More ransomware, another clumsy employee, beware of these social media tricks and online gamers under attack.
Welcome to Cyber Security Today. It’s Friday September 25th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
 |
 |
 |
Ransomware gangs continue to claim they have successfully invaded organizations and stolen data. According to a cyber firm called Risk Based Security, one of the latest is a U.S. based company that creates and sells displays to businesses for trade shows. As of the recording of this podcast the company hasn’t confirmed the attack so I’m not naming it. However, researchers say a criminal gang is showing over 200 gigabytes of files it says were copied from the victim company. The data includes people’s names, credit card numbers, social security numbers, and bank account information of businesses. With ransomware and other cyber attacks increasing executives have to be seriously discussing encrypting all data they hold for protection against theft or destruction.
If companies aren’t victims of attacks they’re often victims of clumsy employees who leave data open on the Internet. One of the latest examples is Town Sports, an American chain of fitness clubs. A security researcher came across an unprotected database with 600,000 records of members and employees. Data included names, addresses, email addresses, billing histories and some payment information. This database apparently had been sitting open for 11 months. It’s unknown if any crooks also found it.
Accidents like this often happen because some employee starts compiling customer information on a databases and forgets to put a password on it in violation of company training.
Criminals continue trying to trick social media users into giving away their passwords. The news site Bleeping Computer has come across a new one: Sending Twitter and Instagram users messages pretending to be from those companies offering to give them verified checkmarks beside their usernames. These checkmarks have become valuable because they convince people your account is real. Beware of messages like this. If you want your account verified, go to Twitter or Instagram’s home page, login there and find the verification process. Don’t log into a site from a link or a message you’ve been sent.
Another trick is sending a message that one of your posts has violated Twitter or Instagram’s copyright rules. You have to login to the form supplied and dispute this claim. Again, ignore messages like this, or go to the home page yourself and log into your account for confirmation. It also helps to enable two-factor authentication on your social media and email accounts in case you make a mistake.
I’ve mentioned before that online video gamers are often targeted by hackers. They want users’ names, passwords, credit card numbers and email addresses. A new report by researchers at Akamai and DreamHack notes attacks have been going up since the spring, when more people began working from home — and they also started spending more time playing online games. One common tactic is throwing lists of stolen passwords at logins in an attack called credential stuffing to crack a password. Another is suckering people into clicking on attachments in an email which leads them to a fake game website where their password is stolen. And there are direct attacks trying to compromise the websites of online games. The report notes online gamers are targeted because they often have disposable income. Gamers need to take precautions including using two-factor authentication if available to protect their all logins. And, like everyone else, they shouldn’t use the same password on more than one site. Meanwhile game companies have to take more protections including offering two-factor authentication to users and their website administrators.
Finally, if you haven’t updated Instagram in a while make sure you do now. Security company Check Point Software identified a problem earlier this year and tipped off parent company Facebook. It was fixed in February but word is only getting out now in hopes that all users have installed the latest version by now.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.