Twitter hack aftermath, more Android malware, actors on alert and a streaming media warning.
Welcome to Cyber Security Today. It’s Friday July 17th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
This week’s embarrassing hack of celebrity Twitter accounts so crooks could tweet a bitcoin scam should serve as a wake-up call to organizations. Several experts I talked to said firms need to toughen security controls for IT administrators who have access to user accounts. The attackers didn’t hack individual accounts. They got into a bunch of accounts by accessing system management tools that were in the hands of a few employees. While Twitter was worried about disinformation and fake accounts on its platform, it forgot to take extra steps to prevent account takeovers. Twitter has given a vague account of what happened. It would be helpful to give a more detailed account so other companies can learn lessons. Meanwhile, consumers can learn too: If a deal sounds too good to be true it probably is, especially on the Internet. Especially if it’s offered by a celebrity. Why would a celebrity give away money? Answer: Because their account was hacked.
Criminals are finding new ways of infecting Android apps to steal money. A report this week from a security company called ThreatFabric details the latest malware. It’s aimed at stealing money and personal data from 337 apps, including banks. Called BlackRock, it is often distributed as a fake Google Update app, but NOT in the Google Play store. After installation, any time a victim accesses their bank account or buys products, this malware plants an overlay on top of the login screen. Then the malware copies the bank or payment card username and password and forwards it to the crooks. It also interferes with any antivirus software on their phone. Banks in Europe, Australia, the U.S. and Canada are among the targets, as well as eBay, Amazon and PayPal. To make sure you’re not a victim, limit the number of apps you download, only download apps from the Google Play store and, when choosing an app, make sure it’s from a reputable company and has been reviewed independently.
Another company has allowed private data to be seen on the internet because an employee left a database unprotected. According to a website called Safety Detectives the company was a U.S. online casting company called My Casting File. Names, addresses, phone numbers and other personal information of about 260,000 actors could have been seen by anyone who knew where to find it. The data could be used for phishing, impersonation or stalking.
Cheating doesn’t pay. It doesn’t pay when you write exams, do your taxes — or try to get around streaming media services. A report out this week from security vendor Kaspersky notes that apps or phishing messages promising free access to Netflix, Disney Plus, Hulu, Amazon Prime or Apple TV Plus without paying come with a price: Malware that steals your payment card data or data on your computer. Crooks use a number of techniques: You may get a phishing message offering free access to the final show of a series for creating a so-called free account. Or see ads offering “Free Netflix Accounts” or “Cheap Hulu Subscriptions.” Or you may go hunting for an unofficial or modified version of a real streaming media app to save money. The five shows most often used as lures are The Mandalorian, Stranger Things, The Witcher, Sex Education and Orange is the New Black.
These types of scams need your greed. But remember also, if you’re a legitimate subscriber, to beware of email or text messages that ask you to log into your account to check or update your account. Finally, if you do have a legit streaming media account, make sure it has a password that’s different from all the other passwords you have. Crooks are always looking to log into streaming media accounts with stolen passwords.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.