Thursday, January 16, 2025

Top warning signs your identity has been stolen


By spotting these early warning signs of identity theft, you can minimize the impact on you and your family

We’re all spending more of our time online. Last year, US adults spent one hour more per day on digital activities across all of their devices than they did in 2019. By the end of 2022, we may be spending more than eight hours in the digital world each day. An unfortunate consequence of this behavioral change is that we’re sharing more of our personal data and login credentials with the companies we do business with than ever before. And cybercriminals, in turn, are stealing that data from these organizations, as well as directly from us.

In the US, nearly 1,300 publicly reported breaches of this kind had already occurred by the third quarter of 2021, more than for the whole of 2020. Hundreds of millions of victims were put at risk of identity theft as a result. So how do you know if you’ve been affected by one of these incidents? By spotting the early warning signs, you can minimize the impact on you and your family.

The cybercrime economy is worth trillions of dollars annually today. There are many constituent parts and participants. The criminals who breached data from an organization in the first place are unlikely to be the same ones who attempt follow-on identity fraud, for example. Typically, the stolen data is sold on specialized dark web forums. Then it is bought en masse and tested by identity fraudsters. They may sell the pre-tested data onwards again, or use it themselves.

Depending on the type of identity data, it could be used to:
Given the large number of possible identity theft scenarios, it pays to stay alert. Of course, the biggest warning sign that your identity data could be in danger is if you receive a breach notification letter. It goes without saying that you should read it carefully to understand the possible implications. Other tell-tale signs include:
Even small discrepancies can indicate fraud, as scammers often test the validity of stolen cards with innocuous-seeming purchases before ramping up their activity. If something doesn’t look right, freeze the card/account, which can often be done from your mobile banking app, and then contact your bank or card provider immediately.
If attackers get hold of your log-ins, the first thing they’ll do is change the password to lock you out. Alternatively, if they manage to trick your mobile operator into porting your number to a SIM they control, known as SIM swapping, they can intercept the one-time SMS passcodes that banks often use to verify your identity. That is what makes SIM swapping particularly dangerous: every account that falls back to a text message for verification is exposed at once.
Another common strategy is to use a stolen Social Security number and other personal details to file a tax return early, impersonating the victim, and fraudulently claim any refund due. If your own return is rejected because one has already been filed in your name, this could be the reason.
If you get a medical bill for services you never received, or a claim is rejected because you’ve supposedly already reached the limit set by your provider, identity thieves could be to blame. Such scams can be highly lucrative, especially in countries with private healthcare systems.
If an identity thief has racked up a large credit card bill or similar debt in your name and then vanished, it’s only a matter of time before the lender hands the account to a collection agency, and the first you hear of it may be a call or letter from them.
What to consider if your identity has been stolen
The first step is not to panic. Inform your bank/card provider/insurer immediately, and report any suspected crime to the authorities. In the US, report an incident and receive a recovery plan at: IdentityTheft.gov. See below for authorities in other countries:
UK: CIFAS and Action Fraud.
Canada: Canadian Anti-Fraud Centre
New Zealand: Contact the police or one of these specialist organizations.
Australia: ReportCyber

There’s only so much you can do to prevent breaches if they’re targeted at the organizations you do business with. But there are some preventative steps you can also take in case fraudsters try to target you directly. Consider the following:
We’re all likely to experience some form of identity theft in our lifetime. The key is to do as much as possible to minimize the chances of it happening. And to stay alert, so that when the bad guys do get hold of your data, you can shut down any scams ASAP.



Over 7k SOL ($1.2M) got lost on Solana NFT mint due to a hack


What a reversal for the Solana community, especially for Monkey Kingdom (MK) holders. A party with Steve Aoki had been scheduled to celebrate the new mint, but the event ended very badly.
Just before the real mint, a major hack hit the Monkey Kingdom Solana NFT project. Over $1.2 million was stolen from thousands of people who tried to mint, and some individuals report losing 650 SOL (~$100,000).
It is not yet clear exactly how the hack happened, but it appears that a malicious bot posted an official-looking announcement containing a link to a site that looked exactly like the original website. The domain used is recorded here: https://whois.domaintools.com/baepes.com
Since minting such a large project is a race of fast fingers, many people didn’t pay attention to what was going on. The site requested approval from the user’s Phantom wallet and then drained all the SOL from it.
Monkey Kingdom is one of the well-known “blue chip” projects in the Solana NFT space, currently sitting at a 45 SOL floor price (FP), having previously reached a floor as high as 100 SOL (~$18,000).
This looks like a well-planned attack. The team had earlier reported that malicious links were spreading via DM and told members not to click anything except posts in the official announcement channel. That is exactly where the malicious bot posted its link, and people rushed to be first to mint. The team also reported a DDoS attack that made their website unavailable just before the mint.
They are investigating with Discord’s developers what happened and say they will make it up to all victims; we’ll see what happens.
To limit the damage from this kind of attack in future, use a burner wallet: a separate account that holds only the funds you have set aside for minting, so a malicious approval can drain no more than that. For a fuller explanation, see the video in the original post.
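As an added example (not code from the original post, nor anything the Monkey Kingdom team runs), here is a small Python check of the kind a project’s Discord moderation bot could apply to every link in an announcement before it is posted or pinned: anything not on the official allowlist is flagged, and hosts that reuse the brand label under another TLD, bury the official domain inside a foreign one, or sit within a couple of edits of it are marked as lookalikes. The allowlist (example-mint.io) and the sample message are constructed placeholders, not the project’s real domains or messages.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist for a hypothetical mint site; not the project's real domains.
OFFICIAL_HOSTS = {"example-mint.io", "mint.example-mint.io"}

# Matches http(s) URLs in free text; stops at whitespace, quotes and closing brackets.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Single-character swaps that commonly appear in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"})


def normalize(host: str) -> str:
    """Lower-case, drop a leading 'www.' and fold confusable glyphs and digraphs."""
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels (no public-suffix list, so co.uk-style TLDs are wrong)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; hostnames are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for one hostname."""
    exact = host.lower()
    if exact.startswith("www."):
        exact = exact[4:]
    if exact in OFFICIAL_HOSTS:  # only a byte-for-byte match counts as official
        return "official"
    norm = normalize(host)
    for official in OFFICIAL_HOSTS:
        off_norm = normalize(official)
        brand = registrable(off_norm).split(".")[0]
        # Brand label reused anywhere in the host (other TLD, or buried as a subdomain
        # of a foreign domain such as example-mint.io.evil.com), or a short edit away.
        if brand in norm.split(".") or edit_distance(registrable(norm), registrable(off_norm)) <= 2:
            return "lookalike"
    return "unknown"


def check_message(text: str) -> dict:
    """Extract every URL in an announcement and classify its host."""
    results = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,")
        host = urlparse(url).hostname or ""
        results[url] = classify_host(host)
    return results


if __name__ == "__main__":
    # Constructed announcement: one genuine link and two lookalikes.
    msg = ("Mint is LIVE: https://example-mint.io/mint "
           "(not https://exarnple-mint.io/mint or https://example-mint.io.evil.com/x)")
    for url, verdict in check_message(msg).items():
        print(f"{verdict:9} {url}")
```

The exact-match test is deliberately separate from the fuzzy one: a host that merely normalizes to the official name (exarnple-mint.io) is a lookalike and is never promoted to official. Note what this does and does not cover: it catches a bad link once it is posted, but it cannot stop a compromised bot or moderator account from posting in the announcement channel in the first place, which is the attack described above; that needs the bot’s token and the admins’ accounts locked down separately.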
Written by
Deep internet diver, who have experience in a lot of IT segments. Mind behind http://vanila.io, https://automatio.co
UI/UX, Web/Mob Dev, Growth hacking



9 hot tips for staying safe online


By early November, pre-holiday-season email campaigns were already hitting my inbox. The National Retail Federation’s survey on the holiday shopping season, which includes Black Friday and Cyber Monday, shows an estimated increase of up to 4.8% in spending this year compared with 2017. The majority of consumers surveyed, 55%, stated they will shop online—equaling the number intending to shop in department stores.

As shopping moves online, it’s also getting more mobile: mobile web and in-app purchases now account for 61% of online transactions, leaving just 39% of online shoppers using desktop devices, according to data from Criteo’s Global Commerce Review.

Cybercriminals also seek to take advantage of this shift to online shopping and grab the opportunity to make more money with fraudulent phishing emails, scams and fake websites. With the ever-increasing number of data breaches exposing your personal information and payment card data, it’s never been more important to stay vigilant. Below are 9 tips to staying safe when shopping online this holiday season:

1. Shop with retailers you recognize. If you see an offer in a promotional email or in search results that is too good to be true, then it probably is. Finding an item from an unrecognized vendor with the best price and immediate shipping is cause for concern. Limit your online shopping to websites of online retailers that you recognize and trust.

2. Look for the padlock and, on a desktop device, the https:// at the beginning of the website address. These indicate that the connection between you and the site is encrypted, so anyone intercepting the traffic can’t read what you send. Note that this says nothing about who runs the site: phishing sites routinely use HTTPS too, so the padlock is a minimum requirement, not a sign of legitimacy.

3. Don’t make purchases while using public Wi-Fi networks. They are indeed “public.” Hackers can lurk on public networks and intercept traffic or redirect you to sites that may look like the one you expected but are fake. Also, in public places, someone can look over your shoulder and copy your password and account information as you type it in.

If you need to make a purchase when you’re not on a network you trust (such as your home Wi-Fi), use your phone’s mobile data connection rather than a public Wi-Fi hotspot; it is far harder for someone nearby to intercept or redirect.

4. Use secure payment services like Apple Pay, Android Pay (now Google Pay), PayPal or other trusted payment methods. Avoid paying with a debit card, since it draws directly on your primary bank account; if you use a credit card, pick one with a low spending limit to cap the damage from fraud.

5. Be cautious of email offers. Cybercriminals can create elaborate phishing campaigns that look like those of a trusted brand but actually take you to a fake site. Instead, open a browser and type in the website address yourself.

6. Never over-share personal data. If you don’t purchase often from a retailer, check out as a guest rather than creating an account. Reducing the number of people storing your data will help reduce your risk of being affected by a breach. Limit shared data to the essentials—it’s unlikely a site needs your SSN, so don’t include it.

7. If you do create an account, protect it with two-step authentication, so that logging in requires a one-time code as well as the password. Codes sent by text message are the most common option; an authenticator app or hardware security key is stronger, because a text can be intercepted by an attacker who has had your phone number ported to a SIM they control.

8. Review bank and credit card statements to ensure your account has not been compromised. You can also “opt in” to smartphone notifications of transactions.

9. Keep your devices up to date and have security software installed and fully operational. Software updates fix known vulnerabilities, so be sure to install them when prompted.


More than 1,000 arrested in a global crackdown on online fraud


The INTERPOL-led operation involved law enforcement from 20 countries and led to the seizure of millions of dollars in illicit gains

Law enforcement agencies from around the globe have swooped on more than a thousand people suspected of committing various types of online crime, including romance scams, investment fraud and money laundering. The international effort led to the arrest of more than 1,000 individuals and the seizure of almost US$27 million in illicit gains.


The operation, spearheaded by Interpol and dubbed HAECHI-II, was carried out over a span of four months and involved law enforcement from 20 countries, as well as authorities from Hong Kong and Macao. The authorities were able to apprehend 1,003 individuals, close 1,660 cases and block 2,350 bank accounts linked with illicit funds gained from cybercrime, as well as identify ten new tactics utilized by cybercriminals.


“The results of Operation HAECHI-II show that the surge in online financial crime generated by the COVID-19 pandemic shows no signs of waning. It also underlines the essential and unique role played by INTERPOL in assisting member countries combat a crime which is borderless by nature.

Only through this level of global cooperation and coordination can national law enforcement effectively tackle what is a parallel cybercrime pandemic,” said INTERPOL’s Secretary General Jurgen Stock in a press statement lauding the success of the operation.
INTERPOL (@INTERPOL_HQ), November 26, 2021: “Online financial crime has evolved into a global threat. Here’s how we’re fighting back. A 20-country operation coordinated by INTERPOL has led to 1,000 arrests & $27 million in illicit funds intercepted. Read the full story on Operation HAECHI-II: https://t.co/zB9OK4XyxJ”

In one case, a Colombia-based textile company was defrauded out of more than US$8 million by cybercriminals using a sophisticated business email compromise (BEC) attack. The scammers posed as legal representatives of the company and ordered that over US$16 million be wired to two Chinese bank accounts.
Half of the funds were already transferred before the defrauded company caught on to the scam and alerted the Colombian authorities. Fortunately, over 94% of the funds were intercepted thanks to the quick reaction by INTERPOL’s offices in Hong Kong, Beijing and Bogota.
Meanwhile, in another case, a Slovenian company was tricked into wiring over US$800,000 to money mule accounts in China. In cooperation with foreign authorities, the Slovenian Criminal Police were able to intercept and return the funds.

The operation also yielded substantial information on emerging developments in online financial crime. Authorities in Colombia uncovered a malware-laced mobile application that masqueraded as being affiliated with the Netflix hit series Squid Game. Once the victim installed the trojan, it harvested the user’s billing information and signed them up to paid premium services without their knowledge.
“Online scams like those leveraging malicious apps evolve as quickly as the cultural trends they opportunistically exploit,” warned INTERPOL’s Criminal Networks Assistant Director José De Gracia. He went on to add that sharing information of emerging threats is key for law enforcement to be able to protect victims of financial cybercrime.


FBI email servers compromised to send out fake attack alerts


Hackers break into the Bureau’s email systems to send out at least 100,000 emails warning recipients of imminent cyberattacks

The Federal Bureau of Investigation (FBI) has had its email servers compromised, with the hackers then sending out at least 100,000 bogus spam emails impersonating the agency and the Department of Homeland Security and claiming that the recipient’s systems have been compromised and their data stolen.
According to BleepingComputer, which broke the story, the emails claimed that the recipients have fallen victim to a “sophisticated chain attack” that led to the theft of their data. The emails were first noticed by security researchers at the international nonprofit organization The Spamhaus Project, which specializes in tracking spam and related threats.
In a Twitter thread, the nonprofit confirmed that the emails were being sent from the agency’s infrastructure using a legitimate FBI email address, “eims@ic.fbi.gov”. On closer inspection, however, the email bore the hallmarks of a scam, including poor grammar and spelling mistakes and a signature block with no name or contact information. Because the messages really did originate from FBI mail servers, checks on the sending infrastructure alone would not have flagged them; the content, not the headers, was the giveaway.
These fake warning emails are apparently being sent to addresses scraped from the ARIN database. They are causing a lot of disruption because the headers are real; they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!
— Spamhaus (@spamhaus) November 13, 2021

Speaking to BleepingComputer, the Spamhaus Project estimated that the fake emails may have made their way to at least 100,000 mailboxes, but the nonprofit added that that was a conservative estimate and the final tally may be much higher.
The phony messages lay the blame squarely on Vinny Troia, a cybersecurity researcher and CEO of the security firm Night Lion Security, trying to implicate him as the perpetrator of the “attacks”. Troia, however, had his own thoughts about who was trying to tarnish his reputation.
Wow I can’t imagine who would be behind this. #thedarkoverlord aka @pompompur_in https://t.co/Xd6XoZNRnl
— Vinny Troia, PhD (@vinnytroia) November 13, 2021

Meanwhile, the FBI released an official statement addressing the incident, stating: “The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service.”
The agency went on to assure the public that the threat actors were not able to access or compromise any data or personally identifiable information (PII) on its networks. Once aware of the incident, the bureau quickly remediated the vulnerability, checked the integrity of its networks and informed its partners that the emails were fake and should be ignored.


The triangle of holiday shopping: Scams, social media and supply chain woes


‘Tis the season to avoid getting played by scammers hijacking Twitter accounts and promoting fake offers for PlayStation 5 consoles and other red-hot products

As the holiday season beckons, so begins the frantic shopping season to find and acquire the much-wanted gift. This year, depending on what you’re looking to buy, could present some very significant challenges. A Sony PlayStation 5, for example, is one of countless products to have been severely hit by the shortage of chips, and a quick Google search for available stock will present you with price tags twice the manufacturer’s suggested retail price. Many electronic items are in short supply because of the world’s increased demand throughout the pandemic for web cams, laptops, tablets and other devices needed to work or study from home. Semiconductor manufacturers saw increased demand at a time when output was reduced by working-practice restrictions.
The general shortage at the point of manufacture is further made worse by the distribution issues of actually getting any products, regardless of category, onto retailers’ shelves, be it physically or virtually. Due to the pent-up demand for goods as the pandemic restrictions have been eased, the cost of shipping a container from China to the US recently hit an all-time high. Having recently taken a flight from Santa Ana airport to San Francisco I saw for myself the many cargo ships waiting outside the Port of Los Angeles to be docked and unloaded.
The issue is not unique to the US, however. A shortage of workforce in the distribution channel was also witnessed in the UK with long lines forming at gas pumps for fuel, due in part to a media frenzy stating there would be a shortage of gas – the issue being a shortage of truck drivers. The pandemic has caused people to evaluate where they live and what career path they want to follow, and in the supply chain this is causing very specific issues.

What a great opportunity this creates for cybercriminals. Given the shortage of goods and a holiday season approaching, it’s time to create scam campaigns and advertise we have ‘Turbo Man’ in-stock (for those of you that have not seen the 1996 classic Schwarzenegger movie ‘Jingle All The Way’ – it’s worth a watch!).
Where better to promote a scam than social media? It’s a place where consumers are sharing experiences of not being able to find goods and linking to groups and accounts that keep them apprised of which stores and sites may have stock. So, with a retrospective view, it should not have surprised me, but it did, when I received a frantic message from Jessica, a contact at a PR company contracted to ESET in the US.
As a parent of a teenager looking to acquire, yes, you guessed it, that hard-to-find Sony PlayStation 5, Jessica was delighted to find a trusted source claiming to have a spare one they wanted to sell. The offer to buy it at cost came from a renowned journalist’s verified account, followed by 250,000+ Twitter users, stating that they had a spare console not needed for personal use. Vendors often provide journalists with products to test and on occasion do not ask for the goods to be returned, so the backstory of this person having a spare console is quite feasible.

This was a ‘Turbo Man’ moment for Jessica, finding a source for one of the most sought-after gifts that teenagers and gamers want to find under the tree this holiday season. Responding to the offer 35 minutes after it was posted and getting a positive response that it was still available should have sounded the alarm bells. With adrenalin pumping, Jessica attempted to move the conversation to a call to get the deal done. This was met with a negative response to keep the conversation on Twitter, which should have been red flag number two. The conversation moved to price and identification of which particular package was being offered, an amount of $499 plus $50 for shipping was agreed; a deal too-good-to-be-true given that re-sale devices are currently priced at $800+.
When questioned about shipping, minds were set at ease when the scammer responded that they have a fixed-fee deal with UPS to ship anywhere in the US for $50. In hindsight this is probably red flag number three – why would a journalist have a shipping deal with UPS? Desperate to secure the deal, they agreed on Zelle, an instant payment system using cell phones. The name provided did not match that of the journalist, but the scammer had already squared this question away up front by saying his assistant was dealing with the transaction. The scammer was thinking ahead and had all the answers to make this all sound legitimate. In the moment, it’s easy to get carried along by the desire to do a deal rather than face the reality of it being a scam. To make sure the details of the transfer were correct, Jessica transferred $10 and they confirmed receipt.
At this point Jessica shared the deal of the day with a colleague who quickly responded with the term no one wants to hear – ‘that’s probably a scam!’. They checked recent articles posted by the journalist and it was apparent he was in Europe, so unlikely to be selling a device in the US while travelling. The colleague suggested emailing the journalist on his work email address to find out if his account had been compromised. It transpired that the scammer had taken over the Twitter account, changed the password and the email associated with the account, so the journalist was having a hard time regaining access to his own account. Jessica responsibly reported the scam to Twitter, who removed the post, and to Zelle, who opened an investigation.
As the current supply chain is making many products hard to find and the holiday countdown is on, scammers will use any means necessary to make a pretty penny. This example, shared by Jessica, demonstrates that the backstory and the answers provided during the scam can all seem very feasible and real, making it very difficult to identify the scam when you are in the middle of the excitement. I should take a moment to thank Jessica for both sharing the story with me and allowing her experience to be published, hopefully, protecting others from being scammed.
To further help highlight the perils of purchasing red-hot products on social media, here’s my own conversation with another verified (though apparently also hacked) Twitter account that now claims to sell PlayStation 5 consoles:
The moral of this story is the old reminder that ‘when something sounds too good to be true, it probably is’, regardless of the source, because the source itself may have been compromised. For many years, cybersecurity professionals such as myself have offered advice on cyber-safe shopping, and I hope the message is at least in some form in the depths of everyone’s mind when they transact over this holiday season; with this story I hope to add a small additional reminder to everyone that social media can be the playground of scammers.

Oh, and one last comment, please make sure all your online accounts, where possible, are secured with two-factor authentication. This limits the possibility of account takeovers and your accounts being the ones used to advertise a scam.


$5.2 billion worth of Bitcoin transactions possibly tied to ransomware


Threat actors are increasingly using advanced tactics to obfuscate and launder their illicit gains, a report by the US Government finds

As much as US$5.2 billion worth of outgoing Bitcoin transactions may be tied to ransomware payouts involving the top 10 most common ransomware variants alone, according to a report by the Financial Crimes Enforcement Network (FinCEN) of the United States Department of the Treasury.


The report also looked at ransomware-related Suspicious Activity Reports (SARs), i.e. reports made by financial institutions about suspected ransomware payments, in the first half of this year. “The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million),” said the agency. Not surprisingly, the analysis found that ransomware is an increasing threat to the government, businesses, and the public.


The mean total value of ransomware-related suspicious transactions was US$66 million per month, and the median US$45 million per month. According to data obtained from these transactions, Bitcoin was the cybercriminals’ preferred payment method. It’s not the only one, however, as FinCEN noted that criminals increasingly demand ransom payments in Monero, an anonymity-enhanced cryptocurrency (AEC).

In total, 17 ransomware-related SARs involved ransom demands in Monero. In some cases, the cybercriminals provided both a Bitcoin and Monero address, however, they demanded an additional fee if the payment was made using Bitcoin. In other cases, the attackers would initially demand ransom fees solely in Monero, but accepted Bitcoin after some negotiation.

Cybercriminals utilize various money-laundering tactics, including increasingly demanding payments in privacy-oriented cryptocurrencies, avoiding reusing wallet addresses for new attacks, and laundering the proceeds from each ransomware attack separately. The report also found that foreign centralized Convertible Virtual Currency (CVC) exchanges are the preferred way for attackers to cash out their ill-gotten gains.
To obscure the provenance of the digital coins, cybercriminals also use “chain hopping”, a procedure that involves exchanging one CVC for another at least once before they transfer their earnings entirely to other services. 2021 has also seen a rise in the use of mixing services – platforms that are used to hide or obscure the origin or owner of the CVC. Interestingly, FinCEN observed that the use of mixer services varies depending on the ransomware variant.
Illicit gains from ransomware are also laundered through decentralized exchanges and various other decentralized finance applications, by payments being converted to other forms of CVCs.

“Some DeFi applications allow for automated peer-to-peer transactions without the need for an account or custodial relationship. FinCEN analysis of transactions on the BTC blockchain identified ransomware-related funds sent indirectly to addresses associated with open protocols for use on DeFi applications,” FinCEN said when describing the process.


5 common gift card scams and how to spot them



It often pays to look a gift horse in the mouth – recognizing these types of gift card fraud will go a long way toward helping you stay safe from this growing threat not just this holiday season
It’s that time of the year again, when we’re all online looking for presents to give and receive. Gift cards are an increasingly popular choice, which means you might well be buying or receiving them during the festive period. In fact, they’ve become a huge global market projected to grow at a rapid clip over the coming years to reach a staggering US$2 trillion by 2027. Needless to say, the popularity of gift cards hasn’t escaped the notice of cybercriminals and online fraudsters, who’ve developed a whole underground industry focused around gift cards.
Some scams will use the cards themselves as a lure to trick you into handing over sensitive personal and financial information. In other cases, the fraudsters will impersonate officials, demanding payment via gift cards. Whatever the scam, get familiar with these tactics to stay safe online this holiday season.


As mentioned, cyberscammers have a range of tactics at their disposal. Here are five of the most common threats to look out for:
Here, the scammers masquerade as an official from the government, a utility provider, or another organization. They typically threaten the victim, perhaps claiming that unpaid taxes or an outstanding bill are due, and stress the urgency of payment: classic social engineering designed to rush the victim’s decision making.
The scam could arrive as a phishing email, a text, or a phone call (known as “vishing”). Payment is demanded by gift card, with the scammers usually specifying which brand of card they want used. All of these are red flags. As the FTC says, no legitimate business or government agency will demand payment by gift card.
Sometimes the bad guys go straight to the source and hunt digitally for a record of your gift card with the issuer. They do this by using automated bots to probe the back-end IT systems of retailers and other organizations, cycling through card numbers to find ones that exist and carry a balance. With that information they can spend the card as if they were the legitimate holder. This is ripe for exploitation: research shows that Americans alone are sitting on as much as $15 billion in unused gift cards and credits.
Scammers don’t just work online. Another popular ploy is to visit stores where gift cards are on sale and record the card numbers and secret PINs, sometimes going to extreme lengths to disguise the tampering, such as scratching off the PIN and covering it again with a replacement sticker. Depending on the card, they may wait until the victim registers the card online and loads funds onto it before spending it online or making a duplicate to use in-store.
Another category of scams uses the lure of a promised prize to trick the user into paying a fee via gift card. Unsolicited contact from the fraudster will inform the victim that they’ve won big, but need to pay a small sum to claim their prize. It could be anything from a car to a holiday – it goes without saying that there is no prize.
Gift cards themselves can be used to trick users into handing over their personal details. This is akin to a classic phishing attack, where the recipient is approached via email, text or social media with the offer of a large gift card balance. To claim it they need to fill in some personal and possibly financial details, which the scammer will then sell on the dark web or use themselves for identity fraud.
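The bot-driven balance probing described above leaves a distinctive trace in the balance-check endpoint’s logs: one client asking about many different cards in a short time, most of which do not exist. The Python below is an added example, not from the original article, of a detection rule over such logs. The log format, the /api/giftcard/balance path, the tokenised card_ref field (a reference the application logs instead of the card number) and the 10-cards-per-60-seconds threshold are all assumptions chosen for the example, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for a hypothetical balance-check endpoint; card_ref is a tokenised
# reference the application logs instead of the card number itself.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) "
    r"card_ref=(?P<card>[0-9a-f]{8}) status=(?P<status>\d{3})$"
)
BALANCE_PATH = "/api/giftcard/balance"


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "path": m["path"], "card": m["card"], "status": int(m["status"])}


def detect_enumeration(lines, window_s: int = 60, max_distinct: int = 10, path: str = BALANCE_PATH) -> dict:
    """Flag source IPs that query >= max_distinct different cards within a sliding window.
    Lines are assumed to be in time order. Returns {ip: (distinct_cards, not_found_ratio)}
    as measured at the last request that tripped the threshold."""
    recent = defaultdict(deque)  # ip -> deque of (ts, card, status) still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != path:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["card"], ev["status"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:  # drop events outside the window
            q.popleft()
        distinct = {card for _, card, _ in q}
        if len(distinct) >= max_distinct:
            misses = sum(1 for _, _, status in q if status == 404)
            alerts[ev["ip"]] = (len(distinct), round(misses / len(q), 2))
    return alerts


def constructed_log() -> list:
    """Two legitimate checks of one card, then a bot sweeping 12 card references in 22 seconds."""
    lines = [
        "2021-11-19T10:00:00Z ip=203.0.113.7 path=/api/giftcard/balance card_ref=a1b2c3d4 status=200",
        "2021-11-19T10:00:05Z ip=203.0.113.7 path=/api/giftcard/balance card_ref=a1b2c3d4 status=200",
    ]
    for i in range(12):
        status = 200 if i == 11 else 404  # the sweep finally lands on a real card
        lines.append(f"2021-11-19T10:01:{2 * i:02d}Z ip=198.51.100.9 path=/api/giftcard/balance "
                     f"card_ref={i:08x} status={status}")
    return lines


if __name__ == "__main__":
    for ip, (distinct, miss_ratio) in detect_enumeration(constructed_log()).items():
        print(f"ALERT {ip}: {distinct} distinct cards in window, {miss_ratio:.0%} not found")
```

In production you would key on more than the source IP (session, device fingerprint, ASN), since enumeration bots rotate through proxies, and you would pair the alert with rate limiting or a CAPTCHA at the gateway rather than only writing to a SIEM. The not-found ratio is what separates a sweep from a customer rechecking a couple of cards: real holders query cards that exist.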
Raising and maintaining user awareness is a large part of the battle against gift card scams. The following tips will go a long way towards helping you stay safe online:
Remember, the bad guys are constantly thinking of new ways to monetize stolen data. The above is, therefore, by no means an exhaustive list. But it should be a good place to start.


US Government declassifies data to foster would‑be defenders


US Government declassifies cybersecurity subjects they want you to learn about, and is hoping to pay you to learn them


Recent initiatives, in response to a scathing study highlighting the lack of workforce pools capable of helping the country’s digital defenses, see the government releasing information about the areas on its wish list to prime the cybersecurity education pipeline. It can’t tell you everything, but it hopes to reveal just enough to whet prospective students’ and educators’ appetites so that those subjects get pumped into curricula willy-nilly, boosting future tech worker pools.
If you’re interested in the things the government’s most interested in – like AI, software development, software engineering, knowledge management, critical infrastructure or data science – and secretly want to learn more, and if the Federal Cybersecurity Workforce Expansion Act bill passes as expected, you just got a big leg up.
Also, since college curricula tend not to age gracefully, the government hopes to keep stoking the fire and paying for the hard work of the curricula’s continual update so students are taught the latest and greatest, citing it as a critical link in the future defense chain.
Nation states have long meddled in education, hoping to engage students’ imaginations and gently steer them toward a future in digital defense, but the recent NSCAI (National Security Commission on Artificial Intelligence) report lit a fire under US Congress members about how dire the situation may become if nothing is done about it now. Congress reacted, and plans to get out the checkbook.


SnapHack: Watch out for those who can hack into anyone’s Snapchat!


Oh snap! This is how easy it may be for somebody to hijack your Snapchat account – all they need to do is peer over your shoulder.


After demonstrating in 2020 the ease with which anybody can hijack your WhatsApp, I took a hiatus in ethically hacking people’s accounts. It’s just not the same hacking your own accounts, lockdowns or not. But now as we slowly start to mix with people again, I thought it would be fun to test out my old tricks on unsuspecting victims – I mean friends – to see if it is still possible in well-known apps. I was shocked at how easy it remains.
I recently looked at the top 10 free apps on the Apple App Store and decided to target one to see if I could take control of someone else’s account. These experiments are not just about highlighting how easily it can be achieved, but also about taking the opportunity to show you the prevention methods available to help secure all your accounts.


Snapchat caught my eye due to its target audience of 18-24-year-olds (although many of its users are thought to be younger). Generation Z are often thought of as “tech savvy”, having been the first generation to grow up with technology from their early years.
On the other hand, they’re also sometimes viewed as those who cut security corners – from not setting up two-factor authentication to sharing passwords with friends. So, I decided to see what the security was like on the app and see if it could be as easily dodged as with WhatsApp.
This time round, I used a technique called “shoulder surfing”, which I like to call “shoulder jacking” and which involves someone looking over your shoulder in order to steal your sensitive information such as passwords, PINs or confirmation codes. This simple and yet effective technique remains a huge problem with social media and other accounts, but could someone use it to hijack your Snapchat account?
I haven’t got a Snapchat account but a few of my friends do. I needed an account to test and as expected, I like to ask my colleagues for permission first. My friend, who I will call “Elle”, was indeed interested in my hypothesis, so when I asked her if I could attempt to hack into her Snapchat account, she willingly obliged in the name of cyber-awareness – as long as I didn’t post anything from her account, were I to be successful!
Offering to pay for Elle’s lunch in exchange for my attempt and her generally being a good sport, a few of us went out to lunch in Bournemouth. At the table, I was sat next to Elle and we were both on our phones despite engaging in a conversation. I had previously installed Snapchat on my phone, but had not set up or logged into an account yet. I opened the app on my phone and viewed the following screen to sign in. It has a hacker’s favorite link right there in the middle highlighted “Forgot your password?”.

This is often the first port of call for anyone attempting to hijack an account to test the security and possible entry methods. I clicked on “Forgot your password?” and the app asked me to choose how I wanted to reset the password. The options were “via phone or via email”. I chose via phone, to which it then requested my phone number.

With Elle still on her phone at the table, I proceeded by entering her phone number and then waited eagerly next to her for that moment to “shoulder jack” her confirmation code. As she was looking at her phone in a message conversation, the confirmation code arrived as a drop-down notification at the top of her Apple iPhone screen, and I was able to quickly read the six-digit number and remember it.
I thought at this stage she would have put two and two together, but she just ignored it and carried on with messaging a friend. In fact, when I told her later what I had done, she said she didn’t even notice the message from Snapchat as she gets “so many notifications and they blur into one”.
I input the confirmation code on my phone and I was immediately asked to add a new password that I entered – “JakeIsAwesome.1” seemed like a good choice so she would have to type that in to recover her account later. At this stage, it was as easy as it was to take control of someone’s WhatsApp account in my previous experiment, but Snapchat had one extra layer to fully command control over the account.
Although it didn’t ask for a password (presumably due to being able to create an account without an email and username), this extra security layer was yet another confirmation code sent to her phone number again via text. I wasn’t ready for this having not predicted it, but I was still able to view the SMS message drop into Elle’s notifications again while she was still on it (and oblivious, too). With this code, I gained entry and took full control, even locking her out of the account on her own phone.
I had promised I would not post anything or contact her friends, but my proof of concept had worked. This was easily completed with only knowing her phone number and being able to be within shoulder-surfing distance of her cell phone. Snapchat users need to be aware that their accounts are at risk should someone in their vicinity want to hack them and possibly even hold their accounts to ransom.
Taking this one step further, I believe this attack could even be remotely enabled should a manipulative social engineer choose to call them up and persuade them into handing over the confirmation codes over a voice call. This is something that we are seeing a gradual increase in and people need to err on the side of caution.
Had the only option been to verify the account via email, this experiment would have been near impossible. This would have meant I would have needed Elle to click on the email sent to her and click on the link within the message – two things I presume she would not have done. Snapchat’s password recovery mechanism – using a code sent via an unencrypted messaging service that shows up in the phone’s notification pane – simply opens up an attack vector that is much easier to exploit.
Recovering a stolen Snapchat account is, sadly, not always easy. Everything depends on the changes the hacker has made to the account. If the hacker has only changed the password, you can get your account back by following the same steps again shown above.
However, if they have changed the phone number, email address or added two-factor authentication, there are very limited options and like with most social media, it is difficult to communicate with these companies and gain help with undoing such attacks. If you think your account has been compromised, Snapchat has this advice for you.
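The takeover sequence described above (a password reset completed from a device the account has never logged in from, followed within minutes by a phone-number or email change and the owner being locked out) is something a service can detect on its own side. Here is an added detection example, not Snapchat's code or the author's; the event names, the account-activity log format and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account-activity events: (ISO timestamp, account, event, device_id).
# user1 mirrors the article's scenario: reset from an unseen device, then lockout.
# user2 resets a password from a device that has previously logged in (benign).
EVENTS = [
    ("2025-01-16T12:00:00", "user1", "login",            "iphone-A"),
    ("2025-01-16T12:30:10", "user1", "reset_requested",  "android-B"),
    ("2025-01-16T12:31:02", "user1", "reset_completed",  "android-B"),
    ("2025-01-16T12:33:40", "user1", "phone_changed",    "android-B"),
    ("2025-01-16T12:34:00", "user1", "sessions_revoked", "android-B"),
    ("2025-01-16T09:00:00", "user2", "login",            "iphone-C"),
    ("2025-01-16T13:00:00", "user2", "reset_requested",  "iphone-C"),
    ("2025-01-16T13:01:00", "user2", "reset_completed",  "iphone-C"),
]

# Changes that alter who can recover or keep the account after a reset.
RECOVERY_CHANGES = {"phone_changed", "email_changed", "twofa_enabled", "sessions_revoked"}


def flag_takeovers(events, window=timedelta(minutes=30)):
    """Return {account: [suspicious events]} for resets from unknown devices
    that are followed within `window` by recovery-detail changes on that device.

    Only a successful `login` marks a device as known, so the reset request
    itself never launders the attacker's device into the trusted set.
    """
    known = defaultdict(set)   # account -> devices that have logged in
    pending = {}               # account -> (reset_time, device) to watch
    flagged = defaultdict(list)
    for ts, acct, ev, dev in sorted(events):   # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if ev == "login":
            known[acct].add(dev)
        elif ev == "reset_completed" and dev not in known[acct]:
            pending[acct] = (t, dev)
        elif ev in RECOVERY_CHANGES and acct in pending:
            reset_time, reset_dev = pending[acct]
            if dev == reset_dev and t - reset_time <= window:
                flagged[acct].append(ev)
    return dict(flagged)
```

A match is a good trigger for notifying the previous phone number or email and for holding the change for a cooling-off period, which is exactly the window in which the legitimate owner could still intervene.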
Beyond a strong and unique passphrase (which you should use on all your online accounts), make sure to turn on two-factor authentication within Snapchat’s settings, as well as implement it on all other apps that offer it. In Snapchat, head over to Settings and find the Two-Factor Authentication setup – while it’s okay to use SMS-based 2FA, it’s far better to use an authenticator app such as Microsoft Authenticator or Google Authenticator.

You may not have a Snapchat account, but you may know someone who does. Please make those users aware of the ‘SnapHack’ and urge them to apply this advice on all of their online accounts.
Shoulder surfing as such is best thwarted by preventing anybody from covertly looking at your screen when you enter sensitive information into an app or website, especially in public places. Better still, make sure you turn off notification previews, so that they’re hidden from prying eyes when your phone is locked. Also, be sure to actively monitor your SMS messages when using your phone or tablet around other people – this is also what would have foiled my attack at Elle’s Snapchat account.
