More websites infected, mobile threats to companies and an email delivery scam
Welcome to Cyber Security Today. It’s Monday March 18th. I’m Howard Solomon, contributing reporter on cyber security and privacy for ITWorldCanda.com. To hear the podcast, click on the arrow below:
I talked earlier this week about the risks of credit card skimming in the United States because some merchants have old card readers that force customers swipe their cards, even if the cards have security chips. Well, there are other ways criminals sweep up credit card data — by infecting retail web sites where people enter their credit cards. Last week a Russian cyber security company called Group IB said it found seven companies with compromised web sites, including British sportswear company FILA. It estimated at least 5,600 shoppers had payment and personal information stolen from that site alone. U.S. victim firms included Jungle Lee, Forshow, Absolute New York, Safe Harbor Computers, GetRXd and Cajun Grocer. One way these companies may have been hacked is through the e-commerce platform they use, or by hacking the website administrator’s username and password. Whatever the explanation, company security teams have to do a better job of protecting business websites.
Experts regularly urge companies to tighten security around their email and websites, which are regular ways criminals break into databases to steal information. But a report this month from Verizon is a reminder that mobile devices of employees have to be secured as well or they can be used as an access point. The report notes that in a survey the number of firms admitting that they’d suffered a compromise in which a mobile device played a role went up from 27 per cent in the 2017 to 33 per cent last year. Problems include employees clicking on bad links in email on mobile devices, ignoring security rules by going to risky web sites or not encrypting data, downloading unapproved apps, using easily hacked public Wi-Fi and losing a device that isn’t password protected. What should companies do? First, they need to create policies employees have to follow for logging into the company with mobile devices, and where they can go on the Internet with a mobile device used for business purposes. Policies may also limit what data mobile devices can access. They need to train staff to be smarter, to be more security-aware. They also need to consider buying mobile device management software, which ensures employees connecting to the company have devices that are patched and are password protected.
China will “never” ask its firms to spy on other nations, the country’s premier said Friday, according to Agence France Press. That is not in accordance with Chinese law, he told reporters. This comes as the United States continues to press its allies not to allow Chinese telecom equipment into their upcoming fast 5G cellular networks. Canada is among the countries considering such a ban. The government hasn’t made a decision yet. Complicating things is that Canada has arrested the chief financial officer of Chinese equipment maker Huawei pending an extradition hearing to the U.S. on allegations Huawei tried to get around U.S. trade sanctions against Iran. Last week Huawei pleaded not guilty to that and other charges.
An old email package delivery scam to get you to click on a link has resurfaced. This time attackers are sending messages pretending to be from DHL Express with a subject line like “Urgent delivery.” The message says there’s a package coming to you. Attached is what is supposed to be an invoice. Click on it and you get infected by ransomware. Don’t be fooled.
Finally, recently I told you about a serious bug in a Windows file compression utility called WinRAR (Win-RAR). This is just another reminder to users of this application to make sure you update it. WinRAR does NOT automatically update. There are reports that hackers are now exploiting this hole, so make sure it’s plugged.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.