Saturday, June 30, 2018

Have you disabled autofill in your browser?

I was, at one time, an autofill user. How convenient for me that my browser fills in the answers for me in various web form fields, like name, address, phone number, zip code, etc. It's possible to input credit card data this way as well, although I never enabled that feature.

More recently, I disabled the autofill capability in my preferred browser, which happens to be Google Chrome. I did this because the bad guys figured out a way to cull this information without the user's knowledge.

How they do this is quite simple. The user clicks a link in a targeted phishing email and is redirected to the attacker's web page. A form on the page shows some blank fields—such as first name and last name.

With autofill enabled in browser settings, and with a single click, the user chooses to automatically fill the name fields, unaware that there are hidden fields on the page that are automatically filled as well—only with more sensitive information than just a name.
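The hidden-field trick described above leaves a trace in the page's own HTML: input elements that carry an autocomplete token for sensitive data but are styled so the user never sees them. The following Python script, an added example that is not from the original post or the linked article, parses a constructed sample form and flags such fields. The list of "sensitive" autocomplete tokens and the inline-style patterns it looks for are my own simplifications of the HTML autocomplete specification and of common CSS hiding techniques, not an exhaustive set.

```python
from html.parser import HTMLParser

# Constructed sample form (not from the original post): two visible name fields,
# three fields hidden with CSS or the `hidden` attribute that a browser's autofill
# would still populate, and one type="hidden" input that autofill never touches.
SAMPLE_FORM = """
<form action="/submit" method="post">
  <input name="first" autocomplete="given-name">
  <input name="last" autocomplete="family-name">
  <input name="addr" autocomplete="street-address" style="display:none">
  <input name="phone" autocomplete="tel" style="position:absolute; left:-9999px">
  <input name="cc" autocomplete="cc-number" type="text" hidden>
  <input name="token" type="hidden" value="abc">
</form>
"""

# Inline-style fragments that take a field out of view without removing it
# from the form (assumption: a small, illustrative list, whitespace stripped).
HIDING_STYLES = ("display:none", "visibility:hidden", "opacity:0", "left:-")

# Autocomplete tokens that carry more than a name (subset of the HTML spec's list).
SENSITIVE_TOKENS = {
    "street-address", "address-line1", "address-line2", "postal-code",
    "tel", "email", "cc-number", "cc-exp", "cc-csc", "cc-name",
}


def is_visually_hidden(attrs):
    """True if the input is hidden from the user but still an autofill candidate.
    type="hidden" inputs are skipped because browsers never autofill them."""
    if attrs.get("type", "text").lower() == "hidden":
        return False
    if "hidden" in attrs:  # bare `hidden` attribute
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(pattern in style for pattern in HIDING_STYLES)


class AutofillAuditor(HTMLParser):
    """Collects (field name, autocomplete token) for hidden sensitive inputs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # The autocomplete value may contain several tokens; the last one names the field type.
        tokens = a.get("autocomplete", "").lower().split()
        token = tokens[-1] if tokens else ""
        if is_visually_hidden(a) and token in SENSITIVE_TOKENS:
            self.findings.append((a.get("name", "?"), token))


def audit_form(html):
    """Return the hidden-but-autofillable sensitive fields found in an HTML string."""
    auditor = AutofillAuditor()
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for name, token in audit_form(SAMPLE_FORM):
        print(f"hidden autofill field: name={name!r} autocomplete={token!r}")
```

Run against the sample form, it reports the address, phone and card-number fields and ignores the two visible name fields and the `type="hidden"` token. A real page would need the computed style from a browser rather than inline-style string matching, so treat this as a first-pass check, not proof that a form is clean.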

Note that if you use a password manager program (such as LastPass), it may have an autofill feature enabled.

For more information, see https://www.social-engineer.com/disable-autofill-browsers/.

Wednesday, June 6, 2018

Facebook users: Beware Target gift card scam

If one of your Facebook friends claims that he/she sent a text and received a free Target gift card in exchange, it's a hoax. The simple lesson here is that if it looks too good to be true, it probably is.

According to an article on Goodhousekeeping.com, the Facebook post appears to come from someone you know, and it may look like this:


This is a phishing scam.

The rule of thumb to avoid being scammed is this: Don't click links or open attachments in unexpected or unusual messages. Always verify before clicking. Other red flags are messages urging you to act now, messages asking for money, and anything offering something for nothing.

Want to stay safe online? Be careful what you click. When in doubt, verify. It's as simple as that.

For more information, see https://www.goodhousekeeping.com/life/money/a20952055/target-gift-card-scam/.

Saturday, May 5, 2018

Time to change your Twitter password if you have one

This week Twitter reported that it was storing user credentials in clear text in log files. Twitter users would be wise to log in to twitter.com and change their password. Now. Make it a long one, and make it unique.

For more information, see the Wired article at https://www.wired.com/story/change-your-twitter-password-right-now/.

Tired of keeping up with passwords? We all are. If you're not using a trusted password manager by now, you're behind the times. There is no excuse. Make it an immediate goal to stop using insecure passwords and to stop writing them down.

There are plenty of good password managers available, and many of them are free. LastPass is an example. See Wired magazine's recent article at https://www.wired.com/story/password-manager-autofill-ad-tech-privacy/.

Sunday, April 29, 2018

Why we all need to stop responding to online quizzes and personal surveys

The Internet has become a massive data aggregation tool, providing entire lifestyle and consumer profiles about people to a host of anonymous entities. If you participate in social media tools like Facebook, your life's details are not only being harvested by marketing firms but by hackers as well.

Many social media sites offer up seemingly harmless quizzes and games that serve up questions urging you to reminisce about specific areas of your past, like "What was your first job?" You can substitute the word "job" with a host of other words—like pet, car, school name, etc.

Other questions might be, "What was your favorite teacher's name?" Again, you can substitute a number of words for teacher—like movie, book, school mascot, etc.

These questions are no different from the secret questions that you use online to reset a lost password or unlock an account. By sharing the answers with anonymous sources you are giving away the keys to unlocking your online accounts.

Although most people won't give away this kind of information, you'd be surprised at how many do. Whether you think you trust the source or not, always avoid answering questions like these in chain emails and social media "quizzes" and surveys.

Also, when configuring your secret questions and answers for unlocking online accounts, be sure to use information that is not readily available through your online persona.

For more information, see Brian Krebs' posting entitled Don't give away historic details about yourself at https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/.

Sunday, April 22, 2018

New active shooter "emergency scare" phishing scam at college

Here is a scheme for college students to be aware of. A community college in Florida fell victim to a fake campus-wide security alert that awkwardly announced an "emergency scare" by email to students. Even though this hit just one school, it paves the way for more scams like it. And scams like this can lead to panic, a flood of calls to 911, and other harm.

KnowBe4, the organization that posted info about this scam, warns college students to be on the lookout for these potential variations in the subject line of the phishing email:
  • IT DESK: Security Alert Reported on Campus
  • IT DESK: Campus Emergency Scare
  • IT DESK: Security Concern on Campus Earlier
If you click the links in the message, you're asked to enter your Microsoft online account credentials, which the bad guys then steal from you.

Always, always be wary of any unexpected email that leads you to provide a user name and password. If you do inadvertently click such a link, look at the full web site URL in the address bar of your browser before typing anything. In this case, if the URL doesn't have "microsoft.com" in it, then you know it's a fake.

In fact, it is best to always check the URL before typing in your credentials anywhere on the world wide web. Is the domain name correct? Is the prefix "HTTPS" (not "HTTP"), which shows you that the information you type is secure? If not, leave that site without interacting with it.

For the story, see http://www.prweb.com/releases/2018/04/prweb15410086.htm.

Saturday, April 7, 2018

The latest domain name scam involves changing .com to .cm in a web address in order to fool unsuspecting victims into clicking a link to a nefarious web site that looks a lot like the real thing.

Domain names are used to identify web pages on the Internet. In a web page address (also known as a "URL," for uniform resource locator), the domain name identifies the realm of the administrative authority that controls the domain.

For example, in the URL https://support.microsoft.com/en-us, the domain name is microsoft.com. The suffix of the domain indicates which top-level domain it belongs to. Common suffixes (sometimes called domain extensions) are .com, .edu, .net, .org, .gov, .mil, .biz, .info and .us.

Some other examples of domain names, each with its top-level domain suffix, are facebook.com, villanova.edu, billygraham.org, fdic.gov and navy.mil. Here's another: parliament.uk. For this one, the domain name extension is ".uk," which is the country code for the United Kingdom.

Anyone can register a domain name for an annual fee.

With this particular ".cm" ruse, someone registers a trusted name using the .cm extension. In actuality, .cm represents the country Cameroon. But, as we said, anyone can buy a domain name, provided it's not already taken.

Say I was quick on the draw and registered facebook.cm before Mark Zuckerberg thought to reserve it. If I was a bad guy, I could then stand up a web server at facebook.cm and use it to mine bitcoin, store porn or serve up malware—you name it. Then I could buy a spam email list on the dark web and send tens of thousands of phishing emails to people that point to a web page on my facebook.cm server. I can guarantee you that a certain percentage of those recipients would take the bait and click that malicious link. It looks too much like the real thing.

Never click links in unexpected emails. Personally, I treat every link as suspicious. To protect yourself, before you click any link, hover over it with your mouse pointer to view the real URL behind the text. Scrutinize the domain name. Is it a domain you trust? Is it spelled properly? When in doubt, don't click. The safest route to a web site is to type the address into your browser address bar yourself, then store it as a bookmark.
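The "look at the full URL before typing anything" advice in the campus phishing post above, and the .cm swap described here, both come down to the same question: is the host name of the link really under a domain I trust? A substring check ("does the URL contain microsoft.com?") is not enough, because microsoft.com.evil.example contains it too. The Python below, an added example that is not from the original posts or from Brian Krebs' article, pulls the host out of a URL with the standard library and classifies it. The trusted-domain list is constructed for the example, and the two-label "registrable domain" rule is an assumption that holds for .com-style names but not for country-code suffixes such as co.uk, which would need a public-suffix list.

```python
from urllib.parse import urlsplit

# Domains the reader has decided to trust (constructed for this example).
TRUSTED_DOMAINS = {"microsoft.com", "facebook.com", "krebsonsecurity.com"}

# The first label of each trusted domain, e.g. "facebook"; a host that reuses
# it under a different suffix (facebook.cm) is the typosquat pattern from the post.
TRUSTED_NAMES = {domain.split(".")[0] for domain in TRUSTED_DOMAINS}


def registrable_domain(host):
    """Return the last two labels of a host name, e.g. support.microsoft.com -> microsoft.com.
    Assumption: two labels are enough; country-code suffixes like co.uk need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url):
    """Classify a link target as 'trusted', 'insecure', 'lookalike' or 'unknown'.

    trusted   - registrable domain is on the trusted list and the scheme is https
    insecure  - trusted domain, but plain http (the post's "HTTPS not HTTP" check)
    lookalike - not trusted, yet a trusted brand name appears as a label of the host
    unknown   - none of the above; decide for yourself, or don't click
    """
    # A bare "www.example.org/path" has no scheme; urlsplit would treat it as a path.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)

    if domain in TRUSTED_DOMAINS:
        return "trusted" if parts.scheme == "https" else "insecure"

    # microsoft.com.evil.example, login.microsoft.com.secure-verify.net and
    # facebook.cm all carry a trusted name as one of their labels.
    if TRUSTED_NAMES & set(host.lower().split(".")):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, the kind one would hover over in an email client.
    for link in [
        "https://support.microsoft.com/en-us",
        "http://support.microsoft.com/en-us",
        "https://www.facebook.cm/login",
        "https://microsoft.com.evil.example/login",
        "https://example.org/",
    ]:
        print(f"{check_url(link):9}  {link}")
```

The point of the example is the host extraction: only the registrable domain decides trust, and everything to its left (subdomains) or to its right (a swapped suffix) is where the look-alikes live. A verdict of "unknown" is not a pass; it just means the heuristic has nothing to say and the reader's own judgment applies.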

For details, see Brian Krebs' article at https://krebsonsecurity.com/2018/04/dot-cm-typosquatting-sites-visited-12m-times-so-far-in-2018/.

Monday, February 19, 2018

Beware bogus debt collection and IRS phone calls

After an 8-month sabbatical that took me to a new job in a new state, I'm back to my blog. And guess what?! It's tax fraud season again! A few things to know:
  • If a debt collector calls you, hang up.
  • File your taxes early, before an impersonator does it for you.
  • If the IRS calls you, hang up. Remember that the IRS will never phone you asking for money.
Always beware of fake "debt collectors," fake "attorneys" claiming to be helping a loved one in jail, fake government agency representatives, or anyone calling you for money. It's also not a bad idea to screen incoming calls and don't answer numbers you don't recognize. Legitimate callers will leave a message.

For more information on this new debt collection scam that goes after your IRS refund, see Brian Krebs' blog posting IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts at https://krebsonsecurity.com/2018/02/irs-scam-leverages-hacked-tax-preparers-client-bank-accounts/.