Sunday, November 29, 2020

Why you should be picky about allowing website notifications

Most websites run on advertising income, and websites can initiate connections to your own computer from other Internet nodes through links, clickable images and push notifications that serve up ads or other content.

Be wary of which sites you allow to send push notifications to your computer because these can also be used by nefarious entities to deliver fraudulent notifications. Fake notifications can serve up scareware that prompts you to install software to correct a "security risk" or click links to malicious websites that then deliver dangerous payloads to your computer.

Here is an example of an Adweek request, prompting to allow or block notifications:


The top level domain that delivered this prompt is adweek.com, as is visible in the URL.  

If I select Allow, my computer would then be able to receive connections directly from adweek.com servers, completely outside of my browser, and with blanket permission to allow these external connections to my Windows or Mac desktop at any time. 

Another problem that arises from allowing notifications is the potential difficulty you may have in discerning a legitimate notification (generated by your operating system) from a third-party notification. 

For many years it's been a security habit of mine to choose Block on every such request. You can change your selection for each request—depending upon how much you trust the notification delivery domain—or you can configure your web browser to block all such requests. 

To learn how to manage these settings in your preferred browser, use a search engine like Google to query, for example, "Chrome turn off notifications" or "Firefox block notifications." These settings can be applied to browsers on your smartphone as well.
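As an added example (not from the original post or from any browser vendor), here is a small Python audit script that reads the relevant keys of a Chrome profile's Preferences file, lists the sites already allowed to push notifications, and rewrites the settings so that the default is Block and every existing Allow is revoked. The key names follow Chrome's profile layout as I understand it (an assumption to verify against your own Preferences file), and the sample file and its site list are constructed for the example.

```python
import json
from typing import List, Tuple

# Chrome stores notification grants in its profile's "Preferences" JSON file.
# ContentSetting values: 1 = allow, 2 = block, 3 = ask.
ALLOW, BLOCK, ASK = 1, 2, 3

# Constructed sample of the relevant keys; the site list is made up for this example.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "default_content_setting_values": {"notifications": ASK},
        "content_settings": {"exceptions": {"notifications": {
            "https://www.adweek.com:443,*": {"setting": ALLOW},
            "https://news.example:443,*": {"setting": ALLOW},
            "https://mail.example:443,*": {"setting": BLOCK},
        }}},
    }
})


def _exceptions(profile: dict) -> dict:
    """Return (creating if absent) the per-site notification exception map."""
    return (profile.setdefault("content_settings", {})
                   .setdefault("exceptions", {})
                   .setdefault("notifications", {}))


def allowed_notification_sites(prefs_json: str) -> List[str]:
    """List the origins that currently hold 'Allow' for notifications."""
    profile = json.loads(prefs_json).get("profile", {})
    # Keys look like "https://host:port,*"; keep only the origin part.
    return sorted(key.split(",")[0] for key, v in _exceptions(profile).items()
                  if v.get("setting") == ALLOW)


def harden_notification_prefs(prefs_json: str) -> Tuple[str, int]:
    """Set the default to Block, demote every Allow to Block; return (json, revoked count)."""
    prefs = json.loads(prefs_json)
    profile = prefs.setdefault("profile", {})
    profile.setdefault("default_content_setting_values", {})["notifications"] = BLOCK
    revoked = 0
    for entry in _exceptions(profile).values():
        if entry.get("setting") == ALLOW:
            entry["setting"] = BLOCK
            revoked += 1
    return json.dumps(prefs, indent=2), revoked
```

Run it against a copy of your profile's Preferences file while the browser is closed; Chrome rewrites the file on exit, so edits made while it is running are lost.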

Last week, Brian Krebs posted an article explaining why you should carefully consider whether to allow or block notifications when prompted. It is definitely worth a quick read. For more information, see "Be Very Sparing in Allowing Site Notifications" at https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/.


Saturday, November 14, 2020

Check out the new Google scam spotter online!

With the holiday shopping season already upon us, now is a good time to remind ourselves to be alert to online shopping scams and other ruses. 

Have you heard about Google's scam spotter website? Check it out at https://scamspotter.org/, and be sure to take the two-minute quiz to see how good you are at detecting a scam.

I love this site because the most pertinent information you need to know is presented visually, making it easy to comprehend regardless of your level of security knowledge. In less than 10 minutes you can learn how to detect scams in email (phishing), text messages (smishing) and phone calls (vishing). 

If you know someone who isn't security savvy or doesn't have time to devote to becoming a security expert, please share the scamspotter.org link with that person. This is an especially useful resource to share with your elderly loved ones, your kids or those who may be mentally challenged. 

Sample tip from scamspotter.org:



A note to my readers

This tip came from a monthly email newsletter produced by Rebecca Herold, aka The Privacy Professor. Every newsletter is a treasure trove of privacy and security tips. I recommend you give it a try!

For more information, or to subscribe, visit https://www.privacyguidance.com/. 

Saturday, October 31, 2020

Facebook copyright infringement scams

Once in a while my organization receives an email suggesting we are in violation of copyright law and can expect consequences. The majority of these are fake. A real copyright infringement letter is more likely to be sent to an organization's legal department via U.S. mail or a proper courier.

Individual consumers have become targets of this scam. Threatening emails and posts accusing you of copyright violation may very well be fake, so don't panic if you receive one of these. Fear is exactly what the scammers want you to feel. Don't fall for it.

If you receive an accusatory email, remember that scammers create phony emails (and posts) designed to look like they are from Facebook. Sometimes these can be quite convincing, often threatening to deactivate your Facebook account. They may provide you a link for filing an "appeal." As always, do not click unexpected or unknown links. 

Here is just one example:



To view sample copyright infringement scam emails and learn more about this ruse, see https://nakedsecurity.sophos.com/2020/10/27/facebook-copyright-violation-tries-to-get-past-2fa-dont-fall-for-it/.

If you receive bothersome messages from Facebook, consult Facebook's online help page at https://www.facebook.com/help/199655413426788/?ref=u2u. Also, you can forward phony Facebook emails to phish@fb.com.


Saturday, October 10, 2020

FBI warns students about spear phishing campaigns targeting student financial aid accounts

College students beware. 

On September 29, 2020, the Federal Bureau of Investigation issued a private industry notification warning universities and students of ongoing spear phishing attacks that have allowed thieves to successfully redirect financial aid funds into various Green Dot* bank accounts.

These spear phishing campaigns usually coincide with periods when large volumes of financial aid funds are disbursed, such as the beginning of a school term, and the attacks are expected to continue into 2021.

The phishing emails fraudulently obtain student login credentials, allowing cyber actors to gain access to and change direct deposit information. Funds are withdrawn and quickly transferred to accounts around the world.

After the funds have been disbursed by the financial aid provider to the "new" bank account, the student suffers a financial loss that leaves insufficient funds to pay tuition or other student needs (e.g., books, housing, meal plans).

Students, remember to never click links or open attachments in unexpected emails without first inspecting links and validating the sender. Do not enter credentials on a web page that you were redirected to from an email message—especially for sensitive accounts.

As a rule, I ignore login links sent by my bank; instead, I go straight to my web browser to log in using the bank's known URL, not the URL provided in the email or attachment.

*Green Dot Corporation is an American financial technology and bank holding company. It provides customers affordable debit accounts and offers businesses an all-in-one platform for building banking into their brand.

Thursday, October 1, 2020

This month's mantra: Friends don't let friends get scammed!

Welcome to National Cybersecurity Month in the U.S.! This is the time of year when cyber pros do our best to raise awareness about staying safe online.

The best way we can get ahead of the bad guys is by paying attention, staying alert, being skeptical of hyperlinks and attachments to emails, and sharing information with each other.

As such, one of my favorite security outfits, Sophos, is promoting this theme: Friends don't let friends get scammed!

If you get scammed online, report it to IC3.gov or FTC.gov. Post about it on your social media page. Warn your friends and family and co-workers (without sharing malicious links). If someone hacks your email, warn everyone in your Contacts list and reset your password to a long passphrase (stored in password manager software instead of written on a sticky note) while enabling multi-factor authentication on the account.

Believe me, there is a lot at stake here. Pay it forward. 

For more information, see this article (https://nakedsecurity.sophos.com/2020/10/01/becybersmart-why-friends-dont-let-friends-get-scammed/) or listen to the brief audio interview (https://soundcloud.com/sophos-audio/friends-dont-let-friends-get-scammed). Both offer some great advice that will protect all of us.


Saturday, September 12, 2020

Don't click that scary web pop-up

While surfing the web on your computer or mobile device, if you've ever seen one of these pop-ups, you've navigated to an unsafe web page and need to shut down your browser and, preferably, run an antivirus scan on your device. 

FAKE VIRUS POP-UP SCAM - Frankenstein Computers, Austintatious IT Support

If you actually call the toll-free number, you're well on your way to becoming a victim of credit card fraud and worse, especially if you let the "Tech Support" person on the other end of the phone remotely control your device. 

Would you let a complete stranger into your house, in the dark of night where you can't even see his face, just because he knocks on your door and says, "your burglar alarm has been hacked?" I didn't think so.

Even Apple devices can display these fake warnings. 

This type of ruse is called scareware. (You should google that.) I've known a number of people who fell victim to the "tech support scam," and it never ends well, requiring some level of security clean-up afterward.

When you receive an unexpected email or a pop-up carrying a threatening message like this, please stop what you are doing and remember that things are not always what they seem. Don't pick up the phone and don't click links. Shut down the app (ALT+F4 in Windows, Command+Q on Mac). 

Security experts at Sophos recently posted an informative article about how to spot fake web pop-ups. Take a look at one of the recent examples Sophos provides, like this one:

For more information, read the full article at https://nakedsecurity.sophos.com/2020/09/09/fake-web-alerts-how-to-spot-and-stop-them/. Stay on your guard.