Have you ever seen a scam so obvious that only a kid could fall for it? As reported by Malwarebytes, scammers on TikTok are offering “free” download codes for popular games as part of a malvertising scheme—kids are encouraged to visit a website for free games, and malware is automatically downloaded to their computer through ads.
We’ve started seeing some almost believable malware popping up on our Android devices. Remember never to click on ANYTHING that pops up while you’re browsing the web, no matter how much it looks like it came from your operating system or phone vendor.
We got the scary virus warning below clicking on an article on a political website, TheHill.com (repeatedly, alternating with another dubious click-hole). It references a “hacking event” with yesterday’s date, and there’s even a 3-minute countdown-to-disaster timer. (HURRY! You better click NOW!) They even throw in the phone model for good measure, and it looks like it could be from Samsung, or a notice of an Android update. Yeah. Could be. But… it isn’t.
Don’t be fooled. Never click on pop-ups. When in doubt, just hit BACK.
BOSTON — The state-backed Russian cyber spies behind the SolarWinds hacking campaign launched a targeted spear-phishing assault on U.S. and foreign government agencies and think tanks this week using an email marketing account of the U.S. Agency for International Development, Microsoft said.
The effort targeted about 3,000 email accounts at more than 150 different organizations, at least a quarter of them involved in international development, humanitarian and human rights work, Microsoft Vice President Tom Burt said in a blog post late Thursday.
It did not say what portion of the attempts may have led to successful intrusions.
The cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, said in a post that relatively low detection rates of the phishing emails suggest the attacker was “likely having some success in breaching targets.”
Burt said the campaign appeared to be a continuation of multiple efforts by the Russian hackers to “target government agencies involved in foreign policy as part of intelligence gathering efforts.” He said the targets spanned at least 24 countries.
The hackers gained access to USAID’s account at Constant Contact, an email marketing service, Microsoft said. The authentic-looking phishing emails dated May 25 purport to contain new information on 2020 election fraud claims and include a link to malware that allows the hackers to “achieve persistent access to compromised machines.”
Microsoft said in a separate blog post that the campaign is ongoing and evolved out of several waves of spear-phishing campaigns it first detected in January that escalated to the mass-mailings of this week.
While the SolarWinds campaign, which infiltrated dozens of private sector companies and think tanks as well as at least nine U.S. government agencies, was supremely stealthy and went on for most of 2020 before being detected in December by the cybersecurity firm FireEye, this campaign is what cybersecurity researchers call noisy. Easy to detect.
Microsoft noted the two mass distribution methods used: the SolarWinds hack exploited the supply chain of a trusted technology provider’s software updates; this campaign piggybacked on a mass email provider.
With both methods, the company said, the hackers undermine trust in the technology ecosystem.
Scam artists are getting so good at creating realistic-looking phishing emails that some are getting past Gmail’s spam filters. Although most of us have been trained to spot suspicious email messages, some (like the one above) look like they could be from companies like Amazon.
Google Drive is one of the more trusted cloud services out there, but that doesn’t mean it’s perfect. As system administrator A. Nikoci tells The Hacker News, bad actors can exploit flaws in Google Drive’s “manage versions” feature to trick you into downloading malware.
To demonstrate, A. Nikoci put together a YouTube video that shows the process. To start, the bad actor needs to upload a legitimate file, like a PDF, and create a shareable link for it. Google Drive will do its thing and generate previews and the like, so anyone who follows the link can see what the file contains.
But the next step is where things get nefarious. Google Drive has a “manage versions” feature that lets you update a file and keep the same shareable link. That’s useful if you need to make some changes to a file you’ve already sent out.
It seems Google Drive doesn’t take as close a look at the new file as it did the original. You can change out the file entirely, even if it has a new extension like .exe, and that doesn’t trigger an update to the preview or update the file name and extension in the shared link site.
The only real indications are a change to the file icon (it no longer shows a pdf icon for instance), and when you download the file it will reveal the .exe extension. Of course, that could be too late for the right kind of malware. Or you might have the “open when finished downloading” option going.
Google Drive doesn’t seem to scan the updated file closely enough to realize it’s malware, even when SmartScreen and other antivirus programs catch the problem. Nikoci says he notified Google of the problem two days ago, but the company hasn’t corrected it.
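A defender-side check for the swap described above, as an added example that is not from the original article or from Google: it compares the file name shown on the share page with the name and leading bytes of the file actually delivered. The function names, extension tables and sample bytes are assumptions constructed for illustration.

```python
import os

# Well-known leading "magic" bytes for a few formats.
MAGIC = [(b"%PDF-", "pdf"), (b"MZ", "exe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip")]
# Content kind each advertised extension should have (assumed, deliberately short list).
EXPECTED_KIND = {".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".exe": "exe"}
EXECUTABLE_KINDS = {"exe", "elf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".msi", ".bat", ".cmd"}


def sniff_kind(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def check_download(advertised_name: str, saved_name: str, head: bytes) -> list:
    """Compare what the share page showed with what was actually delivered."""
    findings = []
    kind = sniff_kind(head)
    # 1. The extension only changes at download time in the scenario above.
    if ext(advertised_name) != ext(saved_name):
        findings.append(f"extension changed: {ext(advertised_name)} -> {ext(saved_name)}")
    # 2. Executable by name or by content, whatever the share page claimed.
    if ext(saved_name) in EXECUTABLE_EXTS or kind in EXECUTABLE_KINDS:
        findings.append(f"delivered file is executable (content: {kind})")
    # 3. Content does not match the type the share page advertised.
    expected = EXPECTED_KIND.get(ext(advertised_name))
    if expected and kind != expected:
        findings.append(f"content is {kind}, share page advertised {expected}")
    return findings


# Constructed samples: the first bytes of a PDF header and of a PE header.
PDF_HEAD = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    print(check_download("report.pdf", "report.pdf", PDF_HEAD))  # unchanged file
    print(check_download("report.pdf", "report.exe", PE_HEAD))   # swapped version
    print(check_download("report.pdf", "report.pdf", PE_HEAD))   # executable kept under old name
```

Run against the quarantined download before it is opened; any non-empty result means the file is not what the link preview showed.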
Netflix is great for providing so many hours of television and movies, making it the go-to entertainment option for many. But as enjoyable as it is, it can still provide some trouble. This is what the Armorblox site found out when it discovered a Netflix phishing scam that is stealing credit card information.
How the Netflix Phishing Scam Works
Before abandoning Netflix, it may be beneficial to find out how the scam works and how it was found, as perhaps you can change things up a little to be sure it doesn’t happen to you so that you…
Criminals are getting busy — and creative — with an onslaught of new frauds preying on people’s fears and anxieties about the coronavirus pandemic.
The big picture: Desperate people are finding their unemployment checks and stimulus payments stolen. They’re also being bombarded with offers for fake cures, fake work-at-home offers and messages asking for personal financial information.
In perhaps the most widespread scam, criminals are filing fake unemployment claims on behalf of real people who haven’t lost their jobs, hitting one state after another.
The rush to get relief money in people’s hands has introduced new vulnerabilities to unemployment systems — state agencies and corporate human-resources departments alike are quick to approve claims without requiring much proof.
A Nigerian crime ring called “Scattered Canary” may be responsible for a lot of this fraud, which is made more attractive by the extra $600 a week in unemployment benefits Congress enacted.
Washington state — an early locus of coronavirus in the U.S. — seems to have been hit hardest, with hundreds of millions of dollars in benefits siphoned off, per the Seattle Times.
Where it stands: The Federal Trade Commission says consumers have reported about $50 million in losses to the agency.
TransUnion, the credit bureau, runs a weekly survey that shows that 29% of consumers say they’ve been targets of digital fraud related to COVID-19.
“Some of the really pernicious stuff that we were seeing were about people ordering P.P.E.-type materials — face masks, hand sanitizer — and then it never arrives,” Monica Vaca of the FTC tells Axios.
“Fraud is big business, and it runs just like every other corporation out there,” Will LaSala of OneSpan, which sells antifraud software, tells Axios.
Misinformation about COVID-19 — plus runs on items like soap and toilet paper — prompted a lot of people to try to buy things on merchant websites that turned out to be fake, or to click on phishing offers.
Fraudsters dangled lures like “check your $1,200 stimulus pay status” to get people to divulge information via email, phone and text.
Other scams include fake charity websites, false offers of Small Business Administration loans, sham work-at-home schemes that get people to pay money up front, and calls from a local area code that purport to be from a person’s doctor.
Official-looking notices claiming to be from the government might say you’ve been overpaid in stimulus or unemployment benefits and need to return the money immediately.
“A lot of times, they’ll say you have to do it right now or you’ll be arrested — and, oh, by the way, put it on an Apple gift card,” Paul Stephens of the Privacy Rights Clearinghouse tells Axios.
Then there are W-2 scams, in which a hacker spoofs the email address of a CEO and asks the H.R. department for a list of employees’ tax information.
“When we were working from offices, there were firewalls in place that really blocked a lot of this, but now that we’re working from home, we don’t have those safeguards in place,” LaSala says. “That really led to a lot of these attacks.”
Who’s scammin’ whom: While the elderly are frequent victims, more unexpected are millennials (who are at the prime age to be home, online, idle and jittery) and college students, who are nervous about their academic future and tuition status.
“They pretend that they’re from the school’s financial department and they’re giving you choices,” Paige Hanson, chief of cyber safety education at NortonLifeLock, tells Axios. “They’ll say, ‘click on this link to verify your personal information.’ It will go to a fake landing page” where criminals collect the information they need to take advantage of the student.
Even if only a tiny percentage of these fraud attempts works, “the payoff is significant,” Crane Hassold, senior director of cyber intelligence at the email security firm Agari, tells Axios.
“Some of these attackers are working 40 hours a week. These attacks are becoming more sophisticated, more realistic.”
Experts offered some advice to try to protect yourself:
“Be suspicious of any unsolicited phone call, email or text message you might receive from anyone, unless you initiated the contact with that person,” Stephens said. If in doubt, call back to a number you know is legit.
Talk to someone before taking action. “Tell a friend, tell your sibling or somebody,” Hanson said. “Even though you’re in that moment and you want to react, they might know about this scam.”