Month: June 2021

Google is preparing a series of measures meant to better secure the Google Play Store by ensuring the developers who upload apps and updates are more trustworthy.

The Google Play Store is a vast library of software, and it’s growing by the minute. While the company is doing its best to keep malware and other types of threats on its platforms, it’s not entirely successful. More than once, Google has been forced to pull apps from the store after discovering developers uploaded apps that didn’t respect the license agreement but weren’t malicious enough to trigger the existing protection.

“To keep Google Play safe and secure and to better serve our developer community, we are introducing two new security measures: additional identification requirements and 2-Step Verification,” said Google. “These measures will help strengthen your account security and will help us better understand your needs.”

Creating a new developer account on the platform is now a little more complex, with a few extra steps that would discourage, hopefully, developers with malicious intent. Now, developers have to provide an email address and a phone number. 

Moreover, owners of developer accounts will have to tell Google whether it’s a personal or enterprise account, and disclose the name of the holder and a physical address. Also, the existing emails and phone numbers on file will have to be verified.

Having real people, with real names, behind accounts will help keep the official store a little safer. Google will occasionally email or call the developers to check if the information provided is real. While all of these measures are positive, they won’t offer 100% protection against attacks. Running a security app such as Bitdefender Mobile Security at all times is always recommended.

The Government Accountability Office (GAO) sent a letter to NASA in an effort to make the space agency more resilient to cyberattacks by proposing several security measures that would ensure its protection.

NASA is one of the many agencies in the US government considered vulnerable to cyberattacks, making it a prime candidate for essential improvements. Like any big organization, NASA has organizational issues that often translate to security problems. In some respects, NASA faces the same challenges as a private conglomerate, with issues stemming from the huge number of employees.

The proposed measures cover many areas, but it’s worth mentioning that NASA already implemented some of the proposals coming from GAO. In any case, NASA is not the only agency going through these changes.

“We have designated information security as a government-wide, high-risk area since 1997 and subsequently expanded this high-risk area to include protecting cyber critical infrastructure and securing personally identifiable information,” says GAO.

“Accordingly, federal agencies need to take urgent actions to ensure that they have programs in place to protect their information technology systems and sensitive information against increasing cyber risks.”

NASA already agreed to implement GAO’s recommendations, including an organization-wide cybersecurity risk assessment, a typical process that every large organization has to complete. Another request covers NASA Acquisition Management, which incidentally is on GAO’s High-Risk List of government operations with more significant vulnerabilities.

Finally, GAO is urging NASA to cover the rest of the high-risk targets that include improving the management of IT acquisitions and operations, improving strategic human capital management, managing federal real property, and ensuring the nation’s cybersecurity and government-wide personnel security. Some of these measures are already being implemented and should be ready by the end of the year.

Police in the UK are warning WhatsApp users of a surge they have seen in attempts made by fraudsters to steal accounts.

In a tweet posted by Southwark Police in South London, for instance, officers warn that scammers are stealing accounts by tricking WhatsApp users to share verification codes they are sent via SMS.

The scam works like this. Whenever someone tries to register a WhatsApp account on a mobile phone they give WhatsApp a phone number. WhatsApp sends an SMS verification code to the mobile phone number they have been given, to verify that the number is active and that the user trying to register the account really owns the number.

However, a fraudster might contact a WhatsApp user – perhaps pretending to be WhatsApp customer support – and ask them to forward the six-digit verification code that has just been- or is about to be – received on the mobile phone.

Of course, you haven’t requested a verification code. Instead, a scammer has entered your phone number and requested a registration code – in an attempt to hijack your account.

On its website, WhatsApp warns that keeping your verification code secret is an essential part of securing your account:

You should never share your WhatsApp verification code with others. If someone is trying to take over your account, they need the SMS verification code sent to your phone number to do so. Without this code, any user attempting to verify your number can’t complete the verification process and use your phone number on WhatsApp. This means you remain in control of your WhatsApp account.

Of course, if someone does manage to seize control of your WhatsApp account they will then be able to see any future messages you receive, and pretend to be you.

WhatsApp says that for this reason you should never share your verification code with anyone, even if they are friends or family.

“If you suspect someone else is using your WhatsApp account, you should notify family and friends as this individual could impersonate you in chats and groups. Please note, WhatsApp is end-to-end encrypted and messages are stored on your device, so someone accessing your account on another device can’t read your past conversations.”

For a higher level of security on WhatsApp, you are advised to not only never share your six-digital registration code, but also enable two-step verification, restrict who can view your profile photo, and be cautious about transferring money with contacts unless you have confirmed their identity.

WhatsApp offers further advice on how to recover your account if it has been stolen from you, and recommends that you log out of all computers from your phone if you still believe someone might be using your account via WhatsApp Web/Desktop.

