Apple mail warning, Skype scam, ignore free streaming video and more finance scams.
Welcome to Cyber Security Today. It’s Friday April 24th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Attention iPhone and iPad users: Executives, reporters and others worried about their security are being warned to temporarily stop using the standard email app that comes with those Apple devices after the discovery of a serious vulnerability. A San Francisco security company called ZecOps says the problem allows a hacker to infect a device by sending a specially-crafted email. There’s no attachment that has to be clicked. In some cases a victim will be infected without having to click on the email to read it. ZecOps believes devices of six specific people have already been hacked. Apple has been notified and is expected to release a quick fix shortly. iPhone and iPad users should be looking for it.
UPDATE: Many news services are quoting a statement from Apple casting doubt on the ZecOps conclusion. “We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”
“These potential issues will be addressed in a software update soon,” the statement added.
Attention Skype users: A hacker is trying to infect your device by sending an email that looks like it came from the Skype team. The emails seen by a security company called Cofense have the subject line “Notification” and the victim’s email address. They have the familiar Skype logo. The message says you have a number of pending notifications, and to see them click on the Review button. That will lead to a login page that looks like it’s from Skype. And the website address starts with the phrase “Skype-online.” But it’s a fake meant to capture your login username and password. In fact it automatically fills in your email address, so all you have to do is fill in the password. One way to tell it’s a fake is the website address is “skype-online0345”, which is probably meant to look like Office365. Here’s another: Check who sent the message. In these cases the attacker hacked the email of people victims know and sent it from their email accounts. But if it’s a message from a friend, why does it appear to come from the Skype team? It shouldn’t, which is why it’s a fake.
I’ve talked before about scams that trick companies into sending money to a criminal’s bank account instead of the real partner’s account. Security company Check Point Software has discovered another one. Briefly, the scam works like this. Email accounts of targeted employees of a bank or investment company, usually of executives or people in the finance department, are hacked so the criminal gets to know how the company works. Then a lookalike website is set up so the criminal can create an email account similar to the target company’s. After that the criminals intercept email to create fake money transfer requests from a partner company or create new money requests. In this investigation about half a million dollars was lost. This type of scam can be defeated with tough email security so accounts can’t be hacked. And those who handle money transfers have to be trained to verify where money is going, particularly if there’s a request to change the usual bank account it goes to.
Finally, beware of free. It may turn out to bite you. That’s the message from security vendor ZeroFox about streaming video scams going around social media. Some are tied to the COVID-19 pandemic, saying there’s a limited time offer of free service to existing streaming customers due to the so-called “quarantine.” One scam distributed across WhatsApp has a link to what looks like a real streaming media site. You know it’s a con if you have to answer some questions like ‘Are you taking care to prevent the virus from proliferating?’ Then you are asked to share the free offer with 10 other people in order to activate the free subscription. That, of course, just spreads the scam. You enter your subscription username and password, which the crook captures. Then you get sent to the real service provider’s web page. Scams like this are common.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.