March Cyber Bytes

Look out for identity theft and fraud crimes as tax season begins

Source: Help Net Security on March 3, 2022

Now more than ever, life happens online. But, with greater connectedness comes enhanced risk. Millions of Americans fall victim to identity theft and fraud each year, resulting in billions of dollars in losses. “In today’s digitally connected world, cyber fraud and identity theft have become the ultimate crimes of opportunity: as quickly as vulnerabilities are detected and protected against, new ones emerge. Yet, few resources exist to help Americans, experts and the news media understand digital fraud and the latest attacks,” says Emily Snell, President of Allstate Identity Protection.

To help solve for this, Allstate Identity Protection is launching a report designed to shine a light on the latest lines of attack being utilized by identity fraudsters.

Many falling victim to identity theft and fraud

Between October and December 2021, total identity theft and fraud cases increased by 11%, led by rapid spikes in instances of fraudulent credit and/or loan account creation, inquiries, and applications. Fraudulent creation of new credit and loan accounts grew by 61% from 2020 to 2021. By December 2021, this type of fraud accounted for over half of our total identity theft cases. Another 42% of cases from October to December 2021 were instances of credit and loan applications.

Be on the lookout for disability fraud

After defrauding the government agencies that handle unemployment fraud, scammers may be turning to the state-level agencies that oversee disability benefits. Between November and December 2021, open cases involving false disability insurance claims in California doubled compared with previous months. As this year’s tax season gets underway, Americans should watch out for signs of disability fraud. Victims may receive a letter related to disability benefits for which they did not apply, or an employer may notify the victim that someone has filed for disability in their name.

Unemployment fraud on the decline

Reports of unemployment and tax fraud continue to decline, with both constituting just 1% and 0.6%, respectively, of total remediation efforts between October 1, 2021 and December 31, 2021. Fueled by the pandemic, unemployment fraud at one point accounted for nearly three-quarters of all remediation cases. “Though steep drop-offs in unemployment and tax fraud are encouraging, we expect to see both on the rise again this tax season, as many victims of these types of fraud do not realize they have been targeted until they file taxes,” says Allstate Identity Protection VP of Product Lewis Bertolucci.

Beware of QR Code Scams

It’s so easy to click on a QR code. Criminals are counting on it.
Source: Heidi Mitchell, The Wall Street Journal on March 19, 2022

During the Super Bowl in February, one ad grabbed a lot of attention: a mysterious bouncing QR code that enticed viewers to point their phones at their screens and click through to an unknown website. (Spoiler alert: It was for Coinbase.) Within seconds, more than 20 million people had done just that, crashing the cryptocurrency-exchange platform. The incident illustrated just how willing people are to click on QR codes, but unfortunately for consumers, marketers aren’t the only group that understands this. Two months before, in December, a much darker scenario involving QR codes unfolded when malicious actors placed QR-code stickers on parking meters in major Texas cities, directing drivers to a fraudulent website where they supposedly could pay for parking.

“People were tricked into putting in their credit-card information,” says Eric Chien, security threat researcher at Symantec, part of Broadcom Software’s security technology and response division. “It was a really well-done attack.”

While QR-code scams aren’t common, the risks are rising, security researchers say. The Better Business Bureau’s Scamtracker site lists just 46 QR code-related attacks in the U.S. since March 2020. But as consumers become more accustomed to using QR codes—there has been a 750% increase in QR-code downloads since around March 2020, according to link-management service Bit.ly—security officials expect more attacks. The FBI even released a statement in mid-January about QR-code schemes to raise awareness.

In a typical scenario, scammers post a notice—often posing as a business or other organization that people recognize and trust—that includes a quick-response code, a type of matrix bar code that stores information. When scanned with a camera or app, the code leads to a webpage that might ask unsuspecting users to enter personal information such as a credit card, which is then stolen, or it may install malware to gain access to victims’ devices in perpetuity.

Going phishing

Originally devised in the 1990s by a subsidiary of Toyota to track cars and parts during manufacturing, QR codes replaced things like menus, tickets, brochures, package-tracking numbers and boarding passes as the country moved to “touchless” interactions when the Covid-19 pandemic hit. Rather than handing out menus, for example, a restaurant might ask patrons to simply scan a square matrix bar code with their smartphone cameras, which would lead them with one click to a website where they could view the menu. Now those squiggly squares are seemingly everywhere.

When they’re malicious, QR code scams are essentially a new form of phishing attack, where scammers direct victims to a bogus website and proceed to ask for personal information. Most smartphones “just read the code and open the link without ensuring that it is safe or that it is, in fact, what it says it is,” says Justin Fier, director of cyber intelligence and analytics at artificial-intelligence cybersecurity firm Darktrace, so users may not know they have been had. What’s more, he says, adept attackers can use a QR code to send users to a spoof site for exploitation, then pass the information users enter on to the authentic site, an action called a “man-in-the-middle” attack in cybersecurity parlance.

Scammers are exploiting a decision-making mechanism smartphone users have taken for granted: urgency bias. “A QR code is a tool to encourage a quick action from a consumer,” says Jason Cheung, principal fraud analyst at Digital River, which helps brands navigate the back-end processes of online selling. Ads like the Coinbase Super Bowl spot, he says, normalize the point-and-click response. “I couldn’t help my hand wanting to click on my phone and scan the QR code, and that is dangerous,” says Mr. Cheung. “It’s so unconscious, you have to really train yourself out of the habit.”

More work for scammers

Some experts expect QR code scams to remain rare. While it’s easy to make a QR code that sends users to a URL that looks authentic and asks for login credentials or bank information, “the good news is that criminals are lazy,” says Mike Benjamin, vice president of security research at Fastly, a cloud-computing and security services provider. “Having to physically place QR codes around a city and making them look perfect, rather than just sending simple phishing emails, is extra work,” he says. Symantec’s Mr. Chien says having to be physically located nearby to swap out restaurant menus or put stickers on meters doesn’t lead to a good return on investment compared with, say, “breaking into banks and stealing the account information of millions of people in minutes.”

According to security researchers, there are some simple rules to follow to avoid being had by a QR phishing scam. Mr. Chien says to only scan QR codes that are “baked in,” meaning they are printed on a device or other informational material at the time of manufacturing, not stuck on after the fact.

“Most legitimate QR codes are not a sticker someone has added on,” he says. If you do scan one, check the domain that pops up on most smartphones before clicking. The parking-meter scam in Houston, for example, sent users to the now-defunct “passportlab.xyz,” which then directed them to log into a “Quick Pay Parking” system. That should have been a red flag, he says, since a legitimate QR code from a city would likely lead the user to a municipal website, usually ending in .gov or .org, or to an obviously city-run app (typically advertised by being printed on metal and affixed to a pole).

The best way to thwart would-be scams is to manually input the desired website when a QR code seems fishy or untrustworthy. Installing a QR-code scanner app with added security can also help identify swindlers, should you choose to scan. The rest comes down to standard cyber hygiene and practices everyone should employ to guard against any manner of phishing attack: Use a password manager, which won’t autofill your credentials on a suspicious site; make sure your credit cards have functions to protect against theft and fraud; don’t input personally identifiable information on an unknown website.
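An added illustration, not from the article or from any scanner app, of the domain check the researchers describe above, written as the kind of triage a QR-scanner front end could run before opening a link. The expected-TLD list, the shortener list and the host example-city.gov are assumptions; passportlab.xyz is the domain the article names.

```python
from urllib.parse import urlsplit

# Top-level domains a city-run payment page would plausibly use, following the
# article's point that a municipal QR code should lead to a .gov or .org site
# (assumed policy list; adjust per organization).
EXPECTED_TLDS = {"gov", "org"}
# Public link shorteners hide the real destination (constructed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def triage_qr_url(url, expected_tlds=EXPECTED_TLDS):
    """Red flags for a URL decoded from a QR code; an empty list means none raised."""
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        # Bare text such as "passportlab.xyz" has no scheme and no host to check.
        return ["no host found; refuse to open"]
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username or parts.password:
        flags.append("credentials embedded in URL")
    if host in SHORTENERS:
        flags.append("link shortener hides destination: " + host)
    if "xn--" in host:
        flags.append("punycode host, possible lookalike domain")
    tld = host.rsplit(".", 1)[-1]
    if tld not in expected_tlds:
        flags.append("unexpected top-level domain ." + tld)
    return flags
```

The check is advisory: a clean result means the URL matches expectations, not that the site is safe.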

When in doubt, says Digital River’s Mr. Cheung, go old school. “QR codes usually have redundant options,” he says, so ask for a printed menu or pay with cash. “Anything that can be encoded, people will figure out how to turn into a scam,” says Mr. Benjamin.

Help protect against harmful apps with Google Play Protect

Google Play Protect helps you keep your device safe and secure.
Source: Google Support

  • It runs a safety check on apps from the Google Play Store before you download them.
  • It checks your device for potentially harmful apps from other sources. These harmful apps are sometimes called malware.
  • It warns you about any detected potentially harmful apps found, and removes known harmful apps from your device.
  • It warns you about detected apps that violate our Unwanted Software Policy by hiding or misrepresenting important information.
  • It sends you privacy alerts about apps that can get user permissions to access your personal information, violating our Developer Policy.

Check your app security status

  • Open the Google Play Store app.
  • At the top right, tap the profile icon.
  • Tap Play Protect.
  • Under "Play Protect certification," find out if your device is Play Protect certified.

Turn Google Play Protect on or off

Important: Google Play Protect is on by default, but you can turn it off. For security, we recommend that you always keep Google Play Protect on.

  • Open the Google Play Store app.
  • At the top right, tap the profile icon.
  • Tap Play Protect and then Settings.
  • Turn Scan apps with Play Protect on or off.

Send unknown apps to Google

If you choose to install apps from unknown sources outside of the Google Play Store, turning on the “Improve harmful app detection” setting will allow Google Play Protect to send unknown apps to Google to protect you from harmful apps.

  • Open the Google Play Store app.
  • At the top right, tap the profile icon.
  • Tap Play Protect and then