an executive asking a staffer to transfer money to an account. Sometimes people get suckered because the email service they use is configured to show only the sender’s name, not their email address, which would signal a fake. You should make sure you can see the sender’s full address in all your email accounts. And be suspicious of email from someone in your firm that asks you to send money on a rush basis.
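The two warnings above, lookalike domains that drop a letter from a brand name and mail clients that show only a display name, can be turned into a simple check on a From: header. This is an added Python example, not code from the podcast or from Agari; the allow-list of known domains and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list of legitimate sender domains (assumption: use your own list).
KNOWN_DOMAINS = {"marriott.com", "quora.com", "1800flowers.ca"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> str:
    """Classify a From: header as ok, lookalike, display-name-mismatch or unknown."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in KNOWN_DOMAINS:
        return "ok"
    # The trick described in the text: "marriot.com" or "mariott.com" is one edit away
    # from the real domain. A threshold of 2 also catches both letters dropped at once.
    if any(edit_distance(domain, known) <= 2 for known in KNOWN_DOMAINS):
        return "lookalike"
    # A client that shows only the display name hides that the address is unrelated.
    brands = {known.split(".")[0] for known in KNOWN_DOMAINS}
    if any(brand in name.lower() for brand in brands):
        return "display-name-mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for header in [
        "Marriott <noreply@marriott.com>",
        "Marriott Hotels <security@mariott.com>",
        "Marriott Support <helpdesk@mail-example.net>",
        "Chief Financial Officer <cfo@example.org>",
    ]:
        print(f"{check_sender(header):24} {header}")
```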
Finally, I’ve recently warned about watching for bad apps on Google’s Play store. Well, according to Ars Technica, Apple just kicked two highly rated health-related apps out of its store for scamming people out of money. One was a fitness balance app, the other tracked calories. But after being downloaded they automatically charged users fees of $100 or more once the user scanned their fingerprint to log into the app: keeping your finger on the scanner approved the payment. After Apple stepped in, victims seem likely to get refunds. One way to protect yourself is to check on-site reviews of apps. But remember, those reviews can be faked. iPhone X users can protect themselves by activating the Double Click to Pay feature, so they have to verify a payment.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.