Scam Of The Week: Facebook Dislike Button
| At a Sept 15, 2015 Town Hall Q&A session at Facebook headquarters, Zuckerberg mentioned that for years users had been asking about a 'dislike button', and that Facebook was finally working on such an option. He went on to clarify that this would not be a "downvote" for a post, but more meant to communicate empathy in the case of bad news.
Well, scammers all over the Internet jumped on this like flies on manure, and came out with a multitude of scenarios trying to lure users to "get the new dislike button" in their profile. Over the years there have been a multitude of similar scams.
End-users falling for these attacks wind up giving out confidential information, install malware on their machine, install rogue browser plugins and/or get inundated with unwanted phone calls, emails and snail mail trying to sell them various products. I suggest you send your users, friends and family something like the following. Feel free to copy/paste/edit:
"Facebook's CEO Zuckerberg recently answered a question about a "dislike" button in a forum. Did he promise one? Not really. They are working on a button you can click to show empathy if someone posts some bad news.
In the mean time, Internet lowlifes have jumped on this and are sending people phishing emails with the false promise they can get the new 'dislike' button in their profile. But if you click on any of these links, you may be tricked in giving out personal information, install malware on your computer or be spammed to death with all kinds of offers.
If you see any email, message, or posting about a Facebook dislike button, know this is almost certainly a scam. Click on nothing, do not open any attachment, do not fill out any forms and do not forward this to your friends and/or Facebook groups. Remember: 'If in doubt, throw it out!'"
If you are a KnowBe4 customer, you can use a new phishing template from the Current Events campaign to inoculate your users on Monday. If you aren't a customer yet, find out how affordable this is for your organization and be pleasantly surprised:
3 Major Data Breaches Last Week - Don't Be That Guy
|Last week, three high-profile data breaches hit the news, compromising personal and sensitive details of millions of people; telecom giant T-Mobile, crowdfunding website Patreon, and US brokerage firm Scottrade.
In T-Mobile's case, its credit application processor Experian was hacked, exposing sensitive details of 15 Million people who applied for T-mobile's service in the past two years; data like home address, birth date, driver's license number, passport number, military I.D.'s, SSN# and more.
Here's the rub, organizations generally have a standardized image for their machines, and replicate that hundreds (or thousands) of times. If one server was hacked, there is a high certainty all others have or had the same vulnerability. Expect more Experian customer hacks.
Patreon CEO Jack Conte confirmed that the crowdfunding firm had been hacked and that the personal data of its users had been accessed. No credit card or debit card numbers were stolen in the data breach, and "all passwords, social security numbers, and tax form information" were properly encrypted. However, the company still suggests all its customers to change their passwords as a precaution. This is a good idea, and never use the same password over a number of websites.
Online discount brokerage Scottrade suffered a data breach affecting 4.6 Million customers. They were oblivious until the Feds showed up. The company announced on its website that hackers managed to access one of its servers in late 2013 and early 2014. Other sensitive information, including email addresses and SSN#, were also stored in the hacked system, but the company believes that this information has not been compromised.
"We have no reason to believe that Scottrade's trading platforms or any client funds were compromised," the company's statement reads. "Client passwords remained fully encrypted at all times, and we have not seen any indication of fraudulent activity as a result of this incident." Scottrade is also offering a year of free identity theft protection services as a precaution to its 4.3 Million affected customers.
It is believed that Scottrade's crown jewels were stolen to enable stock "Pump & Dump" scams, so if you are in the market, be careful and do not fall for stock offers that seem too good to be true. At this point in time, about all financial and confidential information of every family in the U.S. has been stolen at least once.
Literally everyone needs to be on the lookout for spear phishing attacks and ID Theft. It makes sense to freeze your account to make sure no car loans, mortgages and credit card applications are made in your name. Law Enforcement is overwhelmed and are not interested in any crime less than a million dollars. At the same time, top hackers in Eastern Europe are paid a million dollars a year for their criminal "services". Here is how to freeze your credit:
|"A dream you dream alone is only a dream. A dream you dream together is reality."
