Beware of links to malware in SMS texts, the Reddit breach shows it's time for web sites to stop using SMS for two-factor authentication, and an animation in a package delivery scam means trouble.
Welcome to Cyber Security Today. It's Friday August 3rd.
Today I'm going to talk a bit about the risks of text messages on mobile devices. Also called SMS messages, they're a great way to save data charges when messaging people. They're also a great way for scammers to trick you into being attacked. Here's how it works: You get a text. The message says something like 'We removed abusive content from your Facebook account. Visit this site.' It includes a URL that seems to be from Facebook. If you click on the link, a login page that looks like Facebook appears. If you sign in, you've given the attacker your username and password. Always be careful when people send you links, either on your mobile device or desktop computer, whether it's by email or text. And be very suspicious if you get asked to log into a site after clicking on a link. My thanks to the SANS Institute for this tip.
Text messaging is also used by some web sites for what's called two-factor authentication of logins. You try to sign in from a device the site isn't familiar with, and the site texts you a four-digit code to confirm you're who you say you are. Unfortunately, the SMS text messaging system, which is run by cell phone companies, isn't as secure as it should be. Reddit found that out when it recently discovered some of its systems had been hacked, an event it admitted to this week. The attacker got in by intercepting the SMS confirmation code texted to a Reddit employee. Reddit has now changed its two-factor security system to require staff and subscribers to use an authentication app, like Google Authenticator, to generate confirmation numbers. So the confirmation code appears in the app on your device instead of arriving over the phone network. You should check with the sites you use to see if they offer this option. If not, see if the site offers another way of confirmation other than text. For example, some sites will phone a user, with an automated voice reading off the code. Certainly you should urge sites you use to stop using text messaging for two-factor authentication.
Finally, another tip from the SANS Institute: Malware buried in email doesn't always look like a Microsoft Word attachment. A recent example is a common scam, an email from a package delivery company claiming a package is ready for you to pick up. Just click on the link to track your package. If you click, a zipped file appears. If you open a file inside it called 'Arrival notification,' an animation pops up. In this case it looks like a dancing dinosaur. Don't laugh. You've been hacked. In one case the malware will copy down anything you type, like passwords. Or it could be another type of malware. So again, read your email and text messages s-l-o-w-l-y. And think before you click on a link.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening.