Pokemon Privacy: Catching Them All, Safely

By | July 18th, 2016|Industry News, Malware and Scams, Online Safety|

CSIDOn July 6, Niantic launched Pokemon Go — a free, augmented reality game for iOS and Android devices. The world went wild. Pokemon Go grabbed 26 million users in the U.S. alone, surpassing both Google Maps and Twitter in daily active users.

It’s been hard to escape the colorful news over the past week. Articles continue to surface on where to find the best Pokemon, how to catch them, and (most importantly) how to stay safe while doing so. In addition to warning users to be aware of their physical surroundings, many headlines warn of the cybersecurity risks involved with the game.

Full Google Account Access
One of the main concerns was Pokemon Go’s access to iOS users’ full Google Accounts. Although the app was vague on what this entailed, many privacy experts and users were concerned the game could access everything from Gmail to Google Drive.

Niantic was quick to respond to the alarm, claiming this was an error. “Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected,” Niantic said in a joint statement with The Pokemon Company.

The statement also clarified that no additional information has been received or accessed within Google. Instead of potentially accessing your entire Google footprint, the app can now only access your Google user ID and email address.

Take Action: iOS players should take care to update the app from the App Store and re-login to accept this updated privacy policy.

Malware Threats
Pokemon Go is only currently available in the United States, Australia, New Zealand, and United Kingdom, though it will soon be available in Italy, Spain and Portugal. While other regions wait for their chance to build their Pokedexes, many over-eager gamers are downloading versions from third-party sites.

“When it comes to malware, you really don’t want to catch ’em all,” Tim Erlin, Director, Security and IT Risk Strategist at Tripwire told InformationSecurityBuzz.com. “Cybercriminals are after any angle that helps them gain a foothold on your devices. A popular app that’s not available in some places is a near-perfect target for crafting a malware delivery strategy. … Installing software from third-party markets and unknown sources increases your risk of malware. Period.”

The security firm Proofpoint claims to have found a third-party version of the game which included a RAT, or remote access tool, called Droidjack. While Proofpoint has not observed the malicious tool “in the wild,” Droidjack has the potential to give a cybercriminal full control over a victim’s phone.

Take Action: If Pokemon Go is not currently available in your area, be patient. Do not risk infecting your phone and devices with malware. Android users should also take care to download the app from App Store.

Watch Where You Work
The cybersecurity risks around Pokemon Go give employers a great opportunity to create a conversation around BYOD security (and time management) in the workplace. Companies and employees should be aware that a device infected with malware could affect the entire network’s security.

Take Action: Brush up on our best practices for protecting your business.

Create a Conversation with Kids
While apps – and Pokemon – are meant for fun, it’s important to examine the privacy policies of all your apps to ensure you are not over-sharing data. This can help lead into a conversation with your family, and especially your kids, about privacy and security.

Discuss what types of information should be kept private, both online and in person. Discuss concerns over connecting devices to public Wi-Fi, and how to recognize a scam. Creating a conversation now can lead to better cybersecurity habits later.

Take Action: We discuss more tips for talking to your kids about privacy.

Are you playing Pokemon Go? Let us know your experience with the app and how you’re protecting your information. Join in the conversation on Facebook, Twitter or LinkedIn!

Recognizing Different Types of Imposter Scams: Part 2

By | July 14th, 2016|Malware and Scams, Online Safety|

CSIDImposter scams – when criminals disguise their true identity, pretending to be someone trustworthy in an attempt to obtain money from their victims – can happen anywhere, and to anyone. Imposters go to great lengths to appear real and manipulate their victims, and we’re not seeing any sign of these scams slowing. In order to combat this growing trend, the Federal Trade Commission recently released educational videos and articles to help consumers and businesses alike avoid some of the most common imposter scams facing us today. We took a look at a couple of scams last week – the second of this two-part series discusses the others: grandkid and online dating scams.

Grandkid Scams
This type of scam happens more commonly with the elderly, taking advantage of the bond between a grandparent and grandchild. However, anyone can be affected. Typically, the scammer will give you a call, claiming to be a grandchild or another family member, asking for money to get out of an accident or other fabricated incident.

Before you reach for your wallet, try to determine if the call is legitimate. Contact the person claiming to call directly. You should also check in with someone who knows the person, like a sibling, parent or friend. Don’t send money unless you’re positive the person calling is indeed who they say they are.

Online Dating Scams
In today’s digital world, more and more relationships are being formed via online dating sites. In many cases, relationships begin to develop online before ever actually meeting in person. The lack of face-to-face interaction is a perfect opportunity for a scammer to strike. Perhaps they’ll have a sick relative, or their car is just giving them all sorts of trouble, or they’re late with their rent. It’s a different excuse every time, with all requesting the same thing: money.

If you do suspect someone of attempting to scam you, report it at FTC.gov/imposters. Have you been a victim of a scam? Join the conversation on FacebookTwitter and LinkedIn.

Recognizing Different Types of Imposter Scams: Part 1

By | July 8th, 2016|Malware and Scams, Online Safety|

CSIDImposter scams – when criminals disguise their true identity, pretending to be someone trustworthy in an attempt to obtain money from their victims – can happen anywhere, and to anyone. Imposters go to great lengths to appear real and manipulate their victims, and we’re not seeing any sign of these scams slowing. In order to combat this growing trend, the Federal Trade Commission recently released educational videos and articles to help consumers and businesses alike avoid some of the most common imposter scams facing us today. The first of this two-part series takes a look at some of the most prevalent: IRS and tech support scams.

IRS Imposter Scams
Tax season is already a stressful period for many, and it’s made even worse by imposters pretending to be someone they’re not. We’ve discussed various types of tax fraud in the past, but an IRS imposter scam is a bit different. A scammer will send an email, text or call claiming you owe taxes, or there that there is an issue with your return, and can even rig your caller ID to look official. These are alarming messages for anyone to receive, and a scammer could take advantage of your anxiety to extort money.

Before panicking, remember this: the first method of contact from the IRS is always via a letter in the mail. If you’re receiving a message in any other format, especially if it’s suggesting paying with a debit card or wire transfer, it’s likely bogus.

Tech Support Scams
With how much time we spend on the Internet, it’s possible we may have picked up a computer virus along the way. Scammers know this, and may pose as a tech company to warn you about a potential infection.

These scammers come with varying intentions. They may want to sell you useless software services, steal your credit card number, or get access to your computer to install malware. If you receive a call or an email like this, take a moment to stop and think. Never give control of your computer or your credit card information to anyone that contacts you out of the blue.

We’ll cover two additional imposter threats in an upcoming blog post. Meanwhile, if you do suspect someone attempting to scam you, report it at FTC.gov/imposters. Have you been the victim of a scam? We’d love to hear from you – join the conversation on FacebookTwitter and LinkedIn.

Memorial Day Bargain or Scam? Tips for Secure Online Shopping

By | May 27th, 2016|Identity Protection, Malware and Scams|

CSIDNational holidays are a time to get together with family, enjoy some time off, and relax. Unfortunately, they’re also a gold mine for cyber criminals. With Memorial Day almost upon us, retailers are promoting their special offers for the holiday weekend. To keep your online shopping deals from turning into a hacker’s opportunity to steal, here are some security best practices to keep top-of-mind:

  • Update your devices. Any device you use for shopping should have the latest security software, operating systems, programs, and applications. Just as you update your computer, make sure to do the same for your tablet, smartphone, or any other device you use to make purchases. In addition, avoid shopping on any device while connected through public Wi-Fi or unsecured networks.
  • Know your merchant. When making online transactions, make sure you’re dealing with a reputable site and take a careful look at the website’s URL. A good indicator that the retailer is legitimate and has a secure payment portal is if your web browser’s address bar displays a closed, green padlock.
  • Be aware of phishing scams. Email phishing scams are always a threat, but be especially wary during peak shopping seasons. Be aware of any misspellings in communications and “too good to be true” deals from a retailer. When in doubt, just go to the site directly by typing in the URL to your browser. Make sure to delete any suspicious emails and mark them as “spam.”
  • Protect your personal and financial information. Be aware of the information that is being collected to complete your purchase. Only fill out what is required and understand the merchant’s privacy policy – know how your information will be stored and used for current and future purchases.
  • Keep track of payments. Keep records of your online transactions and monitor your bank and credit card statements to make sure there are no fraudulent purchases. Credit cards are often the best option for online purchases because if there is any suspicion of fraud, your creditor can investigate and remove the charge if it is indeed fraudulent.

