Beware of texting scams, more stolen data for sale and a phony Facebook login
Welcome to Cyber Security Today. I’m Howard Solomon. It’s Monday February 18th: Family Day in many Canadian provinces, Louis Riel Day in Manitoba and Presidents Day in the U.S.
Phishing scams are common in email, but con artists also use text messages. It’s not hard if they can get a list of phone numbers. One scam going around now claims to be from Canadian cellphone carrier Telus. The message says “Telus sends you funds” and there’s a link to a website. But if you click on the link, either you’ll be infected with malware, or you’ll be asked to log in with a password, which will be captured by the fraudster. Note this text message could go to phones of people who are not Telus subscribers. That alone is a tipoff that it’s phony. It’s similar to a scam that used this message: “Due to an error on your last billing, a refund has been issued by” your carrier. And, again, there’s a link to click on.
Richard Gilhooley, Telus’ manager of communications, said it is aware of a fraudulent text campaign that essentially operates as an SMS version of an email phishing scam (which some people call “smishing”). Telus customers can link to a page on how to protect their privacy here: telus.com/protecting-your-privacy as well as a support page. There’s also an alert on telus.com/privacy. Additional information about this and other examples of digital fraud campaigns can be found on its TELUS Wise website, which supports a free educational program that focuses on Internet and smartphone safety and security to help consumers protect themselves from online criminal activity such as phishing scams, identity theft and financial fraud.
Cellphone carriers don’t send messages about billing refunds. If you get a text or email message like this, don’t click on the link. Instead, tell your carrier, who may ask you to forward the message. Also, report it to the Canadian Anti-Fraud Centre.
Last week I told you about a huge dump of 620 million stolen accounts put up for sale on an underground web site. Well, the next day apparently the same person added another file of hacked data for sale from eight websites with 127 million accounts. They include 57 million accounts alone from the housewares site Houzz. Some of these hacks have already been reported to users. At the end of January Houzz said it was resetting all passwords due to a hack. The stolen passwords were scrambled, said Houzz. However, other information, like names and email addresses, might have been exposed. Also hacked was the YouNow video chat site, with 40 million accounts.
If you downloaded Windows 10 apps from developers called DigiDream, 1clean or Findoo from the Microsoft store, you’ve been infected. These apps called Fast-search Lite, Battery Optimizer Tutorials, Downloader for YouTube Videos, FastTube and Findoo are supposed to be utilities like a battery optimization tutorial or help with Internet search. But Symantec says they really take over the processor of your computer and use it to mine for cryptocurrency for someone else. Make sure you delete them. And be careful of downloading apps from unrecognizable companies.
Finally, Myki, which makes a password manager, is warning people about a phony Facebook login scam. You’ll encounter it if you go to a hacked web site — likely one you haven’t been to before — and want to do something like read an article. Up will pop a second window on top of the first saying you need to log in with your Facebook credentials. Actually, it’s a fake to get you to give away your username and password. Sure, the login window has a “facebook.com” address at the top. Don’t be fooled. In fact, one way you can tell a popup window is a fake is by clicking on it and dragging it across your screen to the edge. If the window goes off the screen, it’s a fake. Better yet, always use a password manager, which will read the web address from the first page you go to. If it’s legit the manager will let you log in. And, for extra protection, enroll in two-factor authentication on sites you have to log into. That way if someone has your password they can’t use it without the extra login code you get sent separately.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening on a holiday.