On June 22, the profile details of 700 million LinkedIn users were put up for sale on an underground forum.

The same thing happened on April 6 for 500 million LinkedIn users. The exposed data contained profile information such as e-mail addresses, job descriptions, social media profile links and phone numbers.

On April 3, the phone numbers and associated profile info of over 530 million Facebook users were leaked online. The leaks included geographical location and even phone numbers, including Mark Zuckerberg’s.

What Happened

In all three cases, threat actors used the same method — web scraping. Automated tools harvested all the information from user profiles, abusing various APIs made available by the platforms. They attempted to pull much more than would typically be available without special privileges, such as the privileges given to a user connected to the victim.

It’s important to note that the services were not “hacked”, at least not in the way we’ve grown to understand the word. No database was stolen, and no platform internals were exposed. In fact, users’ passwords are still safe. But any information that could be shared was shared in the process – including data that users believed only close friends could see, like e-mail addresses or phone numbers.

Here’s what YOU need to know

The incidents highlight two points to understand and remember.

First and foremost, the moment you hand out a business card or post information on an online profile, the information becomes public. It’s been repeatedly proven that privacy settings don’t always work. This problem is amplified by the massive size of our “private circle” of connections or friends on these platforms.

Check how many people you have in that “private circle.” Phone numbers, e-mail addresses, Social Security numbers, and home addresses are data points we’re constantly forced to share with an increasing number of people and organizations. It’s only a matter of time before they’re exposed publicly.

Now more than ever, it’s crucial to KNOW when that happens. And, here, the Bitdefender Digital Identity Protection tool can help. Our service lets you take control and minimize your digital footprint by continuously monitoring for data breaches, publicly exposed information and social media impersonators.

Secondly, be mindful of your ever-growing (and never-shrinking) online dossier/file, and take some time to brush up on doxxing. Every piece of relevant information about you can (and probably already is) added to a file with your name on it.

This information can later be used in:

• identity theft (buying things, getting credit or simply causing damage to you and your loved ones by doing illegal things in your name)
• selling your data to advertising networks, less legitimate than the ones you’re already willingly providing it to
• stalking/domestic violence. It may be an uncomfortable scenario, but it DOES HAPPEN

Just check your digital footprint and learn if an ill-intended actor can do carry out the acts in any of the three bullet points above or, God forbid, all of them. While LinkedIn and Facebook could have done a better job at preventing scraping bots, system vulnerabilities are exposed daily. Even though the platforms are sometimes quick to patch loopholes found by hackers, as users and members of the digital community, it’s also our job to be aware of the information we willingly expose and how it can be used against us.

NVIDIA patched a GeForce Experience high-severity vulnerability that would have allowed attackers to perform spoofing attacks, leading to the compromise of the user’s login token.

NVIDIA offers an application named GeForce Experience to their GPU users, letting them easily install the latest drivers, change game settings to better fit the PC’s performance, record video, stream and more. The application also requires users to log in for various perks.

It turns out that the application also had a high-severity vulnerability, which the company was quick to fix. Since a remote non-authenticated attacker can exploit the vulnerability via the Internet, it’s a big problem. But the fact that it still required some input from the user, like clicking on a link, kept the severity score to only 8.3.

“NVIDIA GeForce Experience software contains a vulnerability where, if a user clicks on a maliciously formatted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session,” said the company. “Such an attack may lead to these targeted users’ data being accessed, altered, or lost.”

The company explained that the vulnerability was only possible because the application incorrectly parsed specially formatted links.

“A remote attacker can create a specially crafted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session” they added.

Installing the latest version of the application fixes this exploit. It should not be a problem since the update is directly pushed to users who have the app installed, and it’s installed when the app is opened.

GitHub revealed that its Security Bug Bounty Program registered the most submissions in 2020 since its launch in 2014, and 204 vulnerabilities qualified for bounties.

Companies figured out a while ago that it’s better to find the vulnerabilities in their own software than to leave it to hackers or to hope that it’ll work out fine. All software and hardware has vulnerabilities. Sometimes, the good guys find them, but the entire industry can suffer when that’s not the case. In these programs, such as the one GitHub runs, security researchers are encouraged to find and report vulnerabilities in exchange for a bounty.

“2020 was our busiest year yet,” said GitHub. “From February 2020 to February 2021, we handled a higher volume of submissions than any previous year.[…] $524,250 in bounties awarded for 203 vulnerabilities in our products and services. This brings the overall rewards from our program since moving to HackerOne in 2016 to $1,552,004,” GitHub explained.

The company also provided a very interesting example of a bug submission that affected its own platform, GitHub.com, and which could have been used to compromise the OAuth flow of Gist users.

