New email phishing campaign tries to steal Office365 credentials, lessons from Canada credit union data theft and more
Welcome to Cyber Security Today. It’s Wednesday, December 16th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A new spearphishing email campaign has been detected aimed at stealing login usernames and passwords of users of Microsoft Office 365. According to a firm called Abnormal Security, victims get personalized email from impersonated business such as eFax. The message may claim to be an electronic fax and ask the recipient to click on a link, which takes them to a fake login page. What makes victims fall for the scam is that the sender’s email is real because it uses a compromised account. Individuals and threat intelligence software may be fooled by messages that come from a known account. What is worrisome is that some employees are ignoring security software warnings about these messages that prevent them from being opened. Stubborn employees are forwarding the message to their personal email accounts to open the message there. People using any email platform should be wary about messages that ask them to log into an application page after clicking on a link.
Cyber crooks don’t always want to steal data. Some want to make money by forcing you to see online ads you don’t want. Crooks then get money from advertising networks. Microsoft this week outlined one of the latest scams: Infecting your browser so when you do an online search phony or malicious websites are at the top of the list. Crooks hope you will click on one of the links. You get infected by going to a bad website. Typically these are porn sites, gambling sites, or fake online retail stores. This tactic isn’t new. What is new is that a recent strain of malware behind one campaign affects not just one but four browsers: Google Chrome, Microsoft Edge, Yandex Browser and Mozilla Firefox. Between May and September researchers found hundreds of thousands of infected browsers and websites. The malware may not only modify your browser. It may also steal passwords. If you find something suspicious about the search results you get with a browser, delete it and install a new version.
A report this week by the Privacy Commissioner of Canada into the theft of data on almost 10 million people by an employee at the Desjardin credit union holds several lessons for organizations. One is if management has identified security risks that can be lowered by buying technology, get it done fast. The thief in this case might have been caught if planned security software had been installed faster. The other lesson is that the data storage practices of employees have to be watched carefully. Here the credit union’s marketing department, which had permission to access to confidential personal information of account holders, copied data to a shared folder. Presumably it was done so they could use the data for marketing financial products to customers. The problem was that in defiance of company rules that shared folder was open to all in the marketing department. It was supposed to be held in a limited access folder. The rogue employee was able to copy the data onto a USB memory stick and take it out of the company, where it was allegedly sold.
On my Friday afternoon Week In Review podcast guest analyst Terry Cutler and I will have more to say about this report.
Some online retailers are getting the message about cybersecurity. According to a study of 203 security professionals in the retail industry by a security vendor called Tripwire, 78 per cent of respondents said their firm had taken additional cyber precautions for this year’s holiday shopping. Just over 60 per cent of respondents thought their firm’s ability to detect and respond to a cybersecurity incident had improved over last year. On the other hand only one-third called ranked their company’s data protection capabilities as “excellent.”
Meanwhile alarming news about the lack of data protection in the medical sector. A cybersecurity firm called CybelAngel says it found more than 45 million x-ray, CT scans and other medical image files on unprotected servers around the world. These are stored using a common medical image management standard called DICOM. What makes this worrisome is that medical images have personal information about patients. The report suggests many labs and clinics aren’t safely protecting this data.
Starting this week users of iPhones and iPads will notice something different when they download or update an app from the Apple App Store: A number of the apps have a privacy label. The labels briefly explain what data the app collects and shares. Over time all apps will have the labels. The idea is to help users understand what’s going on under the covers. If they don’t like what an app collects, it won’t be chosen. Presumably app developers will get the message.
By the way, iPhone and iPad users should note there are new security patches available for your devices. Check to see if they’ve been automatically downloaded.
That’s it for now. Details about these stories can be found in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.