Your bank account has been emptied by your phone, you are not getting that promotion and you are the victim of Sextortion. Forget about the best streaming dramas of 2019; do you want to know the top four con-games that might hit you in 2020?
Yes, it’s the time of year to review the top up-and-coming actors for 2020. However, these are not just any actors -- these are con-artists!
There are four new information security cons hitting us hard at the end of 2019 and you had better be on the lookout to protect yourself, your company and your family.
Our first new star of the year is... Sim-Jacking!
What might be the biggest new threat of the four is called Sim-Jacking and it is hard to defend against. Sim-Jacking is one of the newest and fastest growing hacks in the world right now and it is moving so fast many people in the industry don’t even know about it yet.
The con-game can be employed by hackers who have little technical knowledge beyond some good social media savvy. People who re-share click-bait websites and use compromised apps on social media can expose personal data that these clever hackers then use to order a duplicate phone SIM card from your cell phone provider.
Once the hacker has a copy of your SIM card, not only can they control a virtual clone of your cell phone, they might also be able to capture its traffic. Some phone apps that we use for security such as multifactor authentication tokens can be hacked with this method.
While nearly everyone is a potential target for Sim-Jacking, the evil hackers currently seem to be concentrating on victims they know have cryptocurrency (like Bitcoin) apps on their phones, as this makes hitting your bank account much easier for them.
Because the hacker is interacting primarily with your phone provider, it can be difficult to defend yourself against this new attack. What you need to know and do is part of any good security awareness class or program. In particular, for this attack you should not have cryptocurrency apps on your phone unless they have reasonable limits set on transaction sizes or access to your bank account requires out-of-band authentication. Any large sums of cryptocurrency should be kept in a “cold storage wallet” (USB or paper account storage). Check your social media privacy settings and make sure you and your family do not post “like farming” posts or links to click-bait sites. Like Farming is a form of social media chain letter (see the link at the end of this article). These and other bad social media practices allow non-friends on social media to see your private content, and that is how the Sim-Jackers get the information they need.
Businesses should review with cell phone providers what the process is for issuing replacement phones and SIM cards and make sure the process will require a reasonable form of validation.
About that raise and promotion… not a “feel good” movie after all.
Good con-artists want to exploit your emotions. Money or the promise of prosperity are all time favorites for exploiting people’s emotions all the way back even to the days of the invention of horoscopes. The next two hacks on the horizon are phishing attacks that send your employees an email saying that they must complete a form for a raise or fill out an Office 365 survey to be considered for a promotion.
The evil hackers cleverly send these attacks only after discovering the names of important company executives and making the email appear to be an internal company email. The link in the email or attachment appears to be a legitimate company document even including such wonderful subtle touches as asking the employee to agree to a confidentiality agreement about their raise or promotion.
The business account information the employee provides then leads to an attack against employee and/or corporate resources. Again, like almost all of the big new attacks, our first line of defense is a well-implemented security awareness program for employees. I would advise letting employees know that no email links or surveys about promotions or raises are used by your company, and that if they see one they should contact the apparent sender by other means.
Our B-movie pick of the year: The 450,000 Cloud Bots that want to Sextort You.
Researchers at Check Point and other information security firms have found that several large bot networks (collections of compromised computers around the world) have been given the task of running a unique and effective extortion campaign.
Getting an email from someone claiming that they have hacked your accounts and have private information or photos of you is disturbing enough but what if they prove they have hacked you by including the password to your email account in the message?
The con is quite ingenious. The hackers don’t actually have any photos or any of your documents. What they do have is your password, because at some point in the past your email service or a website you have an account with was hacked and the passwords were stolen. So the bots know your email address and your password and nothing else, BUT with a clever lie they will make you think they have much more.
Once you know the methodology of these attacks you can defend yourself and your employees with the wonderful power of knowledge. Good email and security hygiene should have kept this attack from happening in the first place, but if you, a fellow employee or a family member gets one of these emails you can let them know it is a scam. Some of the current tag lines are “My malware gave me full access to all of your accounts” or “access to your webcam,” or it might say “We hacked your computer and saw what you were doing and this (password) proves it.”
Businesses should not use “free” email account systems for their employees, and security awareness programs should teach employees how to check their personal email accounts for past password breaches. A great tool for this is the website “Have I Been Pwned?” If your account has been compromised in the past, just change your password. If this con-game is played on you, the scammers will display an old password.
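One way to make that breach check concrete, as an added Python example that is not from the article: it implements the k-anonymity range lookup exposed by the Pwned Passwords part of the “Have I Been Pwned?” service (only the first five hex characters of the password’s SHA-1 hash leave your machine) and runs it offline against a constructed sample response. The API URL and the `SUFFIX:COUNT` response format are those of the public service; the sample counts below are made up.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check.
The full SHA-1 of the password is never sent: only its 5-character prefix
is used to fetch a range, and the suffix is compared locally."""
import hashlib
import urllib.request
from typing import Callable, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent).
    Blank or malformed lines are skipped instead of raising."""
    for line in response_text.splitlines():
        cand_suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        if cand_suffix.strip().upper() == suffix:
            return int(count.strip()) if count.strip().isdigit() else 0
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a prefix (network required; not used by the test)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str,
                          range_lookup: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the breach corpus served by range_lookup."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, range_lookup(prefix))


# Constructed sample range response for prefix 5BAA6 (counts are made up).
# The middle line is the real SHA-1 suffix of the password "password".
SAMPLE_RANGE_5BAA6 = "\n".join([
    "0" * 34 + "1:12",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
    "garbage line without a colon",
    "F" * 34 + "E:3",
])

if __name__ == "__main__":
    print(password_breach_count("password", lambda _p: SAMPLE_RANGE_5BAA6))
```

Swap the `range_lookup` argument for the default `fetch_range` to query the live service; the constructed sample exists only so the check can be exercised without network access.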
In summary, security awareness training is the most effective way to protect yourself from almost all of the new and dangerous attacks. A trusted security advisor can help you find or design the right kind of security awareness training for you. Avoid security awareness products that rely solely on phishing campaigns or video recordings except as refreshers. A good security awareness program will be interesting, fun, apply to the roles and personal information needs of the students and use adult education methods.
Further reading on Like Farming: https://www.thatsnonsense.com/facebook-like-share-photo-scams-dont-make-scammers-rich/