Gmail Calendar scam, replace these Yubikeys and who’s real on LinkedIn?
Welcome to Cyber Security Today. It’s Monday, June 17th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
A phony link in an email is a common way people become victims of scams, but criminals have found a new one: Tricking people into clicking on links in a Google Calendar notification. It takes advantage of the fact that lots of people use Gmail, particularly because it’s free. According to security company Kaspersky, it works like this: A victim gets a popup Calendar notification. They probably weren’t expecting it. Being curious, they click on the link in the notification. In many cases it goes to a web site with a questionnaire and the promise of prize money if it’s filled out. But you have to enter your name, credit card number and phone number. This is obviously a scam. However, Kaspersky notes criminals trying this tactic will learn to try less obvious ways to trick victims.
How can you avoid being hit? Turn off the ability for Calendar to automatically add invitations. Open Google Calendar, click on the settings or Gear icon, then click on Event Settings. There’s an option for “automatically add invitations” and a drop-down menu. Click “No, only show invitations to which I’ve responded.” Below that in the View Options section, make sure “Show declined events” is NOT checked.
Have you met Katie Jones? She’s a stunning redhead who, according to her LinkedIn page, knows a lot of important people in the Washington area. She’d probably want to be added to your network. She might have even asked you to join her network. One of those who admits he carelessly accepts invites to join online networks, including one from Katie Jones, is a former deputy director of President Donald Trump’s domestic policy council. Except according to the Associated Press, she doesn’t exist. Her picture is phony. Her profile is phony. Experts told the news agency her LinkedIn page probably was created by the intelligence agency of some country trying to lure people into making contact. Then they might use people unwittingly for intelligence, or recruit or blackmail them into spying.
People also create phony LinkedIn pages to trick employees into becoming friends. A few years ago I wrote a story about a security company that did a test to see how many people would fall for this. It created phony LinkedIn and Facebook pages for a supposedly new employee at an organization. It didn’t take long for staffers to discover the new hire online and make online friends with her. One even introduced her online to the company IT department so she could get a free company laptop and password to get on the company network. That would have been ideal for an attacker. So the lesson is anyone can be anybody on the Internet. Life isn’t about building the biggest online network. Think carefully before joining a network or friending a stranger online. As LinkedIn told the news agency, “We recommend you connect with people you know and trust, not just anyone.”
I often talk about the need for people to turn on two-factor or multi-factor authentication if they can for email, bank and other major applications. There are two types: One sends a message to a phone with a four- or six-digit code to enter in addition to your username and password. The other uses a physical device called a security key that slides into the USB slot in a computer to verify ID. A few weeks ago I told you that Google’s Titan key had to be recalled because of a flaw. Now the company that makes the Yubikey device has to replace some of its FIPS keys because of a bug. Users of this device should check the Yubico web site to see if their key needs to be replaced.
Finally, those of you who use the Thunderbird email client for your mail should update to the latest version, which was released last week. It fixes three high severity bugs.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.