A hacker is trying to trick the U.S. telecom regulator, WhatsApp gets to see Pegasus code and more.
Welcome to Cyber Security Today. It’s Monday, March 4th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
Threat actors have been impersonating IT support staff to sucker people for years. According to researchers at Lookout, the latest version of this scam is aimed at employees of the U.S. Federal Communications Commission and at the cryptocurrency exchanges Binance and Coinbase. The goal is to trick staff into giving up their login credentials. It works like this: An employee would get a phone call or text supposedly from the company IT support staff saying their email account had been hacked. The employee would then be sent a text to their smartphone with a link that’s supposed to help them regain access to their account. What the employees would see is a fake login page created by a newly-discovered phishing kit that impersonates the single-sign-on services of Gmail, iCloud, Okta, Outlook, Twitter, Yahoo and AOL.
Employees need to be reminded of the dangers of taking for granted phone calls, texts or emails claiming to be from IT support — especially if they get links to supposed company login pages sent to their smartphones. Smartphones don’t always show the full address of a link, which makes it harder for users to spot something suspicious. Staff need to be reminded that just because part of a link includes a company’s name doesn’t mean its legit.
A Washington State radiology clinic is notifying over 235,000 people of a data theft. Yakima Valley Radiology says it learned in August of a theft of data from its systems including names and social security numbers.
Two American insurance companies are warning over 28,000 people of a theft of data from its third-party information processor. Fidelity Life Insurance and Empire Fidelity Investments Life Insurance are sending letters to people about the incident. The data was stolen last fall from Infosys McCamish Systems, which processes services for deferred compensation plans. Last month Infosys McCamish notified over 57,000 people of the data breach, including people with the Bank of America.
An Asian telecom manufacturer that routes millions of SMS text messages a day — including multifactor authentication codes — left a database with that sensitive information open for anyone who knew how to find it. According to TechCrunch, a security researcher found the database and needed the news service’s help to find the company that owned it. Public access to the database belonging to YX International has now been blocked.
WhatsApp and its parent Meta may get a look into the innards of the Pegasus commercial spyware, which has been sold to and abused by some government and law enforcement agencies around the world. WhatsApp is suing Pegasus developer NSO Group, alleging the spyware was used against 1,400 WhatsApp users for two weeks in 2019. A judge has ordered the company to hand over versions of Pegasus that would have been running in and around 2019. Commercial spyware works by exploiting vulnerabilities that application developers don’t know about.
To meet the shortage of IT workers with cybersecurity expertise colleges and universities are increasingly offering courses for students. But what should be in a course? The U.S. Cybersecurity and Infrastructure Security Agency has advice. It’s contained in a new publication called a Resource Guide for Cybersecurity Clinics. It has links to agency resources like its guidance for small businesses, how to create cybersecurity performance goals, how to create incident plans and more. The guide could also be useful to companies that want to create a cybersecurity training course — and IT leaders who don’t know how to create a cybersecurity strategy.
Finally, if you’re looking for a wireless doorbell camera to improve home security, buy one that can’t be hacked. Consumer Reports says many retailers like Walmart and Sears, and online marketplaces like Amazon, Shein and Temu, may be selling camera doorbells that could allow someone to know when you’re not home, or let them harass or threaten you. They can do it by capturing the WiFi video stream. The publication warns about devices with brand names of Eken, Fishbot, Rakeblue and Tuck. Any so-called smart devices that connects to your home internet network with a smartphone app — especially if it has a camera or a microphone — must have protection against being hacked. Do your research before buying.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