“While the risk is fairly low, this vulnerability could be used to facilitate social engineering attacks by providing a link to GitHub.com that would end up redirecting to an attacker-directed site,” said GitHub.

It’s no surprise that 2020 was such a busy year for submission of vulnerabilities, as many people suddenly switched to working from home. Security researchers paid more attention to some of the more popular apps, and the entire bounty industry is becoming a lot more profitable.

The Bitdefender Antispam Lab has detected an ongoing phishing campaign targeting users of employment website Indeed.

According to our researchers, 48% of the fraudulent emails have reached users in the US, 28% in Ireland, 5% in Finland, 3% in France and India and 2% in Germany.

The cyber crooks use spoofing to trick users into thinking the message was sent from the employment platform, forging the email header to display ’employers-noreply@indeed.com’.

The email asks recipients to confirm their email address by downloading “the attached account update file” and logging into their account.

Accessing the HTML attachment named “Indeed_Update.html” will open a fraudulent login page with the recipients’ email address already filled in.

Indeed users who receive this email should not open the attachment or enter their password into the login page. Instead, delete the email and head to the official company website from your browser. Recipients who unwittingly entered their account password should immediately reset their password on indeed.com and other online platforms that share the same login credentials.

As a reminder, employment-oriented services will not contact you via email and ask for personally identifiable information or financial information such as bank account numbers.

A vast number of online platforms deploy email verification processes. However, according to Indeed, users who sign up on the platform will receive a confirmation email during the setup process. The message asks recipients to confirm their email address by clicking on a link.

If you’re tired of wondering whether the correspondence in your Inbox is genuine, check out our 90-day Bitdefender Total Security trial that offers complete real-time data protection and anti-phishing filtering systems that sniff out and block websites masquerading as trustworthy entities.

Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab

According to a newly-published report by the FBI’s Internet Crime Complaint Center (IC3), the elderly are more at risk from falling victim to online fraud and internet scammers than ever before.

In the IC3’s Elder Fraud Report, the FBI detailed that approximately 28% of all fraud losses are sustained by victims who are over 60 years old – with losses totalling approaching US $1 billion.

Worryingly, that figure represents a rise of around $300 million compared to losses reported by seniors in 2019.

According to the FBI, while the average loss per victim was US $9,175, some 1,921 victims aged sixty and above lost more than US $100,000 to online scammers.

Figures released in the report show that not only were the over-60s most likely to become victims of all the age brackets surveyed, but also their total losses were the greatest.

Older adults, the study found, were often defrauded as a result of romance scams, tech support fraud, and investment scams. In addition, data suggests that hundreds of millions of dollars have been lost by companies through business email compromise attacks, facilitated unwittingly by staff aged over 60 years old.

It would be unfair and incorrect to characterise these attacks as succeeding simply because it was a more elderly person has been unlucky enough to fall victim. After all, a romance scam or email account compromise attack doesn’t discriminate between its targets based upon their age.

However, it’s possible that a victim’s age may play a factor in making them vulnerable to some scams – such as romance scams – especially if they have suffered a bereavement.

Furthermore, many of us with elderly loved ones may have found out the hard way that they can be naturally more trusting, compared to those of us who have spent a greater proportion of our lives guarding against internet scammers.

It’s also worth considering the impact that the global pandemic has had.

As the IC3 report explains, many elderly people may have found themselves shopping online for the first time due to Coronavirus lockdown restrictions.

“Elderly victims filed over 14,000 non-payment/non-delivery complaints experiencing losses over $40 million in 2020, making non-delivery of products the second most reported fraud among the elderly.”

In addition, many over-60s may have found themselves joining social networking sites for the first time in an attempt to stay in contact with friends and loved ones that they were not able to meet in person. As a result, they may have been easy pickings for online scammers posting fake adverts or promoting counterfeit products.

In some cases, attacks have taken a particularly dark and sinister nature with victims receiving threatening emails informing them (falsely) that they have been infected with COVID-19, or threatening to infect them with the virus, unless a cryptocurrency payment was made.

The onus lies on all of us to not assume that older members of our families, elderly friends and neighbours, are as clued up as we might be about online threats. We need to do our part to offer sensible advice and guidance to others to ensure that they do not become a soft target for online fraudsters.

Have you ever received a friend request from a person already on your list of friends on Facebook? If so, you were most likely targeted by a cloned Facebook account.

If not, chances are you will. You’ll likely run into a scam artist posing as either you or one of your friends while you’re busy checking your social media feed.

It may be impossible to predict the exact number of fake and impostor accounts on Facebook. However, the social media guru said it took action against 1.3 billion fake accounts in the first quarter of 2021.

What is Facebook account cloning?

