If it’s in the news, it will probably be used in a scam shortly thereafter, and such was the case this week. According to an article on Bleeping Computer, “An attacker is attempting to take advantage of the recent warnings about possible Iranian cyberattacks by using it as a theme for a phishing attack that tries to collect Microsoft login credentials.”
If you want bona fide proof that someone is smart, what would you look for? A medical degree? A PhD? How about a Nobel Prize? Yes. If someone has won a Nobel Prize, it’s pretty safe to assume they’re smart. But, smart enough to avoid getting phished? Maybe not, because that’s exactly what happened recently.
According to Yahoo News, “Nobel laureate Paul Krugman said he likely fell for a phishing scam.” Yep, that Paul Krugman. “The Distinguished Professor of Economics at the Graduate Center of the City University of New York, and a columnist for The New York Times.” He knows economics. Email security not so much.
There were pre-holiday phishing attacks and holiday phishing attacks. So, it should come as no surprise that there are post-holiday phishing attacks. According to KLFY.com, phishing emails are targeting shoppers with post-holiday offers.
“Here’s how the scam works: You receive an unsolicited email or text message that appears to be from a major retailer claiming you have a new reward. Experts have seen scammers use the names of Amazon, Kohls, and Costco… but any company can be spoofed. You open the message, and it looks real. It includes a company logo, colors, and a link to claim the reward points or gift from your recent holiday shopping.” You’ve been warned.
Most spam is annoying, but harmless. Unless of course it’s the basis of a sextortion scam. If you’re not familiar, sextortion is a form of sexual exploitation that employs non-physical forms of coercion to extort money or sexual favors from the victim. For instance, if someone threatens that they can blame you for child pornography and will do so unless you pay them a ransom, that’s a form of sextortion.
(San Diego, CA – January 8, 2020)
DuoCircle is a cloud-based email security solutions company and DuoCircle is offering a Free MX Backup Services account to help ease some of the business impact that the fires have had on Australia.
Hackers are at it again using PayPal to dupe unsuspecting users into stealing their data. According to The Payers, “researchers have spotted an ongoing phishing campaign targeting PayPal customers, where hackers are trying to gain access to customers’ credentials to the payment service.”
The article went on to say, “Targeted customers receive emails camouflaged as ‘unusual activity’ alerts warning them of suspicious logins from unknown devices, with the hidden purpose of stealing all their credentials and financial info. To make sure that the potential victims are willing to click on the link embedded within the phishing message, the attackers say that their accounts are limited until they are secured by confirming their identity.”
Nobody wants to get phished. And if you think about getting phished, you probably envision a worst case scenario. Maybe you see your credit rating taking a hit or perhaps even getting your bank account drained. All very bad outcomes. But, these are just consequences you see from a potential phishing attack. What can be much worse is the unseen ripple effect of a phishing attack.
Like to play video games? Then you’re a target for a phishing scam. This week’s scam of the week, courtesy of Meta Compliance, is targeted at PlayStation users.
According to the article, “PlayStation users are being warned that scammers are disguising themselves as The Elder Scrolls Online developers in a bid to trick players into disclosing their login credentials. The crooks are targeting PlayStation users via private messages that state their account will be banned if login credentials are not provided within 15 minutes.”
If you fall for the latest phishing attack aimed at American Express cardholders, you may not have a home left to leave. According to Strategic Revenue, “This AMEX Email Phishing Scam Wants You Homeless & Poor, With A Zero FICO Score.” Yikes.
This latest phishing scam is hitting hundreds of thousands of inboxes just in time for Christmas. According to the article, “You receive an email which appears to be from American Express, but it isn’t, it’s from some unscrupulous hacker hiding somewhere behind a computer who is looking to steal your identity.”
Did you think AOL was dead? Well it isn’t. And it’s being used to scam people with phishing emails. According to Scamicide, there is “a phishing email presently circulating that attempts to lure you into clicking on a link in order to continue using your AOL account. If you click on the link two things can occur and both are bad. Either you will end up providing personal information to an identity thief or you will. merely by clicking on the link, download dangerous malware such as ransomware on to your phone, computer or other device.” Not good.
