Sunday, April 29, 2018

Why we all need to stop responding to online quizzes and personal surveys

The Internet has become a massive data aggregation tool, providing entire lifestyle and consumer profiles about people to a host of anonymous entities. If you participate in social media tools like Facebook, your life's details are not only being harvested by marketing firms but by hackers as well.

Many social media sites offer up seemingly harmless quizzes and games that serve up questions urging you to reminisce about specific areas of your past, like "What was your first job?" You can substitute the word "job" with a host of other words—like pet, car, school name, etc.

Other questions might be, "What was your favorite teacher's name?" Again, you can substitute a number of words for teacher—like movie, book, school mascot, etc.

These questions are no different from the secret questions that you use online to reset a lost password or unlock an account. By sharing the answers with anonymous sources you are giving away the keys to unlocking your online accounts.

Although most people won't give away this kind of information, you'd be surprised at how many do. Whether you think you trust the source or not, always avoid answering questions like these in chain emails and social media "quizzes" and surveys.

Also, when configuring your secret questions and answers for unlocking online accounts, be sure to use information that is not readily available through your online persona.

For more information, see Brian Krebs' posting entitled Don't give away historic details about yourself at https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/.

Sunday, April 22, 2018

New active shooter "emergency scare" phishing scam at college

Here is a scheme for college students to be aware of. A community college in Florida fell victim to a fake campus-wide security alert that awkwardly announced an "emergency scare" by email to students. Even though this hit just one school, it paves the way for more scams like it. And scams like this can lead to panic, a flood of calls to 911, and other harm.

KnowBe4, the organization that posted info about this scam, warns college students to be on the lookout for these potential variations in the subject line of the phishing email:
  • IT DESK: Security Alert Reported on Campus
  • IT DESK: Campus Emergency Scare
  • IT DESK: Security Concern on Campus Earlier
If you click the links in the message, you're asked to enter your Microsoft online account credentials, which the bad guys then steal from you.

Always, always be wary of any unexpected email that leads you to provide a user name and password. If you do inadvertently click such a link, look at the full web site URL in the address bar of your browser before typing anything. In this case, if the URL doesn't have "microsoft.com" in it, then you know it's a fake.

In fact, it is best to always check the URL before typing in your credentials anywhere on the world wide web. Is the domain name correct? Is the prefix "HTTPS" (not "HTTP"), which shows you that the information you type is encrypted on its way to the site? If not, leave that site without interacting with it.

For the story, see http://www.prweb.com/releases/2018/04/prweb15410086.htm.

Saturday, April 7, 2018

The latest domain name scam involves changing .com to .cm in a web address in order to fool unsuspecting victims into clicking a link to a nefarious web site that looks a lot like the real thing.

Domain names are used to identify web pages on the Internet. In a web page address (also known as a "URL," for uniform resource locator), the domain name identifies the realm of the administrative authority that controls the domain.

For example, in the URL https://support.microsoft.com/en-us, the domain name is microsoft.com. The suffix of the domain indicates which top-level domain it belongs to. Common suffixes (sometimes called domain extensions) are .com, .edu, .net, .org, .gov, .mil, .biz, .info and .us.

Some other domain names are facebook.com, villanova.edu, billygraham.org, fdic.gov and navy.mil. Here's another: parliament.uk. For this one, the domain name extension is ".uk," which is the country code for the United Kingdom.

Anyone can register a domain name for an annual fee.

With this particular ".cm" ruse, someone registers a trusted name using the .cm extension. In actuality, .cm represents the country Cameroon. But, as we said, anyone can buy a domain name, provided it's not already taken.

Say I was quick on the draw and registered facebook.cm before Mark Zuckerberg thought to reserve it. If I was a bad guy, I could then stand up a web server at facebook.cm and use it to mine bitcoin, store porn or serve up malware, you name it. Then I could buy a spam email list on the dark web and send tens of thousands of phishing emails pointing to a web page on my facebook.cm server. I can guarantee you that a certain percentage of those recipients would take the bait and click that malicious link. It looks too much like the real thing.

Never click links in unexpected emails. Personally, I treat every link as suspicious. To protect yourself, before you click any link, hover over it with your mouse pointer to view the real URL behind the text. Scrutinize the domain name. Is it a domain you trust? Is it spelled properly? When in doubt, don't click. The safest route to a web site is to type the address into your browser address bar yourself, then store it as a bookmark.
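The link checks described in the two posts above (the "is microsoft.com in the URL" test, the HTTPS test, and scrutinizing the domain for a .cm lookalike), as an added Python example that is not part of the original blog. The suffix list and the trusted-domain list are constructed stand-ins for this example; a real checker would use the Public Suffix List and your own allowlist.

```python
"""Added example: classify links from a suspicious message the way a careful
reader would by eye, but on the parsed host name rather than by eyeballing.
It flags a trusted brand under a different top-level domain (facebook.cm
instead of facebook.com), a trusted domain buried in a subdomain or path of
some other host (microsoft.com.example-login.net), and plain http."""
from urllib.parse import urlsplit

# Constructed stand-ins for the example: a short suffix list taken from the
# extensions the post mentions, plus a tiny allowlist of trusted domains.
KNOWN_SUFFIXES = {"com", "edu", "net", "org", "gov", "mil", "biz", "info",
                  "us", "uk", "cm"}
TRUSTED_DOMAINS = {"microsoft.com", "facebook.com", "krebsonsecurity.com"}


def registrable_domain(host):
    """Return 'name.suffix' for a host such as support.microsoft.com, or None
    when the suffix is not one we know (a real check uses the Public Suffix
    List, so that names like bbc.co.uk come out right)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] not in KNOWN_SUFFIXES:
        return None
    return ".".join(labels[-2:])


def check_link(url):
    """Return the list of problems found with one URL; an empty list means the
    link points at a trusted domain over https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return problems
    # Same brand name, different top-level domain: the .cm ruse.
    brand = domain.split(".")[0] if domain else None
    trusted_brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if brand in trusted_brands:
        problems.append("lookalike domain %s" % domain)
    # A naive "is microsoft.com in the URL" test passes these; a host check does not.
    elif any(t in host or t in parts.path for t in TRUSTED_DOMAINS):
        problems.append("trusted name used as subdomain or path")
    else:
        problems.append("untrusted domain %s" % (domain or host))
    return problems


if __name__ == "__main__":
    # Constructed sample links, not taken from any real phishing message.
    for link in ("https://support.microsoft.com/en-us", "https://www.facebook.cm/login",
                 "https://microsoft.com.example-login.net/signin", "http://www.facebook.com/"):
        print(link, "->", check_link(link) or ["ok"])
```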

For details, see Brian Krebs' article at https://krebsonsecurity.com/2018/04/dot-cm-typosquatting-sites-visited-12m-times-so-far-in-2018/.