Raptor IT Network
raptoritnetwork · 3 years ago
Over 90 Hacked WordPress Add-Ons Could Give Away Your Website Access
The affected WordPress developer's add-ons are used on more than 360,000 active websites.
Researchers have found that a total of 93 WordPress add-ons — 40 themes and 53 plugins — were compromised as part of a large backdoor attack that gives threat actors full access to the websites those add-ons are installed on. How large is the supply chain attack? On one hand, it's constrained to AccessPress, a single WordPress developer. On the other hand, AccessPress's add-ons are used on more than 360,000 active websites, making this a massive security incident. We've said it before and we'll say it again: getting quality antivirus software looks more and more like a necessity every day.
How the WordPress Files Were Affected
Researchers at security company Jetpack first discovered the attack when they noticed a PHP backdoor had been added to some themes and plugins. Their theory is that an external threat actor breached AccessPress's website in order to compromise all of its software at once, making it far easier to gain access to a much larger swath of websites. According to Bleeping Computer, once admins installed one of these add-ons on their WordPress website, the threat actors' code slipped a new “initial.php” file (one with a base64-encoded payload that writes a webshell into the “./wp-includes/vars.php” file) into the main theme directory and referenced it from the theme's main “functions.php” file. Once in place, the payload would be decoded, giving the threat actors just what all hackers want: remote control of their target website. The attack happened in September 2021, Sucuri researchers say, and went undetected until now.
Check if Your WordPress Site is Infected
Jetpack has put up a list of the compromised add-ons. If you run a WordPress blog and the list of compromised software includes a plugin or theme you've installed between last September and now, you might be infected and you'll need to check. Here's how, according to website security company Sucuri:
- Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function there with some obfuscated code, you've been compromised.
- You can also search your file system for “wp_is_mobile_fix” or “wp-theme-connect” to see if there are any affected files.
If compromised, Sucuri recommends taking these steps:
- Replace your core WordPress files with fresh copies.
- Remove and replace any affected AccessPress themes or plugins with fresh copies downloaded from the official WordPress repository. If the software you need was taken offline, go ahead and remove the plugins/themes from your website and find replacements.
- Follow the standard post-infection steps, like updating wp-admin administrator and database passwords as a precaution.
Granted, this incident is just 93 themes and plugins, but there's no harm in checking for the latest threat. As any IT professional can tell you, the online security job is never done.
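The two checks above, turned into a small read-only scan script. This is an added example, not code from the article, Jetpack or Sucuri; it builds a constructed sample WordPress tree (a placeholder function body stands in for the obfuscated code) so it runs offline, and it only reports, never cleans.

```shell
#!/bin/sh
# Added example (not from the article, Jetpack or Sucuri): scan a WordPress
# document root for the two indicator strings the article names.

# Print every file under $1 containing either indicator string.
# grep's exit status is passed through: 0 = something matched, 1 = clean.
scan_wp_indicators() {
    root="$1"
    # -r recurse, -l file names only, -I skip binaries,
    # -F fixed strings (no regex surprises), -e one pattern per flag.
    grep -rlIF -e 'wp_is_mobile_fix' -e 'wp-theme-connect' "$root" 2>/dev/null
}

# Focused check on the file the article names: does vars.php define the
# injected function? Prints "line:text" for each hit so you can compare
# against the 146-158 region mentioned in the article.
check_vars_php() {
    f="$1/wp-includes/vars.php"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    grep -nF 'wp_is_mobile_fix' "$f"
}

# Number of flagged files, for scripting or for a quick yes/no.
count_hits() {
    scan_wp_indicators "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real site) so the script runs offline.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/sample-theme"
    # Core file with an appended fake function; the body is a PLACEHOLDER,
    # not the real obfuscated payload.
    printf '<?php\n// core code ...\n' > "$d/wp-includes/vars.php"
    printf 'function wp_is_mobile_fix() { /* PLACEHOLDER obfuscated body */ }\n' \
        >> "$d/wp-includes/vars.php"
    # Theme functions.php that references the dropper name (constructed).
    printf '<?php\ninclude_once "wp-theme-connect.php";\n' \
        > "$d/wp-content/themes/sample-theme/functions.php"
    # Untouched file that must not be flagged.
    printf '<?php\necho "hello";\n' > "$d/wp-content/themes/sample-theme/index.php"
    echo "$d"
}

# Usage: run against the sample tree, or replace $root with your real
# document root (e.g. /var/www/html) to scan a live install.
main() {
    root=$(make_sample_root)
    echo "Scanning $root"
    scan_wp_indicators "$root" || echo "no indicator strings found"
    check_vars_php "$root" || echo "vars.php looks clean"
    echo "flagged files: $(count_hits "$root")"
    rm -rf "$root"
}

main "$@"
```

A hit on either string is a reason to restore from known-good copies, not a clean bill of health when absent: the scan only finds the strings the article names.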
WordPress Vulnerabilities
WordPress has been having a bit of bad luck when it comes to malware attacks and vulnerabilities. Last November, the platform ran into a spate of fake ransomware messages that demanded website owners fork over Bitcoin payments or see their files deleted — something the attackers couldn't actually accomplish. The attacks aren't only against WordPress, of course. Last week, for example, we covered the ‘WhisperGate' malware family, which acts like ransomware but which Microsoft says “lacks a ransom recovery mechanism” and is actually “designed to render targeted devices inoperable.” As for this recently revealed add-on attack, the danger is over now, but a similar incident could be tough to avoid in the future. Antivirus software won't hurt — we'd recommend McAfee or Norton — but the danger is always out there. Original article written by: Adam Rowe | tech.co
How to keep your Zoom meetings safe and secure
Part of The Verge guide to working from home
Back in the early days of the COVID-19 pandemic, people who wanted to get together while staying safe from infection discovered that they could meet with friends, families, and co-workers via videoconferencing software. Maybe because many of them were already using Zoom at work for videoconferencing, that app almost immediately became the flavor of the day. There were a few hiccups along the way — possibly because Zoom was meant to be primarily a business app. At first, while Zoom included some methods that could be used to safeguard meetings, those features could be hard to find, especially if you hadn't used the app before. Meetings began to be interrupted by unwanted intruders who would purposely cause disruptions, often in extremely nasty ways (a problem that was soon named “Zoombombing”). Not surprisingly, this led to a considerable backlash, much of it concerning the lack of security for users. In response, the company put additional safety measures in place. For example, it automatically enabled virtual waiting rooms and passwords for accounts in its free and lowest-paid tiers, and encouraged people to use unique meeting IDs rather than their permanently assigned personal IDs. Having to deal with passwords and virtual waiting rooms may make for a slightly less friendly interface, but it also means it's less likely somebody you don't know will pop into your family get-together. Although there are a number of alternative videoconferencing services available, Zoom is still a popular choice. So if you're using the free version of Zoom, here are some ways to keep your meetings secure.
Use a unique meeting ID and password
Zoom automatically adds passwords to accounts, and those passwords can be embedded in the meeting links. For example, if you schedule a meeting, you'll see that the link contains your meeting ID and, right after that, the password for the meeting. Anyone you send that link to will be able to immediately gain access to your meeting without having to separately enter a password — and if they decide to post that link publicly, it will negate any security the password might have provided. So while everyone who uses Zoom has a personal meeting ID, using that ID for all your meetings means more and more people will know that ID, and that increases the chances someone unwelcome may find their way in. For this reason, when you schedule a meeting, Zoom now assumes you want to use an automatically generated unique meeting ID rather than your personal meeting ID. In fact, there are few reasons to use that personal ID — even if you have a regularly scheduled conference with friends, you can simply send out a new invitation (with a new meeting ID) for each meeting, just to be safe. If you haven't yet created a meeting, this is the process that you will probably follow:
- If you're using the Zoom app, click on the “Schedule” button. If you're using the web interface, click on “Schedule a meeting” on the top line. In either case, the “Schedule Meeting” window will appear.
- If you wish, you can enter a meeting topic and description. Put in the date, time, and duration of your meeting. (If you're on the free plan and there will be more than two people in your meeting, you're limited to 40 minutes.)
- Look for “Meeting ID,” and make sure that “Generate Automatically” is selected. This will generate a unique ID for that meeting rather than use your personal meeting ID.
- Under the Security heading, you will be assigned a passcode; you can change it if you want.
- Below that, it's strongly recommended that you enable “Waiting Room,” so that you can approve anyone who wants to enter the meeting space. (We'll discuss it more in a moment.)
- Click on “Advanced Options” if you want to allow participants to join without having to use the waiting room (not recommended), mute them upon entry, automatically record the meeting, or approve or block entries from specific geographic areas.
- Click on “Save.”
- You will most likely be brought to a page where you will see all of the options for that meeting. Halfway down, you can click “Copy the invitation” to easily save the info so you can send it to your participants.
- And that's it. When you're ready, you can click on the blue “Start this Meeting” button or use the generated meeting link.
Use the virtual waiting room
As mentioned before, you can approve anyone who wants to join a meeting by using a virtual waiting room, from which you can then either let them in — or not. When each participant clicks on their link, they will be asked to wait, while you will get a notification at the top of your screen telling you someone has entered the waiting room. You can either immediately admit them or click on “View.” A sidebar will then show you everyone who is waiting to enter the meeting; you can then either admit them, remove them from the waiting room (and from any chance to enter the meeting), or send them a message.
You can use the waiting room to vet your participants. Having to approve everyone who wants to join might be a pain to deal with, especially if you're expecting a lot of people, but it will ensure that anyone who shows up in your meeting actually belongs there.
Lock down, don’t share, kick ’em out
There are other Zoom security features you can use to protect yourself and other participants. If you know exactly who belongs in your meeting, and they’re all there, you can lock down the meeting by clicking on the “Security” link at the bottom of the screen and choosing “Lock Meeting.” Once you do that, even somebody who has the meeting ID and password cannot get in. Using the same menu, it could also be a good idea, especially if you’re holding a meeting with a lot of people, to uncheck the “Share Screen” selection. If by bad luck somebody who means to disrupt the meeting is allowed to share their screen, they can make things extremely uncomfortable for the rest of the participants. (If at some point, a participant has a legitimate need to share their screen, you can re-enable sharing at any time.) If a participant does start to misbehave but you don’t necessarily want to kick them out (or you want to discuss what you’re going to get them for their birthday), you can put them back in the waiting room. Click on the “Participants” icon at the bottom of your screen, find the name of the participant on the resulting side panel, hover over their name, and then click on “More” > “Put in waiting room.” The participant will no longer have access to the meeting; in effect, they will be back in the waiting room until you decide to let them return.
The Security icon leads to several ways you can handle a problem participant. Of course, you can kick somebody out of the meeting entirely by using that same drop-down menu and clicking on “Remove.” If that becomes necessary, by the way, it might be a good idea to then lock the meeting so they can't try to get back in. If things get really out of hand, click on the Security icon and select “Suspend Participant Activities.” According to Zoom, this will stop “all video, audio, in-meeting chat, annotation, screen sharing, and recording during that time” and, as host, you'll be asked if you want to report any particular user. You will also be able to supply details of the problem, along with screenshots. That person will be removed from the meeting (and reported to Zoom's “Trust and Safety” team), and you can then re-enable your various features and continue your meeting. Original article written by: Barbara Krasnoff | The Verge
Phishing Scam Targets Businesses by Impersonating US Dept of Labor
The phishing scam has been at large since 2021 and involves around 10 sites impersonating the government agency.
A new phishing scam that involves threat actors impersonating the US Department of Labor (DoL) has been targeting US businesses and their employees. The scam email asks prospective victims to enter their Microsoft 365 address or company email into a fake webpage. Attacks like this are a grim reminder of the importance of equipping your staff with both antivirus software and the knowledge to spot ‘fake' emails.
What Happens During the Phishing Attack?
This new type of phishing attack was discovered by cloud-based security platform Inky, which says it has been detecting scam emails impersonating the US DoL during “the back half” of 2021. Concerningly, the vast majority of the phishing emails appeared as if they came from no-reply@dol.gov, which is the genuine address of the US DoL website. Additionally, Inky reports that a small percentage came from the fake but similar-looking domains dol-gov.com, dol-gov.us and bids-dolgov.us. This scam was able to spoof the actual web address of the US Department of Labor, which many unsuspecting victims will take as an indication that the email is legitimate. The scam email – which uses a US DoL letterhead – asks recipients to bid on “ongoing government projects”. The email claims to have been sent from the “Chief Procurement Officer” at the department. Attached to the email is a PDF document that includes information about the fake bid opportunity, as well as a malicious link. You're then sent through to a fake DoL page, and a ‘click here to bid' button will take you to a page where you're asked to enter your Microsoft 365 or business email address. Regardless of whether you enter your details correctly, the page will ask you for them twice, ensuring your actual details are stolen.
Phishing Scam Techniques
The page victims are sent to looks identical to the real DoL page – because it is (but only visually). This is done by lifting the HTML code and CSS from the legitimate site, reproducing an exact copy. Another sophisticated tactic used in this scam is utilizing the legitimate DoL page itself: if a victim enters their credentials twice – which an Inky researcher did – the page redirects to the genuine DoL site, adding to the confusion over what has happened. Inky also reveals that the email was able to obtain a DKIM pass – a check used to root out scam and spoofed emails – by hijacking a legitimate mail server belonging to a non-profit organization. However, brand new domains were also used in some cases – another tactic used to avoid detection by anti-phishing tools that rely on blacklists.
What Can I do to Protect My Business and Employees?
In this day and age, your business has to be prepared for all kinds of threats – only some phishing emails are designed to steal credentials. Others may include links to pages full of malware or sites that attempt to encrypt your files and demand a ransom. For this reason, you've got to equip employees with antivirus software as well as the knowledge to spot shady emails when they show up in their inboxes – both are just as vital to protecting your company's data. Having online learning courses on email phishing that have to be completed every so often is a good place to start. They'll help employees identify the often subtle differences between legitimate emails and ones sent by threat actors, and familiarise themselves with common characteristics of phishing emails. Remember, if unsure as to whether an email is legit, you can always open a new, separate channel of communication with the legitimate organization referenced within it to double check. In this case, contact the DoL and ask them if this is an email that was sent from their servers. Similarly, if you think an email purporting to be from your bank looks suspicious, contact your bank and ask them about it. Approach every email from an address that doesn't belong to a work colleague or expected contact with extreme caution. Always ask yourself the question: could this email be a scam? If the answer is even a maybe, then again, treat it with extreme caution and – most of all – never, ever click on anything. Original article written by: Aaron Drapkin | tech.co
US Counterintelligence Tips For Blocking Spyware
Tips include ensuring that passwords are secure, as well as regularly restarting devices to disrupt the spyware.
The US National Counterintelligence and Security Center (NCSC) and Department of State have kicked off the new year with a gift for everyone – tips on how to block spyware attacks. The advice runs the gamut from the more obvious, such as avoiding suspicious links and having anti-virus software installed, to slightly more esoteric tips that you might not be aware of, such as regularly restarting your device. Having a device infected with spyware is a huge risk for anybody, opening up your phone or computer to constant surveillance and meaning that all your data can be compromised.
Protecting Yourself Against Spyware
The advice comes as a collaboration between the US National Counterintelligence and Security Center and the Department of State, published as a PDF. Among the tips given by the organizations are:
- Regularly update devices and mobile apps – a key action to protect against vulnerabilities that may have been discovered in software.
- Don't click on suspicious links or email attachments – a given, granted, but there's no harm in being reminded that this is always a very bad idea.
- Encrypt and password protect your device – password managers can help here if you're struggling to remember your passwords.
- Disable geo-location options and cover cameras – this one might seem inconvenient if you need to regularly use these elements, but it's good practice if you're concerned about spyware.
- Regularly restart devices – many of us don't restart our mobile phones often, but doing so could disrupt any spyware on the device.
The threat of spyware is very real, and can have dire consequences for those who are unfortunate enough to become a victim:
“Journalists, dissidents, and other persons around the world have been targeted and tracked using these tools, which allow malign actors to infect mobile and internet-connected devices with malware over both WiFi and cellular data connections.” – US National Counterintelligence and Security Center and Department of State
The Dangers of Spyware
Spyware is a lucrative business for hackers. Once a computer or mobile phone has been infected with this software, that device becomes an open book, with hackers able to access files and passwords and to track keystrokes, location, messaging, browsing history and more. It's even possible to access the device's camera, meaning that it's feasible for someone with ill intent to take over a webcam, which could potentially lead to extortion scams. While ransomware may be the security threat most in the headlines at the moment, spyware hasn't gone away. In fact, there have been several high profile cases recently, including Pegasus, an Israeli-created spyware that was identified last year as having many high profile targets, including French president Emmanuel Macron and Imran Khan, prime minister of Pakistan. Some spyware hides in plain sight, with creators piggybacking off popular trends to get their software onto people's devices. Google regularly removes apps from its store that masquerade as legitimate apps but are designed with the intent of stealing user data, such as the ToTok app in 2020.
Staying Cyber Safe in 2021
If you feel like there's been a rise in cyber threats in recent years, then you're not paranoid. Numerous studies have shown that more attacks are happening than ever before, spurred by the disarray caused by the pandemic, which has seen an increase in the number of us working remotely. However, it's not all bad news – there are plenty of steps we can take as individuals and businesses that can mitigate the threat from hackers. The first, and most important, step is being vigilant and aware of where attacks can come from. Advice like that from the NCSC and Department of State above is a great start. There is also a lot of tech and software that can assist, too. Password managers are an exceptional way of remembering multiple passwords without having to rely on using the same one over and over (a great big no!). They can even alert you when your password has been compromised. Anti-virus software might seem obvious, but it really is a great line of defence against any malicious software out there, and can also save your skin if you let your vigilance slip and click on a suspicious link or attach an infected device. VPNs are a great way to hide your identity online, making it harder for hackers to target you. They can also provide you with peace of mind when using public Wi-Fi spots. Original article written by: Jack Turner | tech.co
Hackers Sending Ransomware-Laden USB Drives To Businesses
Packages purporting to be from Amazon, containing gifts, actually held something much more sinister.
The FBI has warned that the latest ransomware threat may not come from the internet – but instead via an infected USB stick. A security alert sent to US organizations details that packages have been received by businesses in transportation, insurance and defence, containing external drives with ransomware loaded onto them. These are often disguised as gifts. Ransomware is a serious concern for any business, but most threats come from online attacks. The news that physical devices are being actively distributed by scammers is a warning that companies need to be more vigilant than ever.
Infected USB Keys Sent to Businesses
The threat, first reported by The Record, has seen several businesses receive packages via the United States Postal Service and United Parcel Service containing USB sticks which purport to be sent as gifts. In some cases, the USB sticks arrive in presentation boxes from Amazon, with a thank you letter and gift certificate included. In others, they come with letters about COVID-19 procedures alongside the USB drive.
“Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defense industries” – FBI security alert
Despite the presentation, there's nothing but a nasty surprise on these USB sticks, which, when inserted into the user's device, carry out a BadUSB attack: the drive presents itself as a keyboard and delivers commands to the device. At this point, ransomware can be delivered, and the user locked out of the device, and network, until demands are met. Failure to do so risks any available data being wiped or distributed on the internet. According to the FBI alert, US defence industry companies have been targeted, as well as health authorities and hospitality providers.
The Rise of Ransomware
Ransomware made plenty of headlines in 2021; in fact, it barely felt like it ever left them. Many high profile targets, such as Garmin, Colonial Pipeline and software provider Kaseya, have all been hit, but smaller groups have also been hit hard. Even the Baltimore school authority found itself a victim, with IT systems shut down and schools unable to open. As many experts will tell you, ransomware is thriving. Despite efforts by authorities to disrupt the scammers, it continues to thrive. Part of the reason for this is believed to be the pandemic, and the increase in the number of us working from home. With the pivot to remote working, the traditional security perimeter of the office has become a lot harder to maintain, with companies wrestling with ensuring that all their employees are following IT best practice from their living rooms and bedrooms. Ransomware attacks were estimated to cost $20 billion in 2021 – that's up from $325 million in 2015. And with the average ransomware attack costing companies $761,000, not to mention the risk to data, it's a threat that every company needs to be vigilant of.
Avoiding USB Ransomware
If you're reading this with a heavy heart, worried about yet another avenue that scammers can use to attack your business, then don't fret; there are some key steps you can take to avoid these attacks. Firstly, be very cynical about unsolicited gifts, especially those that you need to plug into your computer. Employees should be wary of using devices that have not been cleared by IT – in fact, you may wish to disable the use of USB devices that don't have authorization from IT, although this can be difficult in the case of USB sticks, as they are fairly common and many employees may have a genuine need to use them. In the case of the most recent scam, the USB sticks distributed are branded ‘Lily GO', so definitely be on the lookout for this particular make of drive. Another key to fighting any attacks like this is antivirus software. While the best defence is to not plug an infected USB drive into your device in the first place, a computer with antivirus software stands a good chance of identifying and isolating the malicious code before it has a chance to do any damage. Original article written by: Jack Turner | tech.co
Regulating crypto could create American super apps
Image Credits: loveshiba / Getty Images
Much of Chinese society has come to depend on so-called super apps like WeChat to do multiple tasks, from making a medical appointment to hailing a taxi to getting a loan, all on one platform. But such one-stop shops have not taken off in the United States. Now, the time may finally be ripe — and the best contenders for super apps come from the fintech world, especially those platforms dedicated to cryptocurrency. Cryptocurrencies are quickly growing in popularity amid sky-high equity prices, record-low interest rates and fear of inflation on the horizon, and they could, perhaps, gain more legitimacy if the U.S. government decides to fully regulate them, a topic Congress is currently exploring. Dedicated crypto platforms like Coinbase, or even PayPal, Venmo and Stripe, which recently added the ability to use crypto for payments, could evolve into the U.S. versions of super apps, assuming crypto issuers can work with regulators to find a middle ground between protecting the consumer and creating new financial and investment opportunities. If consumers see crypto as secure and legitimate — and easy to use — it could become the base of super apps. Expanding these crypto and payment apps to integrate with other apps and services would make many diverse tasks more convenient. The bottom line is that people are thinking about finance not just when they go to the bank — if they even have access to a bank — but when they shop, vacation or pay for a medical visit, and such apps would help deliver the financial services they need in a personalized manner.
Integrating crypto payments into other tasks would also go a long way in democratizing the world of finance and money, giving underserved communities and those with no credit histories who struggle to open credit cards or get loans more access to financial services.
The rise of the super app
WeChat started out as a messaging app in China in 2011, but by 2013 it also functioned as a payment platform and soon offered many other services, like shopping, food delivery and taxi-hailing. Now it offers more than a million different services, mainly through mini apps that businesses develop to work within WeChat. Alipay, which also has more than a billion users, is similar. These two apps have been credited over the last decade with converting China from a cash-only economy to one heavily reliant on digital payments, skipping over the intermediary phase of debit and credit cards. The concept has also become popular in Indonesia and elsewhere in the region. The fact that they involve financial services, including payment options, is key, and the common thread that runs through many of the super apps' services. But while app use has exploded in the United States and Europe; Big Tech players like Apple, Facebook and Google have added payment services; and several payment apps like Venmo and Square have become more popular, super apps have not yet emerged. This is partly because of data privacy regulations; privacy laws in the United States, and especially in Europe, limit data shared between apps, making it harder to create an ecosystem where mini apps can automatically integrate into super apps like Alipay. It also stems from the U.S. having had a well-developed internet ecosystem, with popular social media sites, like Facebook, and payment sites, like PayPal, existing before the rise of smartphones, which resulted in each of these platforms launching separate apps, rather than one app offering multiple services. Compare that with China, where much of the internet was mobile-first, arising only after the advent of smartphones. The U.S. market has long been used to separate platforms for separate tasks.
But many analysts point to apps and tech companies adding more services — like TikTok adding shopping, Snapchat integrating mini apps for games or Apple entering the payment space — and say that super apps will eventually emerge in the U.S., or at least bigger apps that can do more things. Adding more services to any one app, and finding a way to keep users on it, is also a way around privacy regulations that prevent one app from knowing what its users do on another app. Apps are clearly on track to get bigger and more comprehensive, even though it is unlikely the U.S. would end up with only one or two dominant ones, as seen in Asian markets.
The rise of DeFi
Meanwhile, cryptocurrency developed alongside payment apps and super apps over the last decade. What started out as one product, Bitcoin, has developed into an entire peer-to-peer financial system, known as DeFi, with several currencies, including Ethereum and Dogecoin, allowing users to invest, trade, spend and lend out money. But despite its surge in popularity, especially during the economic uncertainty posed by the COVID pandemic, and more traditional financial institutions starting to offer some crypto-related services, it remains outside the mainstream financial system and sector, with many experts saying it poses high risks. Crypto issuers have also long resisted regulation, as that would go against their goal of having a decentralized financial product. But now things are starting to change, with some crypto platforms expressing interest in following regulation. For example, Coinbase dropped a plan to offer an interest-earning product, which would have allowed users to earn interest on coins loaned out to others, after the U.S. Securities and Exchange Commission failed to offer guidance on it and threatened to sue Coinbase if it released it. In fact, crypto issuers are realizing that some regulation would give their product more legitimacy and allow more people to use it for more purposes. This comes as new crypto products have hit the market recently, including stablecoins, which track the value of traditional currencies. Regulation of crypto, an idea that SEC Chairman Gary Gensler has said he supports, along with some in Congress and some in the crypto industry, could indeed be on the horizon.
Using cryptocurrency to fuel the first U.S. super app
If crypto issuers work with government officials to set up regulation that protects consumers without limiting innovation, crypto is a good bet for what finally spurs American super apps. Think about what could happen if Coinbase were to work with the SEC and align on smart regulation that would validate Coinbase as a viable and certified financial intermediary, one users could rely on both for its new financial products with potentially attractive yields and for everyday spending. Regulation would likely stabilize the currencies, turning them into something practical to shop with, rather than just hold for potential value. Such regulations would also eliminate some of the steps that add friction to current user experiences when it comes to using crypto in everyday life, like long transaction times, high transaction fees and large fluctuations in its value. A regulatory framework would unlock massive demand for crypto, and there would suddenly be many businesses — from restaurants to retail — that would want a way to process crypto payments, spurring them to integrate into existing crypto payment apps and causing those to evolve into super apps. More people would also make deposits in crypto on these apps, rather than using traditional currencies in their banks. This would disrupt the entire economy and financial ecosystem. Banks have always produced products they think the public wants, while the world of crypto and DeFi is clearly providing products and services that people need, and millions are already using them, despite their uncertain regulatory and legal status. Just as ubiquitous and integrated digital payments quickly emerged in China to fill a need — a cash alternative in a market underserved by credit cards — crypto-based super apps would fulfill the needs of consumers and businesses looking for a secure and efficient way to use crypto instead of, or in addition to, traditional payment methods.
If crypto remains an unregulated gray zone, and its platforms remain isolated from the rest of economic and daily life rather than evolving into super apps, the United States will miss the opportunity to build a new and innovative mobile- and digital-first financial ecosystem. Original article written by: David Donovan | TechCrunch
raptoritnetwork · 3 years ago
The Worst Scams of 2021
We've covered a lot of scams over the last year. Take a look at some of the worst below and learn how to avoid them.
It's been one heck of a year. Between massive security breaches and new COVID variants, it's safe to say it's been a year of protecting yourself. Unfortunately, the world of cybercrime hasn't taken a break during the pandemic, which means that staying vigilant while online is more important than ever. In fact, in just the first four months of 2021, the US was already experiencing 25% more digital fraud than the previous year, and it didn't get much better from there. As the consequences of poor cybersecurity became a part of everyday online life, it's worth remembering that, to paraphrase GI Joe, understanding how scams work is half the battle. Over the course of the year, Tech.co has covered a wide range of scams, from ransomware and phishing attacks to fake vaccine surveys and cryptocurrency hacks. In this article, we're going to round them all up to help you understand that 2021 was a year full of scams, so you know how to avoid them in the new year.
The Worst Scams of 2021
It's that time of year! Let's take a look at some of the worst scams that we've covered in 2021, and let's vow to be better in the new year!

The Bait Attack Scam

The key to an effective phishing scam is the ability to actually get a potential victim to engage with it. Because most phishing scams are far from clickable content and often just end up in your spam folder, scammers have gotten wise and now focus their attention on potential victims who actually open these kinds of emails. And the way they are finding these click-heavy users is through something called “bait attacks.” A bait attack is a low-threat attack that doesn't even try that hard to scam you. It's often something as simple as an empty email with an innocuous subject line like “Hi” or “How are you?” However, if the user responds to the email in any way, it informs the scammer that you're someone ripe for the scamming.
Almost immediately after responding, users will receive a second email that is designed to steal their data. Gmail was the primary provider this scam focused on, with 91% of attacks arriving on the popular platform.

The SIM Swapping Scam

There are a lot of ways you can protect yourself online. From password managers to VPNs, the kind of software available today does plenty to keep you safe. This is one of those scams that you can protect yourself from, but it's still worth knowing exactly what to look out for. It starts with a potential scammer attempting to convince your mobile carrier to send them a new SIM card, often using a combination of stolen data and readily available personal information. If they succeed, they'll be able to set up any phone with your credentials, giving them access to a wide range of your sensitive information. Just a few weeks ago, a rash of these SIM-swapping attacks hit everyday users with the goal of emptying out cryptocurrency accounts. One victim reportedly lost up to $80,000 in Bitcoin.

The Vaccine Survey Scam

Tragically, the pandemic has given the scam business a lot to work with. Fearful people are much more prone to falling for scams; at least, that appeared to be the case with a March 2021 scam that saw users duped into taking a fake vaccine survey in exchange for a non-existent reward, the shipping of which the user would have to cover. There was, of course, no such reward, with all of the information provided in the survey, and the credit card number used for shipping, sent to a nefarious third party. “The past year has been incredibly challenging for every single one of us,” said Ian Dyson, commissioner of the City of London Police.
“Sadly, we have seen devious criminals taking advantage of the coronavirus pandemic as a means to commit fraud, often homing in on people’s anxieties and the changes that have occurred to their daily lives.”

The YouTube Collaboration Scam

The good news about some phishing scams is that you don't really have to worry about a lot of them, as they are often geared towards particular professions. The bad news is that this targeted approach makes it a lot harder to know whether or not you're a potential victim of the scam until it's too late. At least, that's the case with this particularly clever phishing scam that was aimed at YouTube creators. If you know anything about YouTubers, it's that they love to collaborate. This scam takes advantage of that by sending fake collaboration emails for anti-virus software, VPNs, music players, photo editing apps, or online games. Once the victim clicks on the collaboration opportunity, the scammers hijack their account, selling it to the highest bidder or using it to broadcast other scams. The scam was pretty widespread too. Propagated primarily through Gmail at first, Google announced that its Threat Analysis Group (TAG) had blocked 1.6 million emails from the campaign to protect its YouTube brethren, displayed 62,000 Safe Browsing phishing page warnings, blocked 2,400 files, and successfully restored 4,000 accounts.

The Fake Ransomware Scam

Most scams are designed to trick you into providing money or information to a third party. Ransomware attacks, on the other hand, actually hold your data hostage, requiring a ransom to release it. However, if you can convince someone that you've encrypted their information without actually doing so, apparently that'll work too. This scam found WordPress users inundated with an admittedly alarming message, which stated that their information was encrypted and they'd need to pay to have it decrypted. The thing is, the message was a fake.
No data was encrypted, and the message could be bypassed easily. Still, the countdown and the generally threatening look of the message were enough to convince at least a few to pay the ransom. The lesson here: always check whether your data is actually encrypted when a ransomware attack appears to occur.
The Excel Attachments Scam

The inclination to click on a mysterious link to find out what it is runs deep in the average user. Fortunately, most email providers can tell when a link is malicious, and they block it from being read. But this scam from September found one effective way to dodge spam blockers in service of infecting computers with malware: Microsoft Excel. Because Excel is so low on the priority list of potential threats, emails with mysterious links to spreadsheets were able to slip past blockers into inboxes. The cells of the spreadsheet were then filled with “lightweight embedded macros,” which wreaked havoc on your computer if you activated them. When it comes to mysterious links, we implore you to fight your instincts and never click on them. In fact, avoiding links in emails that aren't from people you know is your best bet in the long run.

The Google Photos Poster Scam

Phishing scams, like clickbait, are terrible because they're designed to get you to click on them. Whether it be something you really want or a problem you really need to fix, an effective phishing scam will be tailored to a user's inability to stay away. And this scam from earlier this year took advantage of that big time. By impersonating the platform with some very convincing design choices, the scammers would insist that pictures taken and stored by the user on Google Photos would be used on a poster promoting the platform. As soon as you click on any of the links, though, the Google facade is dropped, and you're sent to fake giveaway and rewards scams. In the event you actually follow through, you'll be asked to provide financial information, which, of course, will be used to steal your identity and your money.
While Google Photos would be technically allowed to do this, the odds that the company actually would are quite low. Suffice it to say, even when the design is convincing, critical thinking is a great way to stop phishing scams in their tracks.
Types of Scams
In 2021, there were a few key types of scams that dominated headlines. Phishing scams, ransomware attacks, and cryptocurrency hacks have become an increasing nuisance in the online world. And the first step towards protecting yourself is knowing what to look for.

Phishing Scams

As arguably the most common type of scam in the world, phishing is the process of pretending to be a reputable company or website in the hope that the user will be convinced and provide personal or financial information. Whether it be over the phone, through SMS messages, or via email, these scammers are relentless in trying to get their hands on your precious, precious data. In 2021, early predictions showed that phishing scams would be even more prevalent, and the means by which these phishing scams are propagated have been elaborate to say the least.

Ransomware Scams

As the name suggests, ransomware is a form of malware that can infect your computer and either threaten to publish your data or withhold it indefinitely unless a ransom is paid to the perpetrator. It's extremely common among businesses, but individuals have been affected as well, which is never fun. Ransomware is not nearly as conspicuous as phishing scams, but there are still some interesting ways in which cyber criminals will infect your computer with this vicious malware.

Cryptocurrency Scams

Cryptocurrency is the decentralized, digital currency that is housed on the blockchain, allowing for a notable lack of regulation across its use. Unfortunately, this lack of regulation tends to let cyber criminals take advantage, leading to some seriously unfortunate cryptocurrency scams that cost victims a lot of money. The best way to hold on to your Doge and your Eth going into 2022 is to stay vigilant and avoid any nefarious deals that might be riskier than they're worth.
How to Protect Yourself Online
We've been saying it all year, but the online world doesn't have to be a scam-riddled hellscape. While phishers and scammers and ransom-takers may be lurking around every corner, the reality is that there are plenty of tools designed to help you and your business stay safe all year round. Password managers are a great place to start. Not only will you be able to ensure that your credentials are securely protected from nefarious actors, you also won't have to remember all those pesky passwords. Talk about a win-win! Antivirus software and VPNs are a good next step as well, as they can protect you from malware, tracking, and other questionable tactics used in the tech industry. Finally, if you're a business struggling to manage cybersecurity and remote workforces, remote access software is designed to help you work from home without the threat of hacks. All those tools are great, but your most valuable asset when it comes to cybersecurity is your own vigilance. If you take a closer look, most scams are incredibly easy to spot, as long as you take the time to do so. Good luck out there, and we'll see you in 2022 with a whole new batch of scams! Original article written by: Conor Cawley | tech.co
raptoritnetwork · 3 years ago
Security flaws found in a popular guest Wi-Fi system used in hundreds of hotels
Image Credits: Jeff Greenberg / Getty Images

A security researcher says an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk. Etizaz Mohsin told TechCrunch that the Airangel HSMX Gateway contains hardcoded passwords that are “extremely easy to guess.” With those passwords, which we are not publishing, an attacker could remotely gain access to the gateway’s settings and databases, which store records about the guests using the Wi-Fi. With that access, an attacker could access and exfiltrate guest records, or reconfigure the gateway’s networking settings to unwittingly redirect guests to malicious webpages, he said. Back in 2018, Mohsin discovered one of these gateways on the network of a hotel where he was staying. He found that the gateway was synchronizing files from another server across the internet, which Mohsin said contained hundreds of gateway backup files from some of the most prestigious and expensive hotels in the world. The server also stored “millions” of guest names, email addresses and arrival and departure dates, he said. Mohsin reported the bug and the server was secured, but that sparked a thought: Could this one gateway have other vulnerabilities that could put hundreds of other hotels at risk? In the end, the security researcher found five vulnerabilities that he said could compromise the gateway — including guests’ information. One screenshot he shared with TechCrunch showed the administration interface of one hotel’s vulnerable gateway revealing the guest’s name, room number and email address. Mohsin reported the newly discovered cache of flaws to Airangel, but months passed and the U.K.-based networking gear maker still has not fixed the bugs. A representative told Mohsin that the company hasn’t sold the device since 2018 and that it is no longer supported.
But Mohsin said the device is still widely used by hotels, malls and convention centers around the world. Internet scans show more than 600 gateways are accessible from the internet alone, though the true number of vulnerable devices is likely to be higher. Most of the affected hotels are in the U.K., Germany, Russia and across the Middle East, he said. “Given the level of access that this chain of vulnerabilities offers to attackers, there is seemingly no limit to what they could do,” Mohsin told TechCrunch. Mohsin presented his findings at the @Hack conference in Saudi Arabia last month. Airangel did not respond to a request for comment. Original article written by: Zack Whittaker | TechCrunch
raptoritnetwork · 3 years ago
Buy Now, Pay Later Services Are Taking the Shopping World by Storm
Millions have now postponed payments with BNPL services, but concerns about consumers' ability to manage the debts remain.
Buy Now Pay Later (BNPL) services exploded onto the online shopping scene a few years ago, and according to various studies conducted over the last 18 months, they are only going to get bigger. BNPL services like the Sweden-based Klarna have seen their user base soar during the pandemic, and now even integrate with in-store POS systems. But the way it changes consumer approaches to debt, as well as the fact that the industry is new and largely unregulated, is causing some concern amongst retailers and financial institutions.
What are BNPL Services and How Do They Work?
You’ve probably already been given the option to use a Buy Now, Pay Later service when you’re inputting your payment information to check out on an online store. Some BNPL services let you postpone your payment for thirty days, whereas others give you the option to pay for items in smaller increments, such as $5 a week for five weeks instead of $25 in one transaction. Typically, BNPL services do not charge interest (although some still do); some charge late fees, and others take a small transaction fee on each purchase. Ecommerce platform Shopify claims that BNPL services decrease the chances that a customer will abandon their cart, and RBC Capital Markets estimates that this could increase conversion rates by around 20-30%. This is how they make their money — by taking a cut of whatever the customer pays, on the proviso that customers are buying a lot more due to the presence of the service.
Buy Now Pay Later’s Meteoric Growth
Buy Now Pay Later services have become particularly popular in countries like the US, with user bases increasing exponentially during the pandemic. Their newfound popularity and subsequent worth are perhaps best illustrated by recent acquisitions. Leading POS supplier Square, for instance, announced in August that it planned to acquire BNPL company Afterpay for $29 billion and integrate it into its systems. According to a survey from early this year, 55.8% of US consumers have reportedly used one, compared with 37.65% in the summer of 2020. According to Adobe, which analyzed over one trillion visits to US ecommerce sites, BNPL service use had grown 215% year-over-year in Jan-Feb 2021. Forbes reports that, since its launch, more than 7 million people have used PayPal's BNPL service and purchased more than $3.5 billion of products. They also estimate that, by the end of 2021, $100 billion’s worth of purchases will be made using these types of services, more than four times the figure from 2020. But the phenomenon is not specific to the United States. According to Finder, 4 out of 10 Brits have used a BNPL service at least once, and around 9.5 million people in the UK say they avoid buying from shops that don’t provide one at the checkout. Between January and July 2020, during which the UK went into lockdown, 986,000 Brits downloaded the Klarna app, the country’s most popular BNPL app. By way of contrast, at the end of 2018, that figure was just 14,000.
So, What’s the Catch?
For many millennial spenders, who enjoy the ability to spread out or postpone payments while experiencing difficult financial circumstances, there isn’t one. But that’s not the whole picture. The rapid rise of the industry means that there’s very little regulation governing this category of financial entity. These services don’t have to do affordability assessment checks, for instance, whereas other organizations that offer loans do. Aside from the lack of regulation, there’s the problem of immediacy and simplicity. When you use a BNPL service, you are signing up for a credit agreement — but it's doubtful shoppers truly understand this and treat it in the same way they would another type of loan. Is it feasible to expect someone to know what they’re signing up for or agreeing to during a process that can be completed in a couple of clicks? One recent study conducted by Qualtrics on behalf of Credit Karma found that 34% of BNPL users had missed at least one payment, and more than half of millennials had.
Should you use Buy Now, Pay Later services?
If, in general, you're financially stable enough to pay what you need to pay when you need to pay it — be that in a block payment in a month's time, or in increments over a few weeks — then these BNPL companies represent a great option for you. They're great for small purchases like buying a few items of clothing, but remember — the larger the sum you defer to one of these companies, the bigger the hit it's going to be at the end of the month (or whenever you get paid). If you find yourself using the services regularly and subsequently missing payments — or making progressively larger purchases — then, if the service you borrow from charges late fees, you may end up paying more than if you'd just paid upfront. Treat Buy Now, Pay Later services like you would every other loan — don't borrow outside of your means and ensure you've got a clear idea of how and when you're going to pay it back. Original article written by: Aaron Drapkin | tech.co
raptoritnetwork · 4 years ago
How Much Does a Website Designer Cost?
A good website designer can create a handmade, bespoke website that attracts the right customers, for any company.

A good quality website designer may charge you from $500 to over $10,000 to create or redesign a website for you. If you're only looking to create a small site of a few pages to list your business details, however, then expect things to be at the lower end of the scale. In this guide, we'll talk you through the costs you can anticipate paying for a website designer, plus explain how you can get comparable quotes for a more tailored idea of your own likely costs. However, we'd also urge you to consider creating a website yourself with a website builder like Wix, which came out top in our tests. The costs for this could be as little as $60 per year, and you'll be in complete control. Professional, modern templates and fast-track creation processes mean you can build a website for yourself in a few simple steps. Everyone judges a book by its cover, and every online customer will judge a business by its website. If your business site hasn't been updated in years, it could be turning potential clients away. The solution is to find a professional website designer. A good website designer can create a handmade, bespoke website that attracts the right customers for any company, small or large. But every business is different and has different requirements. After all, there's a host of distinct features that could make a website sparkle.
This article aims to break down each of those features and how much it'll cost you to hire a designer to implement them. We also explain any other details a business owner might need to know in order to hire a website designer today.
Website Designer Costs
If you're an individual hoping to craft a personal website, you're more likely to take the Do-It-Yourself approach. You'd be amazed how good-looking a website you can create on your own. You can get started for free, though some of the best website builder features come at just $8/month. If you're interested in this route, take a look at the best website builders available today or learn more about website costs. For any busy small business owner, however, getting a professional web designer to build a site is the smartest path. This can help you build a distinguished online presence that leverages social media and SEO to reel in brand new customers.

How Much Does a Website Designer Cost?

While there’s no set cost, the average price of professional website designs can range from $500 to over $10,000 depending on the selection of features you'd like, and your business needs. Here's a quick rundown of the options for web design contractor jobs, and what prices to anticipate.

| Website Designer Costs | What You'll Get | Best For |
| --- | --- | --- |
| Up to $500 | A simple but professionally designed brochure-style site of a few pages | Very Small Businesses |
| $500-$1,000 | A small website with core pages and some basic app integrations | Small Businesses |
| $1,000-$1,500 | A website with a proper content management system for ongoing updates, plus more advanced app integrations | Small to Medium Businesses |
| $1,500-$3,000 | A website with more advanced ecommerce or customer order tracking functions, plus support features | Medium to Large Businesses |
| Over $10,000 | A large-scale website with a focus on analysing customer data for analytics, databases and advanced tracking | Large Businesses |

Website Design for Under $1,000

For small or mid-size businesses that don't require much, a small website of between one and five pages should be all you need. In addition to the main landing page, the site might include an About Us page and a page listing contact or location information.
Prices for this type of “brochure” style site might dip as low as $250, or shoot as high as $700, but should stay solidly under $1,000. It's a trim price for a sleek but limited professional website. This option suits most companies that conduct their main business offline and need a simple site that points internet goers in the right direction.
Website Design for Up to $1,500

A slightly more expensive website design might include a few additional features, listed here:
- A content management system — If business owners plan to make regular updates to their website, this system will allow them to do so. A good feature for a site with a blog.
- Social media integration — This embeds social media pages directly into the website, allowing it to be updated effortlessly via Facebook or Twitter.
- Google Business and Maps integration — By adding additional code to the backend of a website, a designer can ensure that Google highlights your site if a Google user in the area searches for your industry.
- Analytics integration — This allows website owners to track their visitors and see a record of how those visitors interacted with the site.

Website Design for Up to $3,000

This pricing range covers ecommerce websites — sites that function as online stores. Rather than point to an offline business, an ecommerce website functions as an extension of the business, or as an entire business by itself. Here are the features these sites need:
- Order management system — This lets an online store collect customer orders and track the products sold.
- Delivery tracking — This allows the customer to see where their package is in transit and when it has arrived, giving them peace of mind and avoiding any potential miscommunication about when a lost package might have last been seen.
- Live chat features — Customers feel better knowing there's a human behind the website, and a chat feature allows for real-time two-way communication that does just that.

Website Design for Over $10,000

Large businesses might need a database-focused website: This type of site allows a local or regional business to gain data from their customers, which can then be fed into a service custom-built to turn the data into insights that can improve analytics, tracking, or orders.
The more customized services that the website data is used for, the more expensive the price tag for designing a site. National or international businesses will be in need of an even more advanced database site, and can expect to pay over $13,000 for a professional website that accommodates their needs. With a higher price comes a higher return on investment: The data that a large company gathers can help it better hone its services, potentially saving millions in the long run.
Website Design Agencies
What's the difference between a website design firm and a website design agency? It comes down to size and function. Firms tend to be larger and cover a range of services, while agencies might subcontract out certain services or simply stick to providing a single service. An argument in favor of firms is that their in-house talent ensures quality. However, a point in favor of agencies is that the wider range of potential third-party designers offers a better variety. In the end, it comes down to the individual firms and agencies themselves. They both thrive on industry connections and healthy reputations. If they're professional, know what they're doing, and can deliver on their promises, they're worth their weight in gold.
Freelance Web Designers
Individual freelancers can be just as great as design firms, though they can be more difficult to track down if you're new to all this. Asking for referrals from trusted business owners in your network is often the best way to find a great freelancer. When working with an individual for the first time, you'll need to prioritize expectations of the project and a clear contract. Make sure both parties agree on the features that are needed, the timeline for the work to be done, and where and how the payment will be delivered. Neither you nor the designer should rely on a handshake. Any reputable designer will set out a contract with agreed stages for review and delivery of the project.
How Much Will It Cost to Design Your Website?
When it comes to website design pricing, nothing's set in stone. Prices differ depending on the type of website, the number of pages to be designed, and the quality of the service. For small, mid-size or large businesses in need of a website (or looking to redesign an old website), getting a few bespoke quotes from the best web design firms is the way to learn how much the job will cost. If a design firm is the right fit for you, they will be willing and able to provide a personally tailored quote that breaks down the services they'll be providing. For a painless way to compare quotes from multiple website design firms, fill out our fast one-minute form. Original article written by: Adam Rowe | tech.co
raptoritnetwork · 4 years ago
Hackers Get Away with Tens of Millions of Dollars Worth of Cryptocurrency
A bug within a crypto finance system known as MonoX allowed hackers to steal over $30 million worth of cryptocurrency.
An unknown hacker or hacker group has taken advantage of a vulnerability within MonoX Finance, a cryptocurrency service, using it to steal approximately $31 million worth of cryptocurrency after artificially inflating the price of a token. The vulnerability was in the system MonoX uses to draft smart contracts, and it allowed the hacker to exchange one cryptocurrency token for another of the same type but at a different value, which should be impossible. For some, one of the biggest draws of cryptocurrency is the lack of a central governing body. With normal currency, the government can impose taxes and fees on transactions, but cryptocurrency has no such body. This, however, means that there is little to no law when something does go wrong.
What Did the Hackers Do?
How exactly did this heist take place? After all, cryptocurrency blockchains are supposed to be some of the most secure online services in the world, so the fact that someone could not only figure out an exploit but also escape with that much money is noteworthy to say the least. An internal accounting error within MonoX Finance let the culprit inflate the price of the MONO token and then use it to cash out $31 million worth of Ethereum and Polygon tokens. This was done by altering the sell price without changing the buy price, meaning that the transactions were weighted heavily in their favor. This exploit was possible specifically because of a feature known as smart contracts, which are essentially automated scripts that are activated under certain conditions. However, since these scripts are automated, there is no human to look at each case and gauge whether it's a good idea or not, meaning that they can be manipulated under the right circumstances. “These kinds of attacks are common in smart contracts, because many developers do not put in the legwork to define security properties for their code… They had audits, but if the audits only state that a smart person looked at the code for a given period of time, then the results are of limited value. Smart contracts need testable evidence that they do what you intend and only what you intend. That means defined security properties and techniques employed to evaluate them,” said Dan Guido, an expert in securing smart contracts. While this attack is enormous, it's not the first to occur under similar circumstances. Similar attacks have hit other financial firms that deal in cryptocurrency, like Indexed Finance losing $16 million due to index pool management.
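To make Guido's point concrete, here is an added example that is not part of the original article and not MonoX's contract code: a constructed single-price swap pool (the pricing rule, the ToyPool class, make_pool and price_reserve_violations are all assumptions) in which a swap of a token for itself is mishandled unless explicitly rejected, plus a randomised check of one defined security property. The property is the defender's statement of the bug described above: after any accepted swap, a token whose reserve did not change must not have changed price. The same check flags the vulnerable configuration and passes the hardened one.

```python
"""Toy swap-pool model illustrating a testable security property.

Constructed teaching model, NOT MonoX Finance's contract code: the pricing
rule, the class and the function names are assumptions chosen so that the
accounting error described in the article (a same-token swap that moves the
quoted price without moving the reserve) can be stated as a property and
checked automatically.
"""
import random
from dataclasses import dataclass, field


@dataclass
class ToyPool:
    price: dict = field(default_factory=dict)    # token -> quoted price (unit of account)
    reserve: dict = field(default_factory=dict)  # token -> units held by the pool
    reject_same_token: bool = True               # the hardening: refuse token_in == token_out

    def swap(self, token_in: str, token_out: str, amount_in: float) -> float:
        """Sell amount_in of token_in, receive token_out at the current quotes."""
        if self.reject_same_token and token_in == token_out:
            raise ValueError("a token cannot be swapped for itself")
        if amount_in <= 0:
            raise ValueError("amount_in must be positive")
        p_in, p_out = self.price[token_in], self.price[token_out]
        r_in, r_out = self.reserve[token_in], self.reserve[token_out]
        amount_out = amount_in * p_in / p_out
        if amount_out >= r_out:
            raise ValueError("insufficient reserve of token_out")
        # Move the tokens. When token_in == token_out the two updates cancel,
        # so the pool's reserve of that token is unchanged.
        self.reserve[token_in] = r_in + amount_in
        self.reserve[token_out] = self.reserve[token_out] - amount_out
        # Re-quote: holding more token_in lowers its price, holding less
        # token_out raises its price. When both names refer to the same token
        # the second assignment silently overwrites the first, so the price
        # rises even though nothing net entered or left the pool.
        self.price[token_in] = p_in * r_in / (r_in + amount_in)
        self.price[token_out] = p_out * r_out / (r_out - amount_out)
        return amount_out


def make_pool(reject_same_token: bool) -> ToyPool:
    """Pool with constructed sample state; the figures are illustrative only."""
    return ToyPool(price={"MONO": 1.0, "ETH": 4000.0},
                   reserve={"MONO": 1_000_000.0, "ETH": 250.0},
                   reject_same_token=reject_same_token)


def price_reserve_violations(pool: ToyPool, rounds: int, seed: int = 7) -> list:
    """Randomised check of one security property: after any accepted swap,
    a token whose reserve did not change must not have changed price.
    Returns the (token_in, token_out, token) triples that violate it; an empty
    list means the property held in every round."""
    rng = random.Random(seed)
    tokens = list(pool.price)
    violations = []
    for _ in range(rounds):
        t_in, t_out = rng.choice(tokens), rng.choice(tokens)
        amount = rng.uniform(0.001, 0.05) * pool.reserve[t_in]
        before = {t: (pool.reserve[t], pool.price[t]) for t in tokens}
        try:
            pool.swap(t_in, t_out, amount)
        except ValueError:
            continue  # a rejected swap mutates nothing and cannot violate the property
        for t, (r0, p0) in before.items():
            reserve_same = abs(pool.reserve[t] - r0) <= 1e-9 * max(1.0, abs(r0))
            price_same = abs(pool.price[t] - p0) <= 1e-9 * max(1.0, abs(p0))
            if reserve_same and not price_same:
                violations.append((t_in, t_out, t))
    return violations


if __name__ == "__main__":
    print("vulnerable model:", len(price_reserve_violations(make_pool(False), 200)), "violations")
    print("hardened model:  ", len(price_reserve_violations(make_pool(True), 200)), "violations")
```

The point of the design is that the property is written down independently of the swap code and then exercised mechanically; an audit that only reads `swap` can miss the overwrite, whereas the randomised check finds it on the first same-token round and keeps passing once the guard is in place.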
The Future of Cyber Security and Cryptocurrency
As mentioned, one of the main draws of cryptocurrency is the ability to trade currencies and goods without having to pass through the government's mandated taxes or fees. And due to the relative newness of cryptocurrency, government regulations are still struggling to keep up. However, this is a bit of a double-edged sword. While not having to live under regulations sounds nice, that means when something like this happens, the legality of the whole situation is far grayer than it would be if someone had robbed a bank or government building. The more things like this happen, the more that governments will likely be pressured to impose stricter regulations on the world of cryptocurrency in general. In fact, federal bank agencies issued a statement outlining their 2022 roadmap in regard to cryptocurrency regulation. The relevant agencies stated that they were looking to: “Provide coordinated and timely clarity where appropriate to promote safety and soundness, consumer protection, and compliance with applicable laws and regulations, including anti-money laundering and illicit finance statutes and rules.” What this means is still slightly up in the air, but it's a borderline guarantee that the crypto world is headed for more federal regulation, despite the fact that a large portion of the crypto user base is likely opposed to this development. However, if it stops multi-million-dollar attacks from taking place, then it's hard to argue against regulations too strongly. Original article written by: Duncan Lambden | tech.co
raptoritnetwork · 4 years ago
Hackers are Hijacking Phone Numbers to Empty Crypto Accounts
Aggrieved investors are suing their telecoms providers after falling victim to scammers using SIM-Swapping techniques.
Small-scale crypto investors are being increasingly targeted by hackers, according to one report published this week. Cybercriminals are performing a fraudulent practice called SIM-swapping, in which a person's phone number is transferred to a device the attacker controls. Several telecoms carriers are now embroiled in lawsuits brought by victims who feel they were not sufficiently protected. Shielding yourself from SIM-swapping involves limiting the personal information you put on social media and using tools such as password managers and authenticator apps.
Crypto-Thieves Move on to Smaller Fish 
Reporting in The Wall Street Journal details how one individual who invested their life savings in Bitcoin had their accounts emptied overnight, losing $80,000 or more in cryptocurrency. Over the past few years hackers have trodden a well-beaten path toward extremely wealthy, well-known figures in the crypto scene who have made millions investing. Hacking groups have also targeted crypto companies with increasing frequency: most recently, $610m was stolen from the platform Poly Network, and fraudsters have accrued further millions from various hacks over the past six to seven years. Small-time investors have been caught up in these large-scale attacks before, but now it seems cybercriminals are cutting out the middleman and going straight for the investors themselves via SIM-swapping scams.
What is SIM-Swapping?
SIM-swapping is an increasingly common way to take control of someone's mobile number. It starts with social engineering: the attacker has to ‘verify’ their identity to the carrier, duping it into believing they are the victim. The carrier then performs exactly the process it runs for legitimate customers, either moving the number to a new SIM card (a SIM swap) or moving it to a different carrier (mobile ‘porting’). A SIM swap can take as little as 10 minutes and is well worth the time for hackers. Once you control someone's phone number, you have a potential way into that person's accounts, from social media to their bank. This is largely because phone numbers are woven into account security: SMS-based two-factor authentication codes and password-reset codes are delivered to the number, so whoever holds the number receives them.
Legal Battles and FCC Action
Aggrieved investors have already opened legal proceedings against various phone carriers, which The Wall Street Journal says has already caused some providers to modify their security provisions. In February, for instance, Calvin Cheng sued T-Mobile for indirectly enabling a hacker to steal $450,000 worth of Bitcoin after he fell victim to a SIM-swapping scam. But that case, and all others of a similar nature, were dwarfed just days ago when a SIM-swapping scam enabled a Canadian teenager to steal $36.5 million (USD) in Bitcoin. In late September, the Federal Communications Commission proposed tightening the rules on how numbers can be swapped between phones and providers after a number of US citizens, including crypto investors, contacted it. “The Commission and our sister agency, the Federal Trade Commission (FTC), have received hundreds of consumer complaints about SIM swapping and port-out fraud,” the FCC's document reads. “The bad actor can…change login credentials, drain bank accounts, and, increasingly, steal cryptocurrency and sell or try to ransom social media accounts.” Telecoms providers have hit back, however, saying the proposed regulations would hand hackers a ‘blueprint’ for future attacks.
Can I Protect Myself Against SIM-Swapping?
One way to protect yourself is to use an authenticator app for multi-factor authentication rather than your phone number. The app derives each code from a secret stored on your device, so a hacker would need the device itself rather than your number, and the codes refresh every 30 seconds or so. Where an account offers it, remove SMS as a fallback second factor as well, since an attacker who controls the number can otherwise simply choose the weaker option. Minimizing the amount of personal information someone can find through your public social media accounts is the first step to decreasing your risk of a SIM swap. Hackers may try to gather information about you before a SIM-swap scam in order to answer security questions, so making sure your social media accounts don't carry too much personal information, and that what is there is only viewable by friends, is a good start. Alternatively, ask your carrier for extra protection: most carriers offer an account or port-out PIN that must be quoted before a number is moved, and some will add further security questions or a call-back check that goes beyond the usual provisions. As with all scams like this, hackers will still, at some point, need at least one of your passwords. Making sure they're long enough, complex enough and stored in a secure password manager like LastPass, which also has its own authenticator app, is essential.
How Will I Know if my SIM's Been Swapped?
An indication someone may have swapped your SIM is a sudden loss of cell service and a lack of incoming texts and/or calls. Remember to check whether your carrier's network is down and eliminate other explanations, like your phone's memory being too full to receive new messages. If there's a possibility you're a victim of SIM-swapping, contact your carrier immediately, then change the passwords on any accounts tied to your phone number and move their second factor away from SMS where you can. Original article written by: Aaron Drapkin | tech.co
raptoritnetwork · 4 years ago
37% of World’s Smart Phones Could Have Been Used for Eavesdropping
A problem with MediaTek chips, which has now been addressed, meant malicious Android apps could have accessed phone audio.
Millions of Android users have a chip in their phones that could have allowed malicious apps from the app store to eavesdrop on their conversations, a security research team has found. The chip that contains the issue is present in about 37% of the world's smartphones, and Android users were potentially exposed to threat actors before the issue was patched. Stories like this are a reminder that you have to take security into your own hands and bolster your mobile security rather than relying on, say, the company that makes your phone. Antivirus software, for instance, is just as useful on your phone as on a traditional computer.
What was the Issue with the Chip?
MediaTek's system on a chip (SoC) includes two relevant components: an AI Processing Unit (APU) and an audio Digital Signal Processor (DSP). In short, they offload media processing from the main CPU, improving media performance and reducing CPU load. Check Point, the security firm that identified the issue, said in its research findings that it “reverse-engineered the MediaTek audio DSP firmware despite the unique opcodes and processor registers, and discovered several vulnerabilities that are accessible from the Android user space.” A malformed inter-processor message, Check Point claims, could be used to hide and then execute malicious code inside the DSP firmware, and because the DSP has access to incoming audio (that is what it processes), it could be used to listen to the conversations of whoever is near or on the phone. Interestingly, and quite concerningly, none of the vulnerabilities required any user interaction beyond the installation of the malicious app. Thankfully, there seems to be little evidence the vulnerabilities have been exploited in the wild. The three DSP vulnerabilities were tracked as CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663, all fixed in October. A fourth, CVE-2021-0673, in MediaTek's audio Hardware Abstraction Layer (HAL), was fixed in the same month, but details will not be published until December. Check Point's researchers were able to use it to disrupt the hardware inside the MediaTek chip they were analyzing.
Why Android Users Were at Risk
Check Point estimates that these vulnerabilities were present in more than a third of the world's smartphones. In the second quarter of this year, around 43% of smartphones shipped contained a MediaTek chipset, up from 24% in the same period a year earlier. A sufficiently crafted malicious app on the Google Play Store could, in theory, reach the DSP and the audio data it processes. The flaw is certainly a complicated one and exploiting it would have taken significant technical nous, but it's entirely possible. Google Play Protect can scan the apps on a phone for malware, but it's unclear whether Play Protect would have picked up apps coded to exploit this vulnerability.
Security Matters – Especially on Phones
Whenever we think of computer viruses, hackers, scammers and fraudsters, many people's minds go to their desktop PC or laptop. But phones are just smaller computers and are equally susceptible to malware infections and phishing attacks. Nowadays, it's vitally important that you invest in adequate security provisions on your phone as well as on the computer you use for working, gaming and watching Netflix. VPNs, for instance, are one of the most useful pieces of tech you can invest in for your phone, although they're a privacy tool first and foremost: a VPN protects traffic in transit, and would have done nothing against a malicious app that already had a foothold on the device, as in this case. Antivirus software is available for phones too, and is a good idea on Android considering how many apps on the Google Play Store have been found to contain malware or to be used to orchestrate phishing attacks. Original article written by: Aaron Drapkin | tech.co
raptoritnetwork · 4 years ago
How Secure Are Your Messaging Apps?
A recent report has shown how much information the government can pull from messaging apps like WhatsApp and Signal.
The FBI recently released a training document detailing the encryption of major messaging apps and what the FBI was able to obtain from each service through legal process. The document was released under a FOIA request, so it is most likely accurate. Encryption transforms data so that only a holder of the right key can read it; with end-to-end encryption, those keys exist only on the sender's and recipient's devices, so the service provider cannot read message content even when legally compelled to hand over what it has. Various national governments have resented encryption in messaging apps for a while, pressuring tech companies to weaken it in the name of security. Despite this, apps like Signal have stuck to their guns with strong end-to-end encryption, meaning that the FBI (or other surveillance agencies, or insidious third parties) can pull very little from them. WeChat also returned no message content in the document, though that reflects the company's legal-process position for non-Chinese accounts rather than end-to-end encryption, which WeChat does not use.
Which apps are the most secure?
Encryption is an important feature, so a lot of messaging apps boast impenetrable encryption. But how true is this? Well, there's no better litmus test than having your service go up against the FBI, so who truly came out on top? Here are some highlights (good and bad) from the FBI document:
- Signal allowed for no message content, and only the date and time of a user's registration and last use of the service
- WeChat doesn't allow for messages to be viewed, but can provide basic information (name, phone number, email, IP address) for non-Chinese accounts
- Viber doesn't allow for messages to be viewed, but provides account registration data and the IP address at time of creation, as well as message history: time, date, source number and destination number
- WhatsApp doesn't offer up any messages, but can be subject to subpoenas, court orders and search warrants, which can reveal contacts, blocked users and other scraps of information
- Wickr shows a load of information, including account creation information, the device owned by the user, the user's avatar, the number of messages and the number of external IDs (like phone numbers and email addresses), among other things
Clearly, Wickr gives up a lot, and WhatsApp is less opaque than Meta would have you believe: its message content is end-to-end encrypted, but the metadata around the messages (contacts, blocked users and similar records) is available through legal process. Signal and WeChat, by contrast, reveal only the bare minimum.
What does this mean for messaging apps?
Solid encryption is a crucial element of any messaging service. A lot of people don't go out of their way to encrypt their online activity; around 80% say they're not particularly aware of any encryption on the services they use. One of the reasons Signal is so consistently lauded by cybersecurity professionals as a good messaging platform is its encryption. Encryption doesn't just stop governments prying into your messages; it stops any third party that intercepts them in transit, including the service itself. If Signal's and WhatsApp's encryption is good enough to keep message content from the FBI, an eavesdropper on the network won't get at it either. The caveat is that end-to-end encryption protects messages in transit, not on the devices at either end: malware on your phone, or an unlocked handset, reads your messages just as you do. Of course, if we were to put on our tinfoil hats, we could conclude that this is what the FBI wants us to think, and that in reality Signal is the most transparent messaging app on the market, so that if we all switch to it in an effort to conceal ourselves, the FBI will have free rein over all of our interactions. Probably not though, as Signal is cited as the most secure app by various sources outside the FBI's control.
Other Ways to Be Secure Online
Encryption is great, but it's not the only way to keep your information away from governments and criminals alike. An app's end-to-end encryption only covers messages sent through that app, so while your Signal messages are under lock and key, the rest of your online activity is protected only by whatever each site or service provides, and your network operator can still see which services you connect to. That's where VPNs come into play. A VPN tunnels all of your traffic through its own server, so your ISP or the operator of a public Wi-Fi network can't see where it goes; bear in mind that the VPN provider can, so choose one you trust. And, as an added bonus, you'll be able to change your region, giving you access to things like other countries' Netflix catalogues. And while it's less related to encryption, a password manager is a similarly good idea. Rather than using one password for multiple sites and services, you can vary your passwords and store them all in a password manager, meaning you can make them as complex and varied as you like without having to remember them all. Original article written by: Duncan Lambden | tech.co
raptoritnetwork · 4 years ago
Over 100 Million Pieces of Malware Were Made for Windows Users in 2021
To save you getting your calculator out, that's over 300,000 pieces of malware a day - or 227 every minute.
Over 100 million pieces of malware have been produced for Windows devices this year, according to a new analysis by security software company Atlas VPN. The report also shows that new malware for Windows has grown steadily since 2012, with millions of novel threats appearing in the wild every year. Findings like these are a grim reminder that the malware problem is only going to get worse, which puts even more onus on individuals and businesses alike to run antivirus software on internet-connected devices.
Windows Malware: An Epidemic of Epic Proportions
Atlas VPN has identified 107.28 million new threats designed for Windows devices this year, 16.53 million more than were recorded in all of 2020. Averaged over the days the report covers, that works out at roughly 328,000 every single day, or 227 a minute. The data used in Atlas VPN's analysis was compiled by the independent research institute AV-TEST GmbH, which also rates and reviews antivirus software. One of the most worrying statistics to emerge from the data is that, on average, the number of new malicious programs for Windows has grown by 9.5 million a year since 2012, a 23% year-on-year increase:
[Chart: new Windows malware samples per year since 2012, image courtesy of Atlas VPN]
In an attempt to explain the increase, Atlas VPN highlights that hackers can now buy ransomware and malware ready-made, so launching a cyber attack requires far less programming knowledge. At the other end of the market, it's also now a lot cheaper to hire a hacker to conduct one for you. “A malicious person with a relatively small budget can cause severe issues to an organization's security” – Atlas VPN.
Why do Windows Devices Get More Viruses than Mac and Linux?
There's Safety in Obscurity, not Numbers
Windows is still by far the most popular desktop operating system, and there are also thousands of Windows phones still in use. That makes it the biggest attack surface, so it's largely a question of supply and demand: there are an awful lot of Windows devices out there. If you're a hacker and you want to infect as many devices as possible with a virus or malware, you'll have a much better chance of doing so if you write for the planet's most widely used operating system. Being the most popular OS, it's also the OS of choice for the average person. You have to be fairly tech-savvy to use an operating system like Linux, for instance, and Windows users are going to be much easier targets for phishing and social engineering attacks.
Historical Security Issues
But there's another explanation too. Consumer Windows was not originally designed with security in mind, and a number of aspects of its architecture have come back to bite it. Linux and macOS were always multi-user systems in which you log in with a distinct user account. Consumer Windows (the Windows 9x line) never had this: it was built on top of DOS (Disk Operating System), a single-user OS with very few security restrictions. To make major changes to the way your computer works in Linux, you need root-level access via a root account, and the rest of the time you use a standard account. Wind back the clock a few years and most Windows users simply ran as administrators, so when they ran into a virus or piece of malware, the malicious code could alter important settings that a standard account couldn't. In Linux, a downloaded binary won't run until you mark it executable, so malware can't simply auto-execute itself once downloaded (with one caveat: scripts handed to an interpreter such as bash or python run regardless of the execute bit, so this protects against one delivery method, not all of them).
Windows warns you nowadays when you download a .exe file, but unsigned applications can still run, and browsers don't always flag downloads. These days, Windows has much better security provisions and features, and third-party antivirus software, which can also flag malicious websites for you, is much more popular. What's more, operating systems like macOS and Android are gobbling up a larger market share every year, so it's no surprise that macOS isn't considered as impenetrable as it once was and that more hackers are making malware for Apple products.
I have a Windows Device…Should I Be Worried?
Worried? No, unless you're more broadly concerned with the unstoppable tide of malware that's inevitably going to destroy the internet as we know it and the rest of humanity along with it. But don't worry, you're not alone on that one. The kernel of truth in that overdramatic vision is that everyone should be concerned about the prevalence of malware on the internet. Vigilant, on the other hand? Yes. With millions of bits of malware out there in the wild designed for your device, it's important to stay on your toes online and make sure you have the necessary security software installed on your computer, such as antivirus. A VPN can be a valuable tool too, masking your IP address and protecting your traffic on public Wi-Fi, though it does nothing against malware you're tricked into running yourself. Indeed, that's exactly the advice one would give any internet user, regardless of the operating system their device runs. It's also vital to install your operating system's updates as quickly as possible, because they carry patches for vulnerabilities in whatever system you're using. Original article written by: Aaron Drapkin | tech.co
raptoritnetwork · 4 years ago
Hacky Holidays: FBI Expects Ransomware Surge Over Festive Period
The US Cybersecurity and Infrastructure Security Agency has warned US businesses: “Threat Actors Don’t Take Holidays.”
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned US businesses about the risk of ransomware attacks during Thanksgiving and the rest of the holiday season. Previous years suggest there is a somewhat increased risk of attacks during festive periods, with threat actors taking advantage of complacent businesses relaxing into ‘holiday mode’. Now more than ever, it's crucial that businesses institute watertight security strategies that include technology like business-grade password managers and antivirus software.
FBI Warns: Don’t Become Complacent During the Holidays 
The FBI has released a joint statement with CISA just in time for Black Friday and Thanksgiving weekend, which is expected to be earmarked in the diary of threat actors – although their advice applies to the whole holiday period in general, including Christmas and New Year.  Both organizations were quick to point out that the advisory notice is not linked to inside knowledge about a specific threat actor targeting, say, companies during Thanksgiving, but has instead been released due to a pattern of ‘high-impact” attacks that seem to take place at this time of year.  “Malicious cyber actors have often taken advantage of holidays and weekends to disrupt critical networks and systems belonging to organizations, businesses, and critical infrastructure” – CISA & FBI Advisory Statement.  In the statement, both CISA and the FBI urged companies or organizations that have fallen victim to cyberattacks of all kinds to report it to them directly immediately after it is detected. 
‘Tis the Season to Update Your Security Strategy 
There are a multitude of reasons for the increased risk and frequency of ransomware attacks, and of other large-scale cyberattacks on businesses, during this period. Threat actors know, for instance, that an office is much more likely to be closed on the days surrounding Thanksgiving and Christmas, and that IT teams will be thinner as staff take annual leave. Hackers and scammers in other countries study US culture closely, so it's not surprising that they're able to catch out companies and employees ready to switch off for the holidays. Given that familiarity, it's concerning that recent research by BitSight found around 75% of online retail businesses may be at increased risk of a ransomware attack due to subpar TLS/SSL configuration management. What's more, a recent global survey of companies (including 500 from the UK) by Cybereason found that around a quarter (24%) have no specific plan for dealing with cyberattacks during a holiday or weekend. The survey also found that 60% of respondents believe it takes longer to assess the scope of an attack that occurs on a weekend or holiday, with the delay allowing threat actors to embed themselves deeper into the networks they've infiltrated. Half of those questioned agreed it took longer to mount an effective response, and a third (33%) said holiday or weekend attacks required a much longer recovery period.
A Quick History of Festive-Period Ransomware Attacks 
Companies have reason to be concerned considering the avalanche of cyberattacks and ransomware attempted while people are on holiday en masse. Winding the clock back to 2011, private intelligence firm Stratfor Global Intelligence had its systems broken into on Christmas Eve, with 200GB of emails stolen. It's unlikely to be a coincidence that the huge 2013 breach of Target, in which the card details of 40 million Americans were stolen, began the day before Thanksgiving. Gamers were left incensed in 2014 after Christmas DDoS-for-ransom attacks were carried out by a group called Lizard Squad, and a similar attack was carried out 12 months later by a group called Phantom Squad, again aiming to disrupt gamers at Christmas. Meanwhile, Linode, a cloud computing company, faced barrages of attacks that took its services offline. More recently, the SolarWinds supply chain attack that made national headlines for its severity came to light in December of last year, just days before Christmas, and the threat actors behind it reared their heads again in a less successful campaign over Memorial Day. This year there has already been a direct ransomware attack over the Independence Day weekend: Florida-based software company Kaseya, and hundreds of companies downstream of it, were hit by the REvil hacking group.
How Can I Protect My Business During The Holiday Season?
The FBI and CISA have put together a few points of advice for companies looking toward the festive season with a watchful eye on their data. The first is to account for the heightened risk of attacks in your holiday planning: ensure you have IT staff on hand on important holiday days and have worked out who would be available to respond to an attack if it occurred on a date like Christmas Day. Another vital step is to institute multi-factor authentication for remote access and for every other platform or account where it's available. Strong passwords are also a must for every person in your organization, CISA says, and nowadays the best practice is to keep them in a secure password manager for businesses. As many passwords as possible should be updated before the holiday season in line with strict criteria on things like the number of characters staff should be using. Other recommendations include updating incident response plans and going back over what a suspicious email looks like with staff. You can't stop a hacking group from targeting your business, but taking these steps at a bare minimum will increase the chances that you and your company emerge unscathed. Original article written by: Aaron Drapkin | tech.co
raptoritnetwork · 4 years ago
Beginning next year, Apple will send you parts and tools to fix your iPhone and Mac at home
Image Credits: Apple
Here's a pleasant, and frankly unexpected, update from Apple. The company has just announced Self Service Repair, a new program designed to let users perform common repairs on their devices at home. Through the program, users with damaged devices will be sent “Apple genuine” tools and components, the same ones Apple uses at the Genius Bar. The company will also offer online repair manuals (text, not video), accessible through the new Apple Self Service Repair Online Store. The system is similar to the one the company rolled out for Independent Repair Providers (of which there are currently 2,800 in the U.S., plus 5,000 Apple Authorized Service Providers), beginning with the iPhone 12 and 13 and focused on display, battery and camera fixes. A similar service for M1 Macs will launch “soon” after. “Creating greater access to Apple genuine parts gives our customers even more choice if a repair is needed,” COO Jeff Williams said in a release tied to the announcement. “In the past three years, Apple has nearly doubled the number of service locations with access to Apple genuine parts, tools, and training, and now we're providing an option for those who wish to complete their own repairs.” Apple hasn't listed specific prices yet, but customers will get a credit toward the final fee if they mail in the damaged component for recycling. When it launches in the U.S. in early 2022, the store will offer some 200 parts and tools to consumers. Performing these repairs at home won't void the device's warranty, though you might if you further damage the product while repairing it, so hew closely to those manuals. After reviewing a manual, you can purchase parts from the Apple Self Service Repair Online Store. The news comes amid an increasing push for right-to-repair legislation that has been opposed by some of the biggest names in consumer electronics.
The Library of Congress recently approved exemptions to the DMCA's anti-circumvention rules that had blocked user repair. Even the president has gotten in on the act, following a May letter to Congress from the FTC, which noted, “To address unlawful repair restrictions, the FTC will pursue appropriate law enforcement and regulatory options, as well as consumer education, consistent with our statutory authority. The Commission also stands ready to work with legislators, either at the state or federal level, in order to ensure that consumers have choices when they need to repair products that they purchase and own.” Advocates of increased repairability cite numerous concerns, including lowering the cost burden of planned obsolescence, as well as growing global concern around e-waste, a cause Apple has championed over the past several years. As smartphone tech has become more advanced, the devices have become increasingly difficult to repair at home. It's a long way from the days of swappable batteries, concerns that have given rise to a boutique crop of products like Fairphone, which put user repairability out front. Apple's new program will roll out to additional countries later next year. The company is clearly still encouraging users to bring their devices to a licensed shop when circumstances allow (particularly for those covered by AppleCare+), but for the many who'd rather take matters into their own hands, this is a nice step. Original article written by: Brian Heater | TechCrunch