By Lauren Morley on May 30, 2018 2:01:08 PM
New cybersecurity threats like phishing attacks, ransomware, and scams are always popping up. Stay up to date on the latest widespread threats and protection methods in our recurring series.
Fake General Data Protection Regulation (GDPR) phishing emails
The European Union recently enacted the General Data Protection Regulation (GDPR), a set of laws governing the collection, handling, and use of consumer data. It went into effect on May 25, and businesses have been sending emails to their customers and subscribers notifying them of the changes. This has given attackers an opportunity to send fake emails impersonating these companies in an attempt to scam end users and steal account credentials.
Two companies that have already caught people impersonating them and trying to take advantage of the slew of GDPR emails are Airbnb and Apple.
"'On April 30, we detected a new Apple ID phishing scam using a known social engineering tactic — threatening to suspend a service to pressure users into divulging personal details,' wrote Trend Micro researchers in a blog post about the scam last week. 'Multisite login details, like an Apple ID and corresponding password, are valuable because they can give an attacker access to all the applications linked to that account.'
The phishing email purports to be a legitimate email from Apple. The email notifies victims that their Apple account has been 'limited' due to unusual activity and urges them to update their payment details via a link. The link opens to a fake Apple website that looked like the legitimate website in most respects – even containing the same background image as the real Apple site – but with a different URL.... From there, users were prompted to enter their Apple IDs and passwords. When users put in their information, the website offers a standard message telling them their account has been locked, and offering a button to unlock it.
The 'Unlock Account Now' button is linked to a malicious site that collects user data. This site asks for a slew of personal information like name, date of birth, address, and credit card details... After all personal and account information fields were filled in, the site informed victims they would be logged out for security reasons and forwarded the user to the legitimate Apple website."
What to do: As we always recommend, never click the links in emails like this! If you receive an email from Apple, Airbnb, or any company asking you to click a link in the email, we say it's better to be safe than sorry. Instead of clicking the email link, go to the website yourself and check any notifications. If your account truly has been compromised or needs you to update information, it will tell you when you log in!
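The quoted report notes that the fake site matched Apple's in appearance but not in URL. As an added example (not from the original post or from Trend Micro), the Python below shows how a mail filter or help desk script could check whether a link's host really belongs to an expected domain; the trusted-domain list, the function name and all sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains the organisation treats as genuine for this brand.
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}

def link_verdict(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a link that claims to belong to a trusted brand."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable url"
    if parts.scheme != "https":
        return False, "not https"
    # "https://apple.com@other.example/" shows the brand but connects elsewhere.
    if parts.username or parts.password:
        return False, "userinfo before host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Look-alike characters reach the wire as non-ASCII or xn-- (punycode) labels.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "non-ascii or punycode host"
    # Match the whole host or a dot-separated suffix, never a bare substring.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, "host is " + domain + " or a subdomain"
    return False, "host is not a trusted domain"

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://appleid.apple.com/account/manage",
    "https://apple.com.account-verify.example/login",
    "https://apple.com@login.example/unlock",
    "http://appleid.apple.com/",
    "https://notapple.com/",
    "https://xn--pple-43d.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = link_verdict(link)
        print(("PASS" if ok else "FLAG"), link, "-", reason)
```

A pass here only means the host is where it claims to be; typing the address yourself, as recommended above, remains the safer habit.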
"Rules of Conduct" Office 365 phishing email
"A new phishing email scam is under way that pretends to be from a company's human resources (HR) department and requests that the recipient read and acknowledge an attached 'Rules of Conduct' document. This document, though, prompts you to login at a fake Office 365 login prompt, which is used to steal your credentials.
This email will be from 'H.R Dept' and have a subject line of 'Rules of Conduct'..." (Bleeping Computer)
Attached to the email is a PDF. If opened, it will prompt you to go to a fake Office 365 login page and enter your credentials for the scammer to steal.
What to do: This email seems specific to Office 365, and the same rule as above applies. If you see this email, do not click or open anything, and report it to your IT administrator.
Twitter data storage bug
Twitter asked its 300 million users to change their passwords after it was discovered that a bug in its system was storing user passwords in plain text. Twitter has not discovered any evidence of a breach or misuse of this data, but recommended the password change as a precaution.
What to do: If you have a Twitter account and haven't already, change your password! Twitter also recommended enabling two-factor authentication/login verification on your account for added security.
VPNFilter router malware
While we usually only think about protecting ourselves from computer or phone viruses, routers have been seeing more action lately.
"VPNFilter is a new type of malware designed specifically to target internet routers. It’s capable of collecting communication information from your router, attacking other computers, and destroying your device remotely. According to Cisco, the malware has already infected over 500,000 routers around the world.
Not all routers are susceptible to VPNFilter, but a few of the major brands are at risk. Here’s the full list of devices (via Ars Technica):
- Linksys E1200
- Linksys E2500
- Linksys WRVS4400N
- Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
- Netgear DGN2200
- Netgear R6400
- Netgear R7000
- Netgear R8000
- Netgear WNR1000
- Netgear WNR2000
- QNAP TS251
- QNAP TS439 Pro
- Other QNAP NAS devices running QTS software
- TP-Link R600VPN" (Lifehacker)
What to do: There is no easy way to check if your router is infected, unfortunately. If your router is on the list of susceptible models, it's better to be on the safe side. The only known way to remove the malware is to perform a factory reset. This usually involves pressing the power button for 5-10 seconds, but you should double check the function for your specific model. If you can't or don't want to perform a factory reset, which can wipe settings, you can also simply reboot the router. It won't completely wipe the malware, but it will set it back to its original stage.
Once the malware is taken care of, you can prevent infections in the future by ensuring your router's firmware is updated, changing its password, and making sure remote management is turned off in the settings. This will block hackers from trying to remotely control your router.
Nigelthorn/Nigelify Google Chrome extension malware
"A new strain of malware, dubbed Nigelthorn malware because it abuses a Google Chrome extension called Nigelify, has already infected over 100,000 systems in 100 countries, most of them in the Philippines, Venezuela, and Ecuador (Over 75%).
The new malware family is capable of credential theft, cryptomining, click fraud, and other malicious activities...
The Nigelthorn malware is spreading through links on Facebook; victims are redirected to a fake YouTube page that asks them to download and install a Chrome extension to play the video. Once the victims accepted the installation, the malicious extension will be added to their browser." (Security Affairs)
What to do: Be wary of Facebook links, and do not enter your social media credentials on any site that looks fishy. Take the time to examine the URL of any pages Facebook takes you to, and never install Chrome extensions you're not 100% sure about.
If you need some extra help identifying or protecting against any of these or other cybersecurity threats, let us know!