Microsoft is a big target for hackers, and it seems that they have recently come up with two new and novel phishing attack methods to go after the company’s customers. And the thing that makes these phishing tactics so scary, is that they bypass traditional security measures.
The first of these phishing attacks, reported by Latest Hacking News, uses a local login form to bypass security. The attack starts with “an email notifying users about a ‘copy of payment notification’.” The email doesn’t say much, but does contain an HTML attachment.
If there’s one thing you should be able to trust, it’s an email from someone with a “.gov” domain. As in, they work for the government. Surely, only those in the government can register a .gov top level domain. Right? Wrong!
From an article on KnowBe4, “a researcher said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a ‘.us’ domain name, and impersonating the town’s mayor in the application.” Huh?
If you don’t already know, phishing attacks are not a technology exploit, they are a human exploit. Phishing technology itself is usually not that clever. A fake email, a fake website, and you have all the makings of a phishing attack.
The real trick to successful phishing attacks is the way they exploit human weaknesses. And there’s no greater human weakness than greed. People have been known to make some really dumb decisions when they let greed get the better of them. Hackers know it, and they use it in social engineering, which is a precursor to most phishing attacks.
Hackers are always looking for ways to make their phishing attacks more effective. Afterall, phishing scams are big business. The last thing a hacker wants to do is to go through all that trouble of social engineering, putting up a fake website and crafting a clever phishing email only to send that email to a dead account. One without a live person on the other end opening the email.
Netflix returns this week in our Scam of the Week section. No real surprises here. According to IT Security Guru, “You may get an email that has the official Netflix logo on it which would say that your payment for the month was not able to go through because of some problem with your bank. The email would then go on to say that if you don’t log in and check your payment details you could potentially end up losing access to your account. Needless to say, when you click the link and log in you will end up giving your account details away to someone that would use them for malicious purposes.”
People are getting wise to IRS phishing scams which happen during tax season. So, what do hackers do? Send out the same phishing emails out of season to catch unsuspecting victims off guard.
According to an article on ARS Technica, “Tax return scammers usually strike early in the year, when they can turn the personal information of victims into fraudulent tax refund claims. But members of Akamai’s threat research team found a recent surge in off-season phishing attacks masquerading as notices from the Internal Revenue Service, targeting over 100,000 individuals.”
It’s the most wonderful time of the year…for hackers. And while all indications are that hackers are actually getting started early this year with phishing emails, you can expect Black Friday and Cyber Monday to be the main events.
According to Global Security Mag, “Black Friday and Cyber Monday marks the traditional start to the holiday shopping season. Yet, with 39% of shoppers starting before then, cybercriminals have kicked off the season early too.” Their research indicates a 400% increase in pre-holiday phishing activity specifically targeted at “well-known online shopping sites.”
At its core, phishing is a pretty simple exploit. Send a malicious email, but make it look like it comes from some person or some company you know and trust.
One of the most frequently-used phishing tactics is domain name spoofing. Domain name spoofing occurs when an attacker appears to use a company’s domain to impersonate a company or one of its employees. This can be done by sending an email with a false domain name that looks like the correct domain name, or including a link in an email to what appears to be a trusted domain.
A lot of people have a Gmail account, which means marketers send a lot of emails to Gmail accounts. It sure would be nice if most or all of those emails could avoid the spam folder. Unfortunately, Google doesn’t see it that way.
According to a new report from Twilio, How Political Campaigns Can Ensure Their Email Messages Hit Home, only 3.8% of email messages from Presidential candidates made it into the primary tab of the Gmail account. What’s worse, is that 21.3% of emails ended up in the spam folder while the remaining 74.8% ended up in promotions.
Here’s a quick, one-question quiz:
If you got phished, you most likely:
Well, according to Proofpoint’s Q3 2019 Threat Report, if you got phished, there’s an 88% chance it’s because you clicked on a malicious link. So, the correct answer is #1. And that’s just one of the findings in the latest quarterly report.