Fake government procurement websites found, protect your Ring surveillance camera, a production company hacked and more
Welcome to Cyber Security Today. It’s Monday December 16th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Some group is putting a lot of effort into a sophisticated scheme for stealing login passwords and usernames of people who use government departments around the world. The particular targets are the procurement websites where governments issue notices for buying everything from desks to trucks. A security company called Anomali says it has found fake websites imitating those of Canada, the U.S., Mexico, South Africa, Sweden and Australia. Two international courier websites are also being imitated. The scam starts with a company receiving a fake email invitation to bid on a government contract. Usually companies entitled to see offers have already registered with the government, including creating a username and password to let them log in. The email includes a link to what is supposed to be the procurement site, but instead the victim goes to a very convincing looking copy. Then the victim is given a choice of logging in with email credentials from providers like Microsoft, Google and Yahoo. There are a variety of reasons why an attacker wants to steal login credentials of a business supplier. The best reason is to log in themselves and infiltrate a government department.
What makes this campaign tricky for businesses is that the Internet addresses of the fake sites are also convincing. Anomali says that right now none of the fake sites are active, but that doesn’t mean they won’t be shortly. Companies that do business with governments at all levels have to make sure their purchasing staff follow rules. One is to never log into a government site from a link in an email. Instead, go directly to the procurement site. Depending on the government, it may also be suspicious if the site asks an employee to log in using email credentials like Microsoft Office or Gmail.
The online store of Rooster Teeth Products, which makes online video shows including Red vs Blue, has been hacked. People who bought things on or around December 2nd may have had their credit card numbers stolen because they were switched to a fake payment page.
I’ve mentioned before that the credit and debit card payment machines on gas station pumps can be hacked. Visa has just issued an alert reminding gas station owners and drivers of the threat. Companies need to make sure their systems are protected. Consumers should only use credit or debit cards with security chips in all payment machines. Or, just pay cash.
There have been a number of recent news stories about Amazon Ring Internet-connected surveillance cameras being hacked. This is especially serious if a user has a video camera inside the house. That allows the hacker to see who’s home. In one case the camera was in a youngster’s bedroom, so the parent could see and talk to their child from another part of the house. Well, the child was spooked when a stranger started talking to her. As I’ve said before, anything connected to the Internet can be a threat if it isn’t secured right. First, that means having a unique, hard to guess password for every device. Home hackers — those going after Internet-connected computers, smart speakers, TVs and surveillance cameras — will first try to break passwords using lists of stolen passwords and commonly used passwords. Like “password.” Second, if the device offers two-factor authentication for extra login security, use it. The Amazon Ring system offers it. When deciding which smart device to buy for your home consider whether it offers two-factor authentication.
Speaking of two-factor authentication, Mozilla, which is behind the Firefox browser, will soon force developers of add-on applications to enable two-factor login authentication for their accounts. Browser add-ons or extensions can help make skimming through the Internet easier. They are useful things like password managers, spell checkers, PDF readers as well as fun additions to games. But for hackers extensions can also be a way into millions of computers if they can compromise an app. Then anyone who downloads the app or updates it is stung. It’s happened already to developers of Chrome extensions. Making developers use two-factor authentication will make it harder for hackers to use this trick to get into your computer.
Finally, are you a WordPress administrator whose site uses the Ultimate Addons for Beaver Builder or Ultimate Addons for Elementor? If so, make sure you update to the latest versions. They close a serious vulnerability.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.