- John Lennon
"The world needs dreamers and the world needs doers. But above all, the world needs dreamers who do." - Sarah Ban Breathnach
|Thanks for reading CyberheistNews
This Week's Five Most Popular HackBusters Posts
FOX TV Drops By And Tells The Story Of The Scammer Who Got Phished Back
|This is what they wrote on their website, and I have a link to the segment itself at the end:
"TAMPA BAY (FOX 13) - A cyber hacker gets scammed when he targeted a Clearwater cyber security firm. KnowBe4 trains corporate clients on defending against "phishing attacks", a term for using realistic-looking but fake emails for illicit gain.
"That's the fellow standing there" comptroller Alanna Cormier told FOX 13 News, pointing to a co-worker 30 feet away, across an open office space. When she asked him about the email, "I said hold on a second - maybe this is the real deal" CTO Alin Irimie said, "We deal with this situation all the time - the CEO fraud."
KnowBe4 CEO and founder, Stu Sjouwerman, made the next executive decision. "We decided to have some fun and to see if we could trick the bad guy into clicking on a phishing link that we would send him" he explained. Here is the 3-minute segment. Enjoy:
It's Cyber Security Awareness Month. Set A Good Example.
|It's a good idea if you are at the top of an organization to set a good example. If you are a C-Level exec, you are a target for both criminal hackers that are after your corporate credentials so they can get into your bank accounts, and for state-sponsored advanced persistent threats like the Chinese cyber army who are trying to get your company's intellectual property.
It is a good idea, especially in politics, to apply the policy of setting a good example, because if you don't the fallout can be severe. Here is a well-documented example of a politician not following their department policy of taking regular security awareness training courses, and I am sure she is not the only one:
SEC Fines Investment Adviser 75,000 Dollars For Hacked Webserver
|The Securities and Exchange Commission today announced that a St. Louis-based investment adviser has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
The federal securities law require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. An SEC investigation found that R.T. Jones Capital Equities Management violated this “safeguards rule” during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access. SEC Press Release here:
You may have missed that recently the FTC started to throw it's weight around and started suing organizations that employ poor IT security practices. Here is a blog post with the story of Wyndham Hotels who is being sued by the FTC:
Fixing the #1 Problem in Computer Security: A Data-Driven Defense
|This is a great whitepaper you can download for free at Microsoft written by IT Security Guru Roger Grimes. Here is the Executive Summary.
"Many companies do not appropriately align computer security defenses with the threats that pose the greatest risk to their environment. The growing number of ever-evolving threats has made it more difficult for organizations to identify and appropriately rank the risk of all threats. This leads to inefficient and often ineffective application of security controls.
The implementation weaknesses described in this white paper are common to most organizations, and point to limitations in traditional modeling of and response to threats to computer security. Most of the problems occur due to ranking risk inappropriately, poor communications, and uncoordinated, slow, ineffectual responses.
This paper proposes a framework that can help organizations more efficiently allocate defensive resources against the most likely threats to reduce risk. This new data-driven plan for defending computer security follows these steps:
The outcome is a more efficient appropriation of defensive resources with measurably lower risk. The measure of success of a data - and relevancy-driven computer security defense is fewer high-risk compromises and faster responses to successful compromises.
- Collect better and localized threat intelligence
- Rank risk appropriately
- Create a communications plan that efficiently conveys the greatest risk threats to everyone in the organization
- Define and collect metrics
- Define and select defenses ranked by risk
- Review and improve the defense plan as needed
If such a defense is implemented correctly, defenders will focus on the most critical initial-compromise exploits that harm their company the most in a given time period. It will efficiently reduce risk the fastest of any defense strategy, and appropriately align resources. And when the next attack vector cycle begins, the company can recognize it earlier, respond more quickly, and reduce damage faster.
Grimes mentions end-user education as one of the top things any company can do. Here is the download, a "Stu's Warmly Recommended":
This Week's Links We Like. Tips, Hints And Fun Stuff.