State Farm Insurance issues alert, foul ball at hall of fame and more fake web sites.
Welcome to Cyber Security Today. It’s Friday August 9th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
One of the biggest insurers in the U.S., State Farm Insurance, is resetting passwords of an unknown number of customers after detecting an attempt to break into online accounts. Someone was doing it by using a list of usernames and passwords. It’s called a credential stuffing attack, where the attacker tries hundreds or thousands of stolen usernames and passwords to log in to an account, hoping a victim has used the same password elsewhere. Apparently the attacker tried to get in on eight days last month. State Farm says while some customers’ usernames and passwords were valid for its site, no personal information was viewed.
This kind of attack is another reminder of why you should have a different password for every site you register for. Use a password manager to keep track of them all. If you get a notice from State Farm, the insurer says you should watch your account and credit and debit card accounts for the next two years for suspicious activity.
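Credential stuffing of the kind described above has a recognizable shape in a site's login logs: one client address tries many different usernames in quick succession and almost all of the attempts fail, while the few that succeed are exactly the accounts whose passwords need resetting. The detector below runs over a handful of constructed log lines to show that shape next to two patterns it should not confuse it with, a forgetful legitimate user and a single-account brute-force. This is an added example, not code from the podcast, ITWorldCanada or State Farm; the log format, the addresses (RFC 5737 test ranges) and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample login log (not real State Farm data). Fields are:
# timestamp, client IP, username, result ("OK" or "FAIL").
SAMPLE_LOG = """\
2019-07-02T01:00:01Z 203.0.113.7 alice FAIL
2019-07-02T01:00:02Z 203.0.113.7 bob FAIL
2019-07-02T01:00:02Z 203.0.113.7 carol FAIL
2019-07-02T01:00:03Z 203.0.113.7 dave FAIL
2019-07-02T01:00:04Z 203.0.113.7 erin FAIL
2019-07-02T01:00:04Z 203.0.113.7 frank FAIL
2019-07-02T01:00:05Z 203.0.113.7 grace FAIL
2019-07-02T01:00:06Z 203.0.113.7 heidi OK
2019-07-02T01:00:06Z 203.0.113.7 ivan FAIL
2019-07-02T01:00:07Z 203.0.113.7 judy FAIL
2019-07-02T01:00:08Z 203.0.113.7 mallory FAIL
2019-07-02T01:00:08Z 203.0.113.7 oscar FAIL
2019-07-02T08:15:10Z 198.51.100.5 peggy FAIL
2019-07-02T08:15:31Z 198.51.100.5 peggy FAIL
2019-07-02T08:16:02Z 198.51.100.5 peggy OK
2019-07-02T09:00:00Z 192.0.2.9 bob FAIL
2019-07-02T09:00:01Z 192.0.2.9 bob FAIL
2019-07-02T09:00:02Z 192.0.2.9 bob FAIL
2019-07-02T09:00:03Z 192.0.2.9 bob FAIL
2019-07-02T09:00:04Z 192.0.2.9 bob FAIL
2019-07-02T09:00:05Z 192.0.2.9 bob FAIL
2019-07-02T09:00:06Z 192.0.2.9 bob FAIL
2019-07-02T09:00:07Z 192.0.2.9 bob FAIL
2019-07-02T09:00:08Z 192.0.2.9 bob FAIL
2019-07-02T09:00:09Z 192.0.2.9 bob FAIL
"""


def parse_line(line):
    """Split one log line into its four fields; "OK" marks a successful login."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def summarize_by_ip(lines):
    """Aggregate attempts, failures, distinct usernames and successful
    usernames for each client IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "successes": set()})
    for line in lines:
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"].add(user)
        else:
            s["failures"] += 1
    return stats


def flag_credential_stuffing(lines, min_attempts=10, min_distinct_users=8,
                             min_failure_rate=0.75):
    """Return the IPs whose login pattern looks like credential stuffing.

    The thresholds are assumptions for this example; tune them to real traffic.
    Many attempts against ONE account (brute force) is deliberately not flagged
    here: it has few distinct usernames and calls for a different response
    (lock or rate-limit that account) than stuffing does (reset every account
    that the attacker actually got into).
    """
    findings = []
    for ip, s in summarize_by_ip(lines).items():
        failure_rate = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and failure_rate >= min_failure_rate):
            findings.append({
                "ip": ip,
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "failure_rate": round(failure_rate, 2),
                # Accounts where a stolen username/password pair worked: these
                # are the ones to reset and whose owners need notifying.
                "accounts_to_reset": sorted(s["successes"]),
            })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in flag_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample data only 203.0.113.7 is flagged: twelve attempts against twelve different usernames with one success, so "heidi" is the account to reset. The legitimate user on 198.51.100.5 never reaches the attempt threshold, and the brute-force source 192.0.2.9 fails every time but only ever tries "bob", so it is left to a separate lockout or rate-limit rule. In production the same aggregation is usually done per IP and per autonomous system over a sliding window, because stuffing tools spread attempts across proxy pools.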
The National Baseball Hall of Fame reports its web site was hacked sometime between last November 15th and May 14th of this year. Anyone who made purchases during that period likely had their credit card information and personal information stolen. The attacker did it by fooling around with the Hall’s web page to capture information as it was filled in.
One of the problems with the Internet is it’s still too easy for criminals to create phony Web sites that look like real ones. You log in and boom — you’ve given away sensitive information. News about the latest attempts at doing this comes from researchers at a security firm called Domain Tools. It discovered phony sites like “walmartcareers.us” and “mcdonaldcareer.us.” They have branding that makes them look like real company career sites. They invite you to submit resumes with personal information. And it’s not just big-name companies that are copied. There’s a phony site called “cashgiftcards.us”, where you’d get suckered if you used a credit card to buy a gift card; and a site called “captainmarvelmovie.us” which allegedly sells Marvel superhero movies. Domain Tools found 540 phony web sites including career sites, dating and movie/TV sites. They may be tied to the same criminal or group, who may be hoping people will come across them through Internet searches or may be sending out phishing texts or email.
What can you do? Verify a site is real before filling out your password and personal information by checking the web site address. If the home page of Walmart is Walmart.com, why would it have a “walmartcareers.us” page? When in doubt, ask knowledgeable friends or family if a site looks legit. And remember, if a deal seems to be too good, it probably is.
As for companies, always watch for sites trying to spoof your brand and be ready to take action by notifying Internet registries and alerting the public.
Finally, privacy problems with another dating service have been discovered. This time it’s a site called 3Fun. According to a security company called Pen Test Partners, the 3Fun app gave a smart hacker people’s location, saved photos and personal information. The company was notified July 1 and the vulnerabilities have apparently been fixed. But that won’t help 3Fun users who might have been hacked before that.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.