For more online security tips, be sure to follow us on Facebook and Twitter. Stay safe out there and have a great long weekend.

Snapchat’s Phishing Attack: A Reminder That Security Starts with Employee Education

By | March 2nd, 2016|Business Security, Industry News, Malware and Scams|

EducateSnapchat, the popular ephemeral messaging application, just announced a phishing attack that has compromised the identities of a number of its current and former employees.

According to a blog post from the company, Snapchat’s payroll department was targeted by an isolated phishing scam, where a scammer impersonated the company’s chief executive officer and asked for employee payroll information. The email was not recognized as a scam and as a result, personal information about some current and former employees was disclosed.

Snapchat has not revealed the specific information that was released, but because it is sensitive payroll information, it could likely include everything from salary data and Social Security numbers, to bank details and addresses.

The frequency of phishing attacks continues to rise, and even unsophisticated hackers now have access to the tools needed to orchestrate an attack. According to a report from PhishLabs, “basic, even free, phishing kits now contain a variety of clever functions, as well as obfuscation and anti-analysis techniques.” While more sophisticated attackers are selling phishing kits for anywhere between $1 and $50, others are making them freely available.

In 2015, the FBI coined the term “business email compromise” to describe the growing category of phishing attacks targeting American companies. As of August 2015, the Bureau estimated that “since 2013, the total dollar losses to American companies exceeded $740 million, while only hitting around 7,000 targets. When international victims are added in, the losses total $1.2 billion.”

As with the case of Snapchat, attackers frequently impersonate executives from the company in order to hack in to company networks. These attacks are often difficult to detect. It’s essential that companies invest time in educating their employees on safe email practices, including:

  • Using strong, unique passwords and enable two-factor authentication whenever possible
  • Keeping all systems up-to-date with the latest security patches and updates
  • Avoiding sharing sensitive information over email, or utilizing code words to verify that the person requesting the information is indeed that person and not an attacker
  • Not clicking on any suspicious links
  • Deploying SPAM filters

How are you keeping your company safe from phishing attacks? We’d love to hear from you–connect with us on Facebook, Twitter or LinkedIn.

Ransomware in Review

By | November 24th, 2015|Business Security, Malware and Scams|

RansomwareOne of the scariest cyber security trends of 2015 was the evolution and uptick of ransomware attacks. Ransomware is a type of malware that, once installed on user’s device, will block access to the device until a ransom is paid to the cyber criminal to unlock and remove the malware. The FBI recently reported that Cryptowall, a popular strain of ransomware, netted cyber criminals more than $18 million between 2014 and 2015.

It is true that ransomware campaigns have continuously netted their owners large amounts of profit, and have become highly attractive to the fraud community. However, this rise in prominence has also led to an increase in focus by the anti-virus industry, whose job it is to mitigate the major threats seen in the underground world.

This is why ransomware has evolved drastically over the past 12 to 18 months. Cyber criminals have realized that that the security industry is capable of developing various countermeasures to software-based threats, so simply locking devices for a ransom is easily mitigated and prevented. As a result, cyber criminals have taken ransomware a step further and moved to file encryption, which is much more difficult to resolve via anti-virus software. By implementing file encryption, cyber criminals can ensure that users cannot simply apply a patch and undo the damage done to their device. Affected users are forced to deal directly with the cyber criminal if they have any desire to recover the encrypted information, increasing the probability of an affected user paying the ransom rather than going to a security vendor for help.

Countermeasures to this new approach to ransomware are in the works. Businesses can focus on monitoring network traffic to identify anomalous requests or physical devices to identify suspicious activities on devices, activities like file system access and injection into remote processes. However, these countermeasures are a product of businesses catching up to the cyber criminals. The underground community will always be coming up with new ideas and attack methodologies. They innovate at a faster pace than the business world and are constantly focused on designing new methods to steal anything that can be sold or used for financial gain. It’s up to businesses and consumers to understand these issues and utilize the best tools available to secure themselves and their devices.

As always, let us know your thoughts on FacebookTwitter or LinkedIn.

Load More Posts