Home + Mobile

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

‘Smishing’: An Emerging Trend of Phishing Scams via Text Messages

Text messages are now a common way for people to engage with brands and services, with many now preferring texts over email. But today’s scammers have taken a liking to text messages or smishing, too, and are now targeting victims with text message scams sent via shortcodes instead of traditional email-based phishing attacks.

What do we mean by shortcodes

Businesses typically use shortcodes to send and receive text messages with customers. You’ve probably used them before—for instance, you may have received shipping information from FedEx via the shortcode ‘46339’. Other shortcode uses include airline flight confirmations, identity verification, and routine account alerts. Shortcodes are typically four to six digits in the United States, but different countries have different formats and number designations.

The benefits of shortcodes are fairly obvious. Texts can be more immediate and convenient, making it easier for customers to access links and interact with their favorite brands and services. One major drawback, however, is the potential to be scammed by an SMS-based phishing attack, or ‘Smishing’ attack. (Not surprisingly given the cybersecurity field’s fondness for combining words, smishing is a combination of SMS and phishing.)

All the Dangers of Phishing Attacks, Little of the Awareness

The most obvious example of a smishing attack is a text message containing a link to mobile malware. Mistakenly clicking on this type of link can lead to a malicious app being installed on your smartphone. Once installed, mobile malware can be used to log your keystrokes, steal your identity, or hold your valuable files for ransom. Many of the traditional dangers in opening emails and attachments from unknown senders are the same in smishing attacks, but many people are far less familiar with this type of attack and therefore less likely to be on guard against it.

Text messages from shortcodes can contain links to malware and other dangers.

Smishing for Aid Dollars

Another possible risk in shortcodes is that sending a one-word response can trigger a transaction, allowing a charge to appear on your mobile carrier’s bill. When a natural disaster strikes, it is common for charities to use shortcodes to make it incredibly easy to donate money to support relief efforts. For instance, if you text “PREVENT” to the shortcode 90999, you will donate $10 USD to the American Red Cross Disaster Relief Fund.

But this also makes it incredibly easy for a scammer to tell you to text “MONSOON” to a shortcode number while posing as a legitimate organization. These types of smishing scams can lead to costly fraudulent charges on your phone bill, not to mention erode aid agencies’ ability to solicit legitimate donations from a wary public.

Another common smishing technique happens during tax-filing season and involves IRS-themed requests for the taxpayer to update personal and financial information. An uptick in these scams after the pandemic prompted the FBI to post public warnings.

Protect yourself from Smishing Attacks

While a trusted mobile security app can help you stay protected from a variety of mobile threats, avoiding smishing attacks demands a healthy dose of cyber awareness. Be skeptical of any text messages you receive from unknown senders and assume messages are risky until you are sure you know the sender or are expecting the message. Context is also very important. If a contact’s phone is lost or stolen, that contact can be impersonated. Make sure the message makes sense coming from that contact.

Related Resources:
Webroot blog: Smishing Explained: What It Is and How to Prevent It

Webroot blog: What’s Behind the Surge in Phishing Sites? Three Theories

After the Hack: Tips for Damage Control

According to the Identity Theft Research Center, in 2017 alone, nearly 158 million social security numbers were stolen as a result of 1579 data breaches. Once a cybercriminal has access to your personal info, they can open credit cards, take out loans that quickly ruin your credit, or leave you with a giant bill. But that’s not all. Many people don’t realize that, depending on how much information a hacker gets and what their intentions are, you could lose a lot more than money. From sending malware to your contacts from your account to spamming your coworkers with phishing attacks to compromise your employer’s network, the damage a hacker can wreak on your personal and professional life can extend far beyond the monetary bounds.

Additionally, according to Dave Dufour, VP of Engineering and Cybersecurity at Webroot, we’re seeing more evolution in cybercriminal tactics that take advantage of internet users and their trust:

“What’s happening lately is that people are hacking social media accounts. Why would anyone want your social media information? One reason is that, if I have access to one of your social media accounts, I can spread malware to all your followers who trust you. Pretending to be you, I can send out a link, your followers click it, and my malware is now on all of their devices.”

So, what do you do if you’ve been hit with malware, ransomware, phishing, or a social media attack? First, don’t panic. Second, follow these steps to deal with the fallout.

You’ve been hacked. Now what?

Change your passwords
The first step is one you’ve probably already heard: change all your passwords. Yes, all of them. Don’t forget to make them strong: use at least 12 characters, change at least two or three of the characters to uppercase, use numbers or symbols (e.g., replacing an A with a @ or an S with a 5), and avoid using places you’ve lived, acquaintances’ names, your pets, birthdays, or addresses. And don’t even think about using ABC or 123. If you have trouble keeping track of your passwords, we recommend you use a secure password manager application that saves your credentials in an encrypted database and automatically fills them in when you log into a site.

Turn on two-factor authentication
Most accounts that house your personal information, such as email or banking, offer two-factor authentication. This provides an additional layer of security that goes beyond your username and password by asking you to confirm your login with an extra step, such as a short-term security code sent via text message or phone call. You can turn on two-factor authentication from the login screen of the account.

Check for updates
One of the best ways to keep your devices protected is to update your operating system regularly and ensure that any applications you use are patched and up to date. If you have questions, you can always call your device provider’s helpline. To make things even easier, most systems and software allow you to set up Automatic Updates, so you don’t have to worry about remembering to check for them manually.

Install antivirus protection and run a scan
Antivirus software is an extremely beneficial tool that doesn’t just help detect and remove malicious software that could be lurking on your computer, it can also stop threats before they infect your device in the first place. But be careful: avoid the temptation to download a free antivirus program, as these often come bundled with malware or potentially unwanted applications. Instead, invest in a reputable option. Once installed, be sure to run a scan and turn on automatic scans and updates.

Delete sensitive data from the compromised account
As soon as you realize you’ve been hacked, go to the compromised account and delete any sensitive data you can. For example, if you know you’ve stored your credit card information, bank statements, social security number etc. in your email or on any retail site, immediately delete them from those locations. This also goes for any personal photos or information you wouldn’t want released. And don’t forget to clear out your folders on any cloud services, such as Dropbox, Google Drive™ or iCloud®.

Monitor bank statements and account activity
One of the top motivations of a cyberattack is to steal your money or identity to go on a shopping spree or use your financial accounts in some way. Be vigilant about monitoring your accounts for recent activity and check to make sure no new shipping addresses, payment methods, or accounts have been added. Also, call your bank and let them know about the incident so they can have their fraud department monitor your accounts.

Deauthorize apps on Facebook, Twitter, Google, etc.
To protect your accounts and remove malicious individuals, check which apps are connected to your social media accounts and deactivate all of them. Did you sign into a site using your Facebook so you could see which historical figure you look like? That’s an example of something you should deactivate. You can find directions on how to do this for each account in its help or settings section or by contacting the associated customer service line.

Tell friends you’ve been hacked, so they don’t become victims, too
Another important step to take after you’ve been hacked is to alert your contacts. Many social media and email attackers will send messages from your account that contain malicious links, attachments, or urgent requests for money. Letting contacts know right away that your account has been compromised, and what to watch out for, can save them from the same fate.

Because technology continues to advance and the number of connected devices is growing exponentially, being the target of a cyberattack or identity theft is becoming more commonplace. But we’re here to help. Learn more about protecting yourself and your family online, and what you can do to stay safe from modern cybercrime.

Home Sweet Hackable Smart Home

We live in the future. Not one with teleportation, time travel, or flying cars, but one where talking to inanimate objects is the “normal,” even “cool” thing to do.

According to The Smart Audio Report from NPR and Edison Research, 39 million people now own an interactive, voice-activated smart speaker and, in just a few short years, the smart speaker has been joined by countless other smart gadgets, forming a network of connected devices known as the internet of things (IoT). These connected household devices have evolved from assisting with simple tasks like having Alexa play music, to having the ability to control nearly every part of the home, from the ambient temperature to the food that’s purchased for your refrigerator.

It’s pretty amazing, as long as you remain in the captain’s chair. But what happens when you’re no longer the one in control?

They see you when you’re sleeping, know when you’re awake

Imagine coming home on a hot day to find your thermostat set to Phoenix-in-August-like temperatures and realizing you can’t change it. Or discovering your internet-connected appliances have been hijacked to do the bidding of cybercriminals in a DDoS attack by a massive IoT botnet. And what could be worse than finding out hackers have the ability to peek into the feed from the nursery webcam? These examples may sound like fear-mongering or idle, worst-case-scenario musings. But they’ve all already happened.

The more consumers buy and use internet-connected home devices, the more opportunities are created for hackers to break in, both digitally and physically. Since IoT products include everything from fitness bands and home security cameras to lights, doors, and cars, we run the risk of painting a detailed, time-stamped digital portrait of our daily lives for any hacker with the know-how to access these devices. All they need to access your entire network is one weak link.

Hacked by default

Why are IoT products so vulnerable? According to Webroot senior threat researcher Tyler Moffitt, “the underlining problem with all these emerging IoT devices is that the vendors are only focused on functionality, and have little to no budget for security vetting. Minimum viable product for maximum profit.”

The result? More vulnerabilities leading to more opportunities for attackers to hack your home. The proliferation and widespread adoption of IoT devices presents hackers with billions more targets than previously available, and their success rate need not be high. A single security oversight on a mass-produced device can be devastating.

For example, many smart home devices like Nest Learning Thermostat devices come with a default username and password that most consumers don’t think to change. In some cases, that’s simply not an option, as passwords are sometimes hardcoded into the firmware. Oftentimes, hackers can easily find default login information online and sneak onto your device. Then, with the help of a little malware, they can gain control of your entire fleet of smart-home devices. And hundreds of other people’s.

Patches and updates are another gaping door left open to hackers. Many IoT devices either simply can’t be patched to protect against the latest threats, or their manufacturers don’t have the budget or resolution to release prompt updates. In an up-and-coming market segment filled with startups, there isn’t even a guarantee your device manufacturer will be around to release a much-needed security update when an emergent threat comes knocking.

Secure is the new smart

Before you run home to rip your Nest or other IoT connected device off the wall, read on. There are ways to keep your home smart and secure.

“Smart homes are still a new space as far as security goes,” says Moffitt. “Down the road, we expect security to be protecting internet connected devices. But for now, we recommend a layered approach and taking all the proper precautions. Similar to antivirus, pay for the well-reviewed, vetted products.”

Here are a few more tips for being a smart IoT consumer:

Update login info

Update your usernames and passwords (the stronger the better). Do this for every device you have, and avoid using the same password twice. While you’re at it, change the passwords on your other accounts, too — especially if you’ve had the same one since you opened your first email account in 1998.

Secure wireless networks

Set up two different networks to help reduce the risk of hacking across devices — one for smartphones, computers, and tablets, and another for your smart home products. Add a strong password and give your home network a random name having nothing to do with your username, password, or address. Also, make sure your home network is protected by the Wi-Fi Protected Access II (WPA2) protocol, disable guest access, and most importantly, disable remote access. 

Update software and firmware

Updating helps ensure the latest security measures are being implemented by your device. Many smart home devices don’t update automatically, so check for them about once a month.

Install security software and malware protection

Because there is no singular solution for protecting your smart home products themselves, it’s important to use a layered approach for your security measures, such as safeguarding your network. Adding security apps and software to your computer and smartphone can protect against attackers accessing information via a malicious site or app.

Invest in proven solutions

Since so many companies are trying to get on the smart home train and many aren’t keeping security top-of-mind, it’s important to invest in proven solutions and stick to well-known brands that have a reputation for being secure. This helps guard against the aforementioned problem of timely updates not being available, too.

Oh, and you know those home gadgets that come with a hard-coded password? Don’t buy them.

Malvertising: Avoid Bad Ad Invasion

The way people shop has changed drastically over the last 10 years. E-commerce continues to boom. In fact, 80% of Americans made an online purchase in the past month, according to the Omni-Channel Retail Report from BigEcommerce. Because what’s not to love about shopping online, receiving your items in just two days, and not having to put pants on?

Not surprisingly, the increase in online shopping has been accompanied by a spike in online advertisements. And in recent years, thanks to malvertising, things like display ads and social media promotions have gone from annoying to dangerous.

A Threatening Combination

The term malvertising is a merger of two words, malicious and advertising. It is defined as the use of online advertising as a vehicle to spread malware.

Malverts are created when cyber criminals embed malware-laden or malicious code into normal-looking online ads like pop-ups (fake browser updates, anti-virus programs, etc.), paid ads using Google AdWords, display ads, drive-by downloads, in-text or in-content advertising, and more.

These ads are then placed on the pages of legitimate websites — such as The New York Times, the BBC, MSN, and AOL, to name a few—by an agency or an automated ad server. Infections are then very difficult to avoid when you visit a site running malverts. In fact, users don’t even have to click on anything to have their device compromised. Sometimes, all it takes is loading the page.

Online Wolves in Sheep’s Clothing

To understand how malvertising sneaks onto sites, you first have to understand how online ads are placed. Many large, popular websites use third-party vendors or software called an ad server to find the ad that will make the site the most money. To get an ad on a vendor’s network, oftentimes all you need to do is sign up and submit. Because of this, many cybercriminals will submit clean advertising to ad networks for weeks to gain legitimacy and circulation, and ultimately get their work through the system. Once they do, they quickly switch out their ads for malverts. These booby-trapped ads are usually only active for a few hours before the attackers switch back to legitimate ones.

Since ad servers typically don’t have strict vetting processes or are automated, it’s relatively easy for attackers to slip malverts through without anyone knowing. In fact, the cyber security firm Confiant reported that some attackers, like the Zirconium group, set up 28 fake ad agencies in 2017 through which to create and submit their malverts.

What’s more, these third-party networks often display different ads on the same page, meaning two people could visit the site and only one would be infected — again making malverts even harder to track down and stop.

Defend your devices from malvertising

Even though large, sophisticated malware campaigns were mounted in 2017, there are #cybersmart ways to protect yourself against an attack in the year to come:

  • Use an ad-blocker. Ad-blockers remove all online advertising, significantly reducing malvertising’s effects on the user. There have been cases of sophisticated malverts bypassing ad-blockers, but using one is still a great place to start.
  • Keep your devices updated and secure. Make sure your operating system and plugins are updated, keep software patched, only run the latest browsers, and invest in a good anti-virus or malware detection program.
  • Lock down your Java and Flash settings. Enable click-to-play plugin settings on your browser configuration for Java and Flash, which makes you give your device permission before running those plugins. Or disable Java and Flash altogether. You probably won’t miss them.
  • Stay on top of WordPress. WordPress continues to be one of the most popular targets for hackers. The plugins have been exploited and abused the same way as Adobe, Flash, Java, and Silverlight have. If you use WordPress, protect yourself by keeping your website up to date, updating themes and plugins to the patched versions, and staying aware of the latest WordPress-related vulnerabilities.
  • Practice safe browsing. Since malvertising can affect you even if you’re staying on legitimate sites (i.e. not trying to buy a kidney on the darknet), using safe browsing practices can greatly decrease your risk. Set up browser plugins to increase security and privacy, keep browsers and applications up-to-date, regularly check which plugins are being used and disable unnecessary ones, scan files before downloading, and watch out for phishing attacks.

And of course, using a reliable internet security product is the best way to protect yourself from cybercriminals. For extra credit, here are a few more general tips for protecting your devices.

  • Skip public WiFi networks
  • Pay with credit cards over debit cards online when possible
  • Deactivate Bluetooth in public settings
  • Always back up your files

Cyber News Rundown: Malware Attack Targets 2018 Winter Olympics

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Winter Olympics Disrupted by Malware Attack

The Winter Olympics are in full swing, and cybercriminals seem to be working just as hard as the athletes. Their nefarious minds are focused on distributing malware that targets several internal WiFi and television systems. In addition to a delay during the opening ceremonies, the malware caused major damage to the networks by wiping non-critical network files and using stolen credentials to traverse the networks with ease. With plenty of international information on hand, it’s surprising the attack focused more on destruction over data collection.

Cryptocurrency Scams from Celebrities on Twitter

At least two dozen fake Twitter accounts impersonating celebrities, and others closely tied to cryptocurrencies, have been promising to distribute various currencies to followers. These accounts are all very similar to the real celebrities’ user accounts, barring small spelling changes, and can be found commenting amongst their target’s posts. Although Twitter appears to be working swiftly to remove these types of accounts, more continue to appear.

News Site Offers Compromise to Disabling Ad-Blockers

With the increasing popularity of cryptojacking—the process of using cryptomining scripts on highly-trafficked sites to generate revenue—Salon.com is now offering a choice to visitors: disable your ad blocker or let them use your CPU for cryptomining. While this new offering may seem unusual, it’s likely to become more prevalent, since many sites depend on ad revenue to remain operational. The logic is that most users would prefer to allow mining scripts to run over being subjected to ads.

Telegram Leaves Zero-Day Bug Unfixed for Months

Researchers discovered a vulnerability within the Telegram messenger client that would allow attackers to send malware by using a specific character to mask the actual file without making any additional changes to it. This method can be used to fully commandeer a system by sending victims a simple downloader over SMS. The downloader deploys a variety of malicious tools onto the system itself. Telegram has since resolved documented issues, which appear to have targeted mainly Russian victims from as long ago as March 2017.

Canadian Telecom Firm Faces Security Flaw

A hacker has contacted Canadian Telecom firm Freedom Mobile to inform them of the security risks that their nearly 350,000 customers could face if a flaw in their system isn’t fixed. The flaw would allow any attacker to use a brute force attack on the account login page to compromise customer information. The hacker doesn’t appear to be acting maliciously, and he has posted proof of his findings, along with a strong recommendation that Freedom Mobile re-examine its security offerings.

Use Caution with Free-to-Play Mobile Games

Who doesn’t like a good mobile game? Especially a free one! They allow you to blow off steam while fine-tuning your skills, competing with others or maybe even winning bragging rights among friends.

Free games can be fun to play, yet there are some common-sense guidelines to make sure these apps don’t surprise you with unexpected costs or other problems.

Like anything digital, opportunities for malware and other cyber threats do exist. Here are some things to beware of as you protect your privacy, well-being and wallet.

In-app purchases and unauthorized transactions

Free game providers make revenue by selling upgrades to the games’ cosmetic value or the means to advance to another level of play. For example, on a popular kids’ game, players can buy special coins that help boost their overall gaming experience.

But according to a 2017 TechCrunch article, Amazon recently agreed to refund millions of these types of in-app purchases because they were technically unauthorized – made by children on mobile devices linked to its site. Much to the parents’ regret, these transactions did not require passwords.

Apple and Google have settled similar agreements with the Federal Trade Commission.

So, keep an eye on transactions, banking records and your kids as they play. Most mobile devices even have the option of disabling or PIN-protecting in-app purchases so the little ones aren’t able to make purchasing decisions on their own.

Little extras can add up to a big cost for mom or dad. Or, in a more malicious case, someone with bad intentions could be purposely adding unwanted charges to your credit card.

Malware and privacy threats

Free mobile apps typically feature advertising and, of course, users can pay a premium to turn that off. That’s another transaction-based upgrade that turns free into not-so-free.

However, beyond the clutter and interruptions caused by real ads, malware can deliver a darker spin on free-to-play games through fake ads.

The Economic Times reports that Google has removed nearly 60 games, many of which were aimed at children, from its Play Store. The games were found to be infected with malware and bogus ads.

The malware displayed images that looked like real advertisements, causing concern and prompting users to download fake security software. The users were then encouraged to click on other links that would require payment.

Along with encouraging users to download scareware and pay for premium services, the malware also stole personal information. Those types of sensitive, personal records could include passwords, device IDs and credit card information.

And that can lead to identity theft and even larger financial threats.

So remember: only use trusted providers, read the reviews before installing the game, and keep in mind that there’s never any need to allow extensive access to your device or personal information. You’re just playing free mobile game apps, after all.

Free-to-Play mobile gaming security tips

Transaction-based issues and malware are two of the most common concerns associated with free-to-play mobile games. But by no means do they make up a complete list of potential risk factors.

This doesn’t mean you shouldn’t play free games online. But use caution. Scrutinize games labeled as free and realize that paying a reasonable price for software versus getting it for no charge is sometimes worth it.

Here are some more detailed security tips from US-CERT, the United States Government Computer Readiness Team:

  • Use antivirus software
  • Be cautious about opening web files
  • Verify download authenticity
  • Configure web browsers securely
  • Back up personal data
  • Use strong passwords
  • Update operating and application software

Just Keep Swimming: How to Avoid Phishing on Social Media

From Facebook to LinkedIn, social media is flat-out rife with phishing attacks. You’ve probably encountered one before… Do fake Oakley sunglasses sales ring a bell?

Phishing attacks attempt to steal your most private information, posing major risks to your online safety. It’s more pressing than ever to have a trained eye to spot and avoid even the most cunning phishing attacks on social media.

Troubled waters

Spammers on social media are masters of their craft and their tactics are demonstrably more effective than their email-based counterparts. According to a report by ZeroFOX, up to 66 percent of spear phishing attacks on social media sites are opened by their targets. This compares to a roughly 30 percent success rate of spear phishing emails, based on findings by Verizon.

Facebook has warned of cybercriminals targeting personal accounts in order to steal information that can be used to launch more effective spear phishing attacks. The social network is taking steps to protect users’ accounts from hostile data collection, including more customizable security and privacy features such as two-factor authentication. Facebook has also been more active in encouraging users to adopt these enhanced security features, as seen in the in-app message below.

Types of social phishing attacks

Fake customer support accounts

The rise of social media has changed the way customers seek support from brands, with many people turning to Twitter or Facebook over traditional customer support channels. Scammers are taking advantage of this by impersonating the support accounts of major brands such as Amazon, PayPal, and Samsung. This tactic, dubbed ‘angler phishing’ for its deepened deception, is rather prevalent. A 2016 study by Proofpoint found that 19% of social media accounts appearing to represent top brands were fake.

To avoid angler phishing, watch out for slight misspellings or variations in account handles. For example, the Twitter handle @Amazon_Help might be used to impersonate the real support account @AmazonHelp. Also, the blue checkmark badges next to account names on Twitter, Facebook, and Instagram let you know those accounts are verified as being authentic.
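The handle check described above can be automated. The following is an added example, not part of the original article: it compares a handle against a short list of accounts you already trust and flags near-misses such as separators, digit swaps, or a single changed letter. The allow-list (apart from @AmazonHelp), the substitution table, and the distance threshold are assumptions made for the illustration.

```python
import unicodedata

# Constructed allow-list: AmazonHelp comes from the article, the second entry is made up.
OFFICIAL_HANDLES = ["AmazonHelp", "ExampleBankCare"]

# Assumed substitutions: drop separators and fold digits that resemble letters.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                       "_": None, ".": None, "-": None})


def skeleton(handle):
    """Reduce a handle to a comparable form: no '@', lower case, no separators."""
    bare = unicodedata.normalize("NFKC", handle).lstrip("@").casefold()
    return bare.translate(_FOLD)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(handle, official=OFFICIAL_HANDLES, max_distance=2):
    """Return ('official' | 'lookalike' | 'unknown', matched official handle or None)."""
    bare = handle.lstrip("@")
    for real in official:
        # Handles are compared case-insensitively; an exact match is the real account.
        if bare.casefold() == real.casefold():
            return ("official", real)
    skel = skeleton(bare)
    for real in official:
        # Anything this close to a trusted handle, but not equal to it, is suspect.
        # Note: a fixed threshold is too loose for very short handles.
        if edit_distance(skel, skeleton(real)) <= max_distance:
            return ("lookalike", real)
    return ("unknown", None)


if __name__ == "__main__":
    for h in ["@AmazonHelp", "@Amazon_Help", "@Amaz0nHelp", "@AmazonHeIp", "@NationalGeographic"]:
        print(h, classify(h))
```

A "lookalike" verdict only means the handle deserves a closer look; the verification badge and the link from the company's own website remain the deciding checks.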

Spambot comments

Trending content such as Facebook Live streams is often plagued with spammy comments from accounts that are typically part of an intricate botnet. These spam comments contain URLs that link to phishing sites that try to trick you into entering your personal information, such as a username and password to an online account.

It is best to avoid clicking any links on social media from accounts you are unfamiliar with or otherwise can’t trust. You can also take advantage of security software features such as real-time anti-phishing to automatically block fake sites if you accidentally visit them.

Dangerous DMs

Yes, phishing happens within Direct Messages, too. This is often seen from the accounts of friends or family that might be compromised. Hacked social media accounts can be used to send phishing links through direct messages, gaming trust and familiarity to fool you. These phishing attacks trick you into visiting malicious websites or downloading file attachments.

For example, a friend’s Twitter account that has been compromised might send you a direct message with a fake link to connect with them on LinkedIn. This link could direct to a phishing site like the one below in order to trick you into giving up your LinkedIn login.

While this site may appear to look like the real LinkedIn sign-on page, the site URL in the browser address bar reveals it is indeed a fake phishing site. 

Phony promotions & contests 

Fraudsters are also known to impersonate brands on social media in order to advertise nonexistent promotions. Oftentimes, these phishing attacks will coerce victims into giving up their private information in order to redeem some type of discount or enter a contest. Know the common signs of these scams such as low follower counts, poor grammar and spelling, or a form asking you to give up personal information or make a purchase.

The best way to make sure you are interacting with a brand’s official page on social media is to navigate to their social pages directly from the company’s website. This way you can verify the account is legitimate and you can follow the page from there.

3 Tips for Securing Your Home WiFi Networks

Once your home WiFi network is up and running and your family’s devices are connected, it’s normal to turn a blind eye to your router. After all, it’s mostly out of sight and out of mind. Unfortunately, that small, seemingly harmless box isn’t as secure as you may think.

Your router is your gateway to the internet. Once it’s compromised, cybercriminals may be able to view your browser history, gain access to your login information, redirect your searches to malicious pages, and potentially even take over your computer to make it part of a botnet.

Attacks like these are becoming all too common. Last year, we saw a prime example when hackers gained access to routers from various manufacturers and infected consumers’ devices with malicious advertising (also known as malvertising).

In a more recent attack, hackers entered WordPress sites through their owners’ unsecured home routers. After hacking the router, the attackers successfully guessed the password for the WordPress accounts and took complete control of the sites. As security experts noted, this particular hack was made even worse by the fact that most users have little to no understanding of how to secure their home router.

Beef up your home WiFi network security

Here are a few precautionary steps you can take to help deter cybercriminals from infiltrating your home WiFi network:

  • Change the default username and password on your router. (Remember to update your WiFi password frequently!)
  • Configure your router’s settings to use strong network encryption (WPA2 is preferred).
  • Disable your router’s SSID broadcast so it isn’t visible to others.

 

Additionally, Webroot Chief Information Security Officer (CISO) Gary Hayslip recommends enabling a personal firewall.

“Hackers search the internet by using certain tools to send out pings (calls) to random computers and wait for responses,” he said. “Your firewall, if configured correctly, would prevent your computer from answering these calls. Use your personal firewall. The main point to remember is that firewalls act as protective barriers between computers and the internet, it is recommended you install them on your computers, laptops, tablets, and smart devices if available.”

Learn more about how to keep your WiFi connection secure with our Tips for Improving Router Security.

How to Outsmart Mobile Threats

As the holiday season kicks into high gear, keep in mind that shoppers are at an even higher risk of cyberattacks during this time of year. Salesforce projects that mobile users will account for 60 percent of traffic to retail sites around the globe this year. With the increased popularity of shopping on the go, more and more cybercriminals will move to prey on unsuspecting shoppers. Here are a few tips to minimize your chances of falling victim to cybercriminals this holiday season (and all year long). 

Sophisticated attacks on smartphones

The fact is, mobile threats are on the rise. The Webroot 2017 Threat Report revealed a spike in malicious mobile apps, noting that almost half of new and updated mobile apps analyzed over the previous year were classified as malicious or suspicious. That’s nearly 10 million apps, up from a little more than two million such apps in 2015.  

Given the rising frequency of cyberattacks and data breaches year over year, it’s no surprise that we’ve continued to see more sophisticated smartphone attacks. Some of the most common mobile threats users face are mobile web browser-based hacking, adware, remote device hijacking and eavesdropping, and breaches of mobile payment services.  

Why you need a mobile security app 

To avoid becoming a hacker’s next victim, protect your device with a mobile security app. A trusted security app can block infected or malicious apps and file downloads. It can also help protect your identity and personal information if your mobile device is lost or stolen. 

It’s worth pointing out that not all mobile security services are created equal. In October, independent testing firm AV-TEST found Google’s Play Protect service, which is designed to safeguard Android apps, to be “significantly less reliable” than third-party security apps, according to The Next Web.

 

Outside of a solid mobile security app, Webroot Chief Information Security Officer Gary Hayslip recommends making sure mobile devices are up to date:  

“I recommend getting in the habit of periodically checking for updates and, if any are available, installing them. Updates that are waiting to be installed are accidents waiting to happen; they are doorways that can be exploited to access your devices or steal or encrypt your information. Don’t make it easier for your device to be compromised, keep it updated with the latest patches.” 

Safety measures 

In addition to a mobile security app and frequent updates, you should also be protective of your mobile device’s connections. Follow these two tips to double-down on your mobile safety:  

  1. Turn off your Bluetooth: Bluetooth is a resurgent way for cyber deviants to gain access to your devices and personal information, so be sure to keep your Bluetooth off while out and about doing holiday shopping. 
  2. Data over WiFi: Public WiFi networks are notorious hotbeds for digital attacks. If you have to do your holiday shopping online in public, use your cellular connection instead. If you’d rather not use data, a virtual private network (VPN) is a great way to protect yourself while connected to a public network on your mobile device.  

New Cryptojacking Tactic May Be Stealing Your CPU Power

What if cybercriminals could generate money from victims without ever delivering malware to their systems? That’s exactly what a new phenomenon called “cryptojacking” entails, and it’s been gaining momentum since CoinHive first debuted the mining JavaScript a few months ago.

The intended purpose: whenever a user visits a site that is running this script, the user’s CPU will mine the cryptocurrency Monero for the site owner. This isn’t money out of thin air, though. Users are still on the hook for CPU usage, the cost of which shows up in their electric bill. While it might not be a noticeable amount on your bill (consumer CPU mining is very inefficient), the cryptocurrency adds up fast for site owners who have a lot of visitors. CoinHive’s website claims this is an ad-free way for website owners to generate enough income to pay for the servers. All altruistic excuses aside, it’s clear threat actors are abusing the tactic at the victims’ expense.

An example of cryptojacking

 

In the image above, we can see that visiting this Portuguese clothing website causes my CPU to spike up to 100%, and the browser process will use as much CPU power as it can. If you’re on a brand new computer and not doing anything beyond browsing the web, a spike like this might not even be noticeable. But if you’re using a slower computer, just navigating the site will become very sluggish.

Cybercriminals using vulnerable websites to host malware isn’t new, but injecting sites with JavaScript to mine Monero is. In case you’re wondering why this script uses Monero instead of Bitcoin, it’s because Monero has the best hash rate on consumer CPUs and has a private blockchain ledger that prevents you from tracking transactions. It’s completely anonymous. Criminals will likely trade their Monero for Bitcoin regularly to make the most of this scam.

CoinHive’s JavaScript can be seen in this website’s HTML:

 

CoinHive maintains that there is no need to block their scripts because of “mandatory” opt-ins:

“This miner will only ever run after an explicit opt-in from the user. The miner never starts without this opt-in. We implemented a secure token to enforce this opt-in on our servers. It is not circumventable by any means and we pledge that it will stay this way. The opt-in token is only valid for the current browser session (at max 24 hours) and the current domain. The user will need to opt-in again in the next session or on a different domain. The opt-in notice is hosted on our servers and cannot be changed by website owners. There is no sneaky way to force users into accepting this opt-in.”

For reference, here’s what an opt-in looks like (assuming you ever do see one):

CoinHive Opt-In

Why Webroot blocks cryptojacking sites

Unfortunately, criminals seem to have found methods to suppress or circumvent the opt-in—the compromised sites we’ve evaluated have never prompted us to accept these terms. Since CoinHive receives a 30% cut of all mining profits, they may not be too concerned with how their scripts are being used (or abused). This is very similar to the pay-per-install wrappers we saw a few years ago that were allegedly intended for legitimate use with user consent, but were easily abused by cybercriminals. Meanwhile, the authors who originated the wrapper code made money according to the number of installs, so the nature of usage—benign or malicious—wasn’t too important to them.

To protect our users from being exploited without their consent, we at Webroot have chosen to block websites that run these scripts. Webroot will also block pages that use scripts from any CoinHive copycats, such as the nearly identical Crypto-Loot service.

There are a few other ways to block these sites. You can use browser extensions like Adblock Plus and add your own filters (see the complete walkthrough here). If you’re looking for more advanced control, extensions like uMatrix will allow you to pick and choose which scripts, iframes, and ads you want to block.
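Site owners and analysts can also check a page's HTML for miner script references like the one described above. The following is an added example, not part of the original article and not Webroot's detection logic: it parses a page and reports script tags loaded from a miner host, plus inline calls to a miner constructor. The host list, the constructor pattern, and the sample page are assumptions constructed for the illustration; a maintained blocklist would be much longer.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hosts for the two services the article names.
MINER_HOSTS = {"coinhive.com", "crypto-loot.com"}
# Assumed constructor names used by inline embed code.
MINER_CALL = re.compile(r"\b(?:CoinHive|CryptoLoot)\.(?:Anonymous|User)\s*\(")

# Constructed sample page; the site key is a placeholder.
SAMPLE_PAGE = """<html><head>
<script src="/js/shop.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
</script>
</head><body>Spring collection</body></html>"""


class MinerScan(HTMLParser):
    """Collects (kind, evidence) tuples for miner references found in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self._in_inline_script = src is None
        if src:
            # urlparse also handles protocol-relative URLs such as //host/path.
            host = (urlparse(src).hostname or "").lower()
            if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
                self.findings.append(("external-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            match = MINER_CALL.search(data)
            if match:
                self.findings.append(("inline-call", match.group(0)))


def scan(html):
    """Return the list of miner references found in an HTML document."""
    parser = MinerScan()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, evidence in scan(SAMPLE_PAGE):
        print(kind, evidence)
```

A static scan like this misses scripts that are obfuscated or loaded at runtime, which is why blocking at the browser or network layer is still needed.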

 

Update 12/13/17:

CoinHive scripts running rampant

If there was ever any doubt around the severity of this emerging threat and the overall nefarious use of CoinHive’s scripts, it can be put to rest. CoinHive engineers have now essentially admitted that they’ve “invented a whole new breed of malware,” according to a report in the German newspaper Süddeutsche Zeitung.

With the continued price surges in Monero, and the cryptocurrency market as a whole, it seems cryptojacking becomes a more lucrative opportunity for cybercriminals with each passing day. And recent revelations have shown even more surreptitious methods being used by cryptojacking sites to evade user detection. One website was seen hiding a popup window underneath the Windows task bar in order to continue mining after users believe they have closed their web browser, according to Bleeping Computer.

CoinHive’s cryptojacking script was even spotted on public WiFi at a Starbucks in Buenos Aires, according to BBC News.

Why You Should Use a VPN on Public WiFi

Working remotely? It only takes a moment on a free WiFi connection for a hacker to access your personal accounts. While complimentary WiFi is convenient, protecting your connection with a VPN is the best way to stay safe on public networks, keeping your data and browsing history secure. 

What is a VPN?

VPN stands for “virtual private network” and is a technology that can be used to add privacy and security while online. It’s specifically recommended when using public WiFi, which is often less secure and often not password protected.

VPNs act as a bulletproof vest for your internet connection. In addition to encrypting the data exchanged through that connection, they help safeguard your data and can enable private and anonymous web browsing. However, even if you’re using a VPN, you must still be careful about clicking on suspicious links and downloading files that may infect your computer with a virus. Protecting yourself with antivirus software is still necessary.

When and why should you use a VPN?

When checking into your hotel, connecting to the WiFi is often one of the first things you do once settling in. While it may sound like a tempting offer, logging in to an unsecured connection without a VPN is a very bad idea. In July, ZDNet reported the return of hacker group DarkHotel, which aims to target hotel guests’ computers after they have logged on to the building’s WiFi. After compromising a guest’s WiFi, the hacker group can then leverage a series of phishing and social engineering techniques to infect targeted computers.

Traveling and lodging is just one example of when you can use a VPN to help stay secure and avoid potential attacks; however, anyone can benefit from using a VPN.

Whether you’re checking Facebook on an airport hotspot, accessing your company files while working remotely, or using an open network at your local coffee shop, using public WiFi can potentially put the data you’re sending over the internet at risk. For businesses looking to secure their guest WiFi, click to learn more about our DNS protection solution.

Ready to take back control of your privacy? Webroot WiFi Security is compatible with devices running iOS®, Android, macOS® and Windows® operating systems, and is now available to download on the Apple App Store, Google Play store, and Webroot.com.

Two-Factor Authentication: Why & How You Should Use it

Conventional wisdom about passwords is shifting, as they are increasingly seen as a less-than-ideal security measure for securing digital accounts. Even the recommended rules for creating strong passwords were recently thrown out the window. Average users are just too unreliable to regularly create secure passwords that are different across all accounts, so using technology to augment this traditional security is imperative.

From online banking to email to cloud-based file storage, much of our high-value information is in danger if a hacker gains access to our most frequently visited sites and accounts. That’s where two-factor authentication comes in.

Two-factor authentication (2FA) adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are is an added layer of security. Each layer of security that you add exponentially increases protection from unauthorized access.

Three categories of two-factor authentication:

  1. Something you know, such as a password.
  2. Something you have, such as an ID card, or a mobile phone.
  3. Something you are, a biometric factor such as a fingerprint.

The two factors required should come from two different categories. Often, the second factor after entering a password is a requirement to enter an auto-generated PIN code that has been texted to your mobile phone. This combines two different categories of factor: something you know (your password) and something you have (your mobile phone to receive a code in SMS text or code from a 2FA app).

Protect accounts with an extra layer of security

Popular social media sites, including Twitter, Facebook, Instagram and Pinterest, have added 2FA to help protect users. In addition, you may have noticed that services from companies such as Apple, Google and Amazon will notify you via email each time you log in from a different device or location.

While 2FA from an SMS text message is popular and much more secure than a password alone, it is one of the weaker types of 2FA. This is because it’s relatively easy for an attacker to gain access to your SMS texts. When you log in to your account and are prompted for an SMS code, the website sends the code to a service provider, which then relays it to your phone.

This is not as secure as everyone thinks, because the phone number is the weakest link in the process. If a criminal wanted to steal your phone number and transfer it to a different SIM card, they would only need to provide an address, the last four digits of your social security number, and maybe a credit card number.

This is exactly the type of data that is leaked in large database breaches, a tactic to which most Americans have fallen victim at some point or another. Once the attacker has changed your phone number to their SIM card, they essentially have your number and receive all your texts, thus compromising the SMS 2FA.

Many people are guilty of using weak passwords or the same login information across several accounts, and if this sounds like you, we recommend that you use authenticator apps such as Google Authenticator and Authy. These apps are widely supported and easy to set up.

Simply go to the “account settings” section on the site you want to enable. There should be an option for 2FA if it is supported. Use the app on your phone to scan the QR code and, just like that, it’s configured to give you easy six-digit encrypted passwords that expire every 30 seconds.

What happens when you’re not using sites that have 2FA enabled? Quite simply, security is not as tight and there’s a higher risk of a hacker gaining access to your accounts. Depending on what is stored, your credit card information, home address, or other sensitive data could be stolen and used to commit fraud or sold on the dark web.

Learn how to enable 2FA on your Webroot SecureAnywhere in our Community Knowledge Base.