Crafty email scammers, bad webcam security and watch out for ‘fleeceware’
Welcome to Cyber Security Today. It’s Friday, September 27th. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
With all the malware distributed by email you’d think security companies could make a product that can scan a company’s email for suspicious links and issue alerts. Actually, there is one. It’s called a secure email gateway. Several companies sell them. However, according to a security firm called Cofense, criminals have come up with a response: They’ve found a way to hide the real destination of a malicious link in an email. The scam works like this: The victim gets an email from what looks like a big company saying there’s an invoice. There’s a link to view the invoice. Click on it, and the victim gets taken to a fake Microsoft Office web site that asks for a login. The game, of course, is to steal usernames and passwords. The con is that the link to the invoice is disguised to fool secure email gateways. So, be wary of email with an invoice you’re not expecting. Be especially wary if you have to log into something after clicking on a link in an email.
Here’s another warning about the poor security of webcams in your home. A security company called Wizcase says it found 15,000 on the Internet in countries around the world that a hacker could break into. The problem is surveillance cameras are made to give the owner remote access. But many don’t come with tough security. So before you buy, ask about the security features of a webcam. And when you install one, make sure the default configuration and password are changed.
Administrators of the vBulletin software for website comment forums are being urged to take their systems offline until a security patch has been installed. Reports of a vulnerability that will allow an attacker to take over vBulletin were released earlier this week, and according to news reports it was quickly being exploited. Users of the cloud version of vBulletin aren’t affected.
You’ve heard of malware. You should also beware of “fleeceware.” That’s what security company Sophos calls Android apps that fleece you into paying big bucks for using them. Here’s how it works: The app says it can be used for a short trial period, after which you have to pay. The thing is, to get the app you have to give a credit card number. To cancel the app, not only do you have to uninstall it, you also have to tell the developer it isn’t wanted anymore. If you don’t do both, you get charged hundreds of dollars. Google has removed 14 of these apps, but more are still in the Play store. Many of these apps are QR or barcode readers, calculators, tools to make animated GIFs, or photo editors. As Sophos notes, there are free versions available for all these utilities from well-known and trusted developers.
Apple released iOS 13 and iPadOS only this week and already there’s a bug: Some third-party keyboard apps could give themselves full access permission to anything you type, even if you’ve turned full access off. This is important for people who don’t like the keyboard that iPhones or iPads come with. Instead they download another keyboard, like Gboard, Grammarly or SwiftKey. Some of these never ask for full access, so they aren’t a problem. Other keyboards that have the option of full access are the problem. If you’re worried, you could uninstall the keyboard app and use the one that comes with the device until Apple issues a fix. That should be coming shortly.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.