Fake Office 365 site, don’t trust strangers and warning on college web site software
Welcome to Cyber Security Today. It’s Monday July 22nd. I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
Cyber criminals want to spread malware as widely as they can, so they look for popular online sites or services to exploit, like Hotmail or Yahoo Mail. According to a news report from Bleeping Computer, a realistic but phony Office 365 website is one of the latest. The goal is to trick you into downloading malware. A few seconds after you get to the fake site a message pops up that your Chrome or Firefox browser needs to be updated. Just click here. That supposed update installs malware that will steal login usernames, passwords and more. So here are two pieces of advice: never install a browser update from anywhere other than the browser itself, usually from the Settings or Help menu. Better yet, turn on the auto-update feature. If you’re an Office 365 user and worry you might have been victimized, do a virus scan — which you ought to do once a week anyway.
Don’t trust strangers on the Internet. That’s one of the golden rules of cyber security. This comes to mind with a report that security company FireEye has detected a resume attack scheme using LinkedIn. A person named “Rebecca” replied to an organization’s requests for resumes. She claimed to be a researcher at the University of Cambridge. At one point in the online conversation “Rebecca” posted a link to a document she wanted the target to read. Clicking on that link would have led to the downloading of malware. FireEye says it’s seen this kind of attack against governments and the energy sector. There are a few lessons here: First, in general, be careful about strangers who try to befriend you by email or on social media, and then want to send you a document. Second, organizations that want people to send resumes through email or social media better be careful. The organization’s IT security may not be up to detecting all threats. If you are sending out requests for resumes, research, white papers and so on, check with your IT security if there’s a safe way to do it.
The U.S. Department of Education says thousands of fake or fraudulent student accounts have been created by attackers exploiting a flaw in the Ellucian website software used by 62 universities or colleges. Some of those accounts were quickly used for unspecified criminal activity. The vulnerability allows the attackers to access admissions and enrolment information. Students can use the software to register for courses, apply to classes and edit schedules. Institutions using software from Ellucian Company should make sure they have the latest versions.
Finally, if you want your browsing private don’t go to porn sites. That’s the conclusion of university researchers after analyzing the web pages at over 22,000 adult sites. Ninety-three per cent of them sent tracking data like the pages visitors are on to online advertising or web analytic sites. Browsers have incognito mode, but that only means your browsing history is not stored on your computer. The problem is someone might make improper inferences about you based on the porn pages visited. So for better privacy, use an ad blocker. And forget about trusting porn sites’ privacy policies.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.