Got an Amex or a Chase credit card? Then you were the target of a new phishing campaign this week. According to Information Security Buzz, “A new phishing campaign involves scammers sending fake Chase and Amex fraud protection emails asking users if the listed card transactions are valid. Victims who click the no button in the message to dispute the transactions will be redirected to a fake yet legitimate-looking Chase or American Express login site where they will go through a fake verification process that invites them to enter their username, password, birth date, social security number, as well as their bank and credit card information.”

Tip: If you find yourself on a website requesting your social security number, close the browser and call up the service provider. You’re welcome.

 

iPhone Free VPN Scam

Love and money—what better way to lure victims into a phishing scam? From Hot for Security, a “New Phishing Scam Lures iPhone Owners with Romantic Chat, Gambling, Free VPN.” Ah, free VPN.

Apparently, the scam includes a slot machine app that says, “You are today’s lucky winner! You have a chance to win the progressive jackpot of over $4,903,349.05! Just tap SPIN NOW below to start playing!” I wasn’t suspicious until I saw the third exclamation point.

 

Corporate Brands Phishing Attack

Well-known corporate brands get hit the most, as confirmed by this week’s latest phishing attack, according to Bleeping Computer.

How many companies were hit in this attack? How about 27. And some famous consumer brands too, like Agilent Technologies, Hasbro, JCPenney and Eastman Chemical Company. Stay safe out there.

 

Phishing Phrontier

Sometimes the simplest methods are the most effective. This week’s simple method? Gift cards.

According to Techdator, the scam involves an attacker first compromising a top executive’s email and then messaging their “subordinates to wire transfer or buy a gift card for some cause. And the request being from the boss, most would eventually comply and do so, losing the money.”

“Reports say the minimum amount of these scams start from as low as $250 to more than $10,000 for each gift code. The average amount was said to be $1,627 and these would be targeted across multiple departments of the same organization!”

 

Hackers’ Strategy

Do you know what a hacker’s greatest asset is? Patience. That’s according to an article on Express Computer. Oh sure, hackers are willing to monitor and track your activity to learn about you before launching a phishing attack. It’s how long they are willing to wait to avoid detection that’s so impressive.

From the article, “The bulk of the attack happened within a time range of two days, but there was a 12-day gap between the initial login and further suspicious activity. One potential hypothesis about the long gap is that the attacker is trying to perform a reconnaissance attack by spending time gathering information.” Patience is a virtue, after all.

 

Account Phishing Scam

When you receive an email warning you of “unusual activity,” alarm bells should be going off in your head. The only thing unusual would be if the email wasn’t a phishing scam. This week’s, from Hoax Slayer, “claims that your account is set to be limited because the service provider has noticed some unusual activity. Supposedly, access to your account will be limited within 24 hours unless you click a log-in button to have the pending limitation removed.” Yeah, let me get right on that.

 

Body Count

Texas school districts didn’t fare too well this week. According to SC Magazine, “A school district and city in the same geographical area in Texas were each hit with ransomware this week with the city of Garrison making a quick recovery, however, the Nacogdoches Independent School District (NISD) is still struggling.”

According to the article, “Officials are unsure how the ransomware was downloaded.” Let me take a guess. Without an email security service, someone clicked on a link they shouldn’t have in a phishing email.

 

Puerto Rico’s Government Ransomware

Puerto Rico’s government also didn’t fare too well this week. According to Security Week, “Puerto Rico’s government has lost more than $2.6 million after falling for an email phishing scam, according to a senior official.” What was the culprit? Business email compromise.

Apparently, the government agency transferred money to a fraudulent account “after receiving an email that alleged a change to a banking account tied to remittance payments.” Those pesky last-minute changes of banking accounts really hit you where it hurts.

 

Healthcare Breaches

The week wouldn’t be complete without at least a few data breaches at healthcare organizations. This week’s victims brought to you by the HIPAA Journal. This week’s list includes Shields Health Solutions, a Stoughton, MA-based provider of specialty pharmacy services to hospitals; Lafayette Regional Rehabilitation Hospital in Lafayette, IN; My Health My Resources of Tarrant County in Fort Worth, TX; the medical transportation service provider, Reva; and Lawrenceville Internal Medicine Associates in Lawrence Township, NJ. The hackers would like to thank you all for not taking your email security seriously.

And that’s the week that was.