Facebook cloning happens when scammers scrape your publicly available social media information (such as your profile picture and info) to create a copy of your profile. The imposter then tries to send friend requests to your list of friends to conduct various scams, including:

• Sending malicious and fraudulent links to your friends and family
• Manipulating your friends or family members for financial gain
• Attempting to defraud your acquaintances using advance fee scams

These attempts may compromise your online and real-life reputation. Additionally, the scammer will even try to shut down your profile by reporting you to the social media platform.

How to protect against Facebook account cloning?

You don’t have to be a celebrity to become a target of social media impostors. While most individuals find out about an impersonation attempt from friends, users can also track down potential scammers by searching their own name in the Facebook search field.

Although no measures are bulletproof, adopting more privacy-focused settings on your Facebook account can discourage scammers from attempting to clone it, including:

• Making your friends list hidden
• Removing public visibility on your future posts, photos and profile information such as email address and phone number
• Disable any options that allow anyone to send you a friend request

Living in a social media-driven age, protecting online privacy and personal information is a must. Bitdefender’s Digital Identity Protection tool helps you take control and minimize your digital footprint by continuously monitoring for data breaches and social media impersonators that may ruin your reputation

Our tool proactively scans the web for accounts set up using your data. Each time a new profile is created using your info, you can easily inspect it and stop impersonation attempts before they cause irreparable harm.

Don’t forget to immediately report any impersonation attempts or suspicious activity to the social media platform and immediately inform your friends.

Social media feels like the natural evolution of technology, like something that would have happened no matter what. But there’s a difference between what we would want and what we actually have. It’s too late now to re-model social media, so we have to learn to live with what we have and make better choices from here on out. That’s why the Social Media Day we celebrate on June 30 is a reason to be thankful and wary at the same time.

Today’s social media landscape has its own ecosystem, different from the rest of the internet, with its own rules and users divided by age and interests. Each platform is designed with a niche in mind that seems to coincide with the offerings of the rest but with variations setting them apart. In short, there’s something for everybody, which is why social media is both fascinating and dangerous at the same time.

It would be nice if social media would gather only the good things, but human society is a mix of everything. Like on the rest of the internet, people from all walks of life have access to social media, and, while most use those platforms as intended, others find ways to pervert their original functions to fulfill more malignant goals. 

The Social Media we should have had

Surprisingly, the arrival of social media was foretold in science-fiction novels long before we had the internet. Writers would envision people coming together, talking about current affairs, debating the days’ social issues, talking politics, and influencing each other with poignant and clever remarks.

The online landscape had the potential to elevate the human condition, and some writers believed that’s what would happen. Now, social media has undoubtedly changed the human condition, but no one can say that it was for the better.

Social media should be filled with meaningful ideas, exciting stories and uplifting adventures, all sprinkled with funny images of cats and dogs doing ridiculous things. But we all know there’s a big difference between what we ought to have had and what we actually have.

The Social Media we truly have

While social media has the good things we just mentioned, it’s also filled with the bad stuff in equal measure. It’s also home to hateful people and dangerous criminals. It serves as the perfect medium for malicious campaigns directed by attackers who want to steal what people seem to value the least, their private data.

Private information has to be one of the most undervalued commodities of today’s digital world. People gather so much essential data and metadata about themselves that it becomes difficult to tell what is important and what’s worthless. And the worst part about this is that, sometimes, the data that seems worthless is actually of great value to attackers.

Social media platforms have become so ingrained in our internet life that social media is the internet for many people. Facebook, Instagram, Snapchat, TikTok, YouTube, Tumblr, Twitter, Reddit, and the other platforms all fill various niches, and they all have something in common. They create real-world value with the data they collect and the outlet they offer.

The truth is that these platforms are also great mediums for attackers, who mainly look to steal the data that no one is actually worried about. People post their real-time locations online, answer quizzes that reveal answers to security questions they used for various online services, and keep filling in details in phishing schemes. And that’s not even counting all the malware and offensive content waiting in the shadows.

Our Digital Identity Protection tool allows you to check for data breaches and adjust all of your accounts in minutes if needed. You can also check for social media impersonators and learn more about your digital presence for a more privacy-focused decision.

The Social Media we could have

Yes, social media is filled to the brim with wonderful content and malicious intent. But the negative doesn’t have to outweigh the positive. With the suitable precautions and the proper security solution, the time we spend on social media platforms can lean toward the experience we ought to have and not what we currently have.

We might not have the social media that the science fiction writers promised us, but we can get a little closer by being mindful of what we share online and with whom. Knowing the value of what we post online takes us halfway to more security. An informed user is a powerful user, and the rest of the way is covered by security solutions such as Bitdefender Total Security. You can always check out the 90-day trial that provides complete protection, even when surfing online or looking at funny images of cats and dogs.