Executives targeted with Office365 scam, update Unix and Linux systems, phone numbers stolen from Facebook and advice for Data Privacy Day
Welcome to Cyber Security Today. It’s Wednesday January 27. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
Executives in Canada, the U.S., Europe and other countries are being targeted with a phishing scam aimed at stealing their Microsoft usernames and passwords. According to the security firm Trend Micro, the scam works like this: The victim gets an email that pretends to be from an IT administrator warning their Office365 password is about to expire. To continue using the same password they have to click on the option ‘Keep password.’ But that leads to a phony Office login web page. If the executive enters their credentials they are captured by the crooks, who sell them for between $250 and $500 each.
Those behind the scheme are investing a lot of time finding targets. At least one victim seems to have been chosen using information from his LinkedIn biography, including his email address. The report notes that a number of hacker platforms sell lists of information on C-level people including email addresses, Facebook profiles and more which those behind this scheme can use for targeting.
One lesson is executives should be careful about what they post on LinkedIn, Facebook and other social media sites, including on their personal sites. That information — work projects, favourite vacations, hobbies, family members — can be used against them.
This scheme works in part by compromising websites so that unwitting companies host the fake Office365 login page. Organizations have to do a better job of securing their websites and constantly looking for suspicious code. Anyone clicking on a link that takes them to a page asking for their username and password should check carefully where the page is actually hosted. And remember, legitimate service providers and vendors will never ask you for details like your login credentials.
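As an added illustration of "check where the page is hosted" (example code, not part of the original episode or of Trend Micro's report), the function below pulls the hostname a browser would really connect to out of a link and compares it against a set of expected login hosts. The set of hosts and the sample URLs are constructed for the example; the right set for a given organization depends on how its tenant is configured.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts a genuine Microsoft work-account login uses.
# Confirm the list against your own environment before relying on it.
EXPECTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}


def effective_host(url: str):
    """Return the lowercase hostname the browser will connect to, or None.

    urlsplit() separates the host from any path, query, port or
    user-info prefix, so brand names placed elsewhere in the link
    do not influence the result.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def classify_login_url(url: str, expected=frozenset(EXPECTED_LOGIN_HOSTS)) -> str:
    """Classify a link that lands on a credential prompt.

    'expected'   - host is one of the known login hosts
    'lookalike'  - a known host name appears inside a different host
    'unexpected' - some other site entirely (for example a compromised site
                   hosting a copied login page)
    'invalid'    - not an http(s) URL with a host
    """
    host = effective_host(url)
    if host is None:
        return "invalid"
    if host in expected:
        return "expected"
    # Host contains a known login host as a label prefix or substring,
    # e.g. login.microsoftonline.com.some-other-site.example
    if any(good in host for good in expected):
        return "lookalike"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample links, labelled for the demonstration only.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://compromised-site.example/office365/login/keep-password.html",
        "https://login.microsoftonline.com.some-other-site.example/signin",
        "mailto:admin@compromised-site.example",
    ]
    for s in samples:
        print(f"{classify_login_url(s):12} {effective_host(s)}  {s}")
```

The key point the code makes is that only the hostname decides who receives the credentials; a familiar name in the path, or a familiar name followed by more labels, means the page belongs to a different site, which is exactly the pattern the episode describes when compromised company websites host the fake login page.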
If you've received a suspicious call on your cellphone lately, the number may have been stolen from Facebook. The news site Motherboard reports that someone on a criminal forum is selling crooks access to a database of phone numbers of Facebook users. The person advertising the service says it contains data on 500 million people. Facebook told the news site that the data was exposed by a vulnerability it fixed in 2019.
This may relate to a scam going around where crooks call a cellphone number and quickly hang up, hoping you will call back to see who it was. That triggers a $50 charge to your account. If someone calls and doesn’t leave a message, don’t call back.
Attention Linux and Unix system administrators: A serious vulnerability has been found in almost all versions of these operating systems. The vulnerability had been there for a decade before being discovered. A security company called Qualys found the bug and warned Linux developers. Make sure you're running the latest versions.
Finally, tomorrow, January 28th, is the annual international Data Privacy Day. I've written a long article for ITWorldCanada.com aimed at companies. But for individuals I have a few tips: Enable two-factor authentication to protect your email, bank and social media logins. Use a password manager to keep track of and protect your passwords. Don't use passwords that can be easily guessed. Protect your cellphone by locking it with a password or a fingerprint so no one else can use it. Further protect your cellphone from being taken over by someone impersonating you at your carrier by having a unique PIN on your cellphone account.
If you're an executive or really worried about privacy, here are a few tips from the National Security Agency, which advises U.S. government employees on using smartphones safely: Don't use public Wi-Fi systems in hotels, malls or arenas; disable Bluetooth when you're not using it; use a protective case that covers and muffles the microphone when the phone isn't in use; install only the applications you need, and only from the Google Android or Apple app stores; make sure the phone has the latest updates; power the device off and on once a week. And be careful what you say on the phone.
That’s it for today.