Two churches become cyber victims, Outlook attacks increase, a phony Android game site discovered and news on password managers.
Welcome to Cyber Security Today. It’s Friday May 3rd. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Criminals have no heart. That was demonstrated with news of two recent cyber heists at churches. The pastor at a Catholic parish in Brunswick, Ohio has sent a letter to parishioners telling them the church has lost $1.75 million from its renovation fund. An attacker pretending to be from the construction company had hacked into the church’s email and sent messages to someone looking after finances. They said the construction company was changing banks and that monthly payments should go to an account in a different financial institution. The lesson here is those who handle money for organizations have to be suspicious when getting email or a phone call telling them to change a regular payment process. Independent verification is important.
Meanwhile CTV news reported that at least one member of a Catholic church in Stratford, Ontario lost hundreds of dollars in an email gift card scam. The victim got an email from what appeared to be the pastor asking for donations of iTunes gift cards for hospital patients. So she bought them and emailed card serial numbers to the person who sent the message. This is an increasingly common scam where someone in an organization emails staff asking them to buy gift cards for holidays, birthdays or charity. The cards, of course, go to a criminal who uses them. Be careful if you get an email with requests to buy gift cards. These messages can look real because the sender’s email has been hacked.
Both of these incidents are another reminder of why two-factor authentication is so important to protect email. Often attackers will hack an email and then pretend to be the sender. Recipients of messages are fooled because the email address of the sender is legitimate. Organizations and individuals should look into whether their email provider offers two-factor authentication, which is an extra step in addition to a username and password for verifying your email login. The extra step is usually a six-digit code sent to your smart phone, or a fingerprint. If you don’t understand what two-factor authentication is, do an Internet search.
Speaking of email, security vendor Barracuda Networks notes there’s been a rise in attacks on people who use Office 365. Just because you have a cloud-based email service doesn’t mean you can slack off and use weak passwords. Barracuda says some people were victimized because they had used the same username and password somewhere else, where it was harvested in a data breach. Then criminals try the combination everywhere they can. Other victims just had unsafe passwords. Others fell for phony messages pretending to be from Microsoft that asked for their login credentials. What happens after getting into your email is criminals look for ways to dupe you into sending them money, or use your email to launch attacks on others. So protect your email with two-step authentication.
The Google Play store has a wide variety of apps, but it’s not the only place you can get Android apps. The problem is other app stores can be risky. A report this week from security vendor Zscaler tells why: A site called “Smart Content Store” seems to have a bunch of games, but when you try to download one, it appears a blank icon has been installed on your phone. Click on it and victims see a screen that says “Smart World” free content, and Sexy World. Click on either button and it starts a chain of events where victims get asked for administration privileges, and the app then goes on to scan the phone book and contact list. Be careful where you download apps from.
Finally, I’ve talked about the importance of password managers to keep track of all the passwords you have. This week PC Magazine has a helpful article rating a number of managers. You can find it at pcmag.com. Remember, when you get a password manager it needs to be protected with a strong password or passphrase. And yes, it has to be protected with two-step authentication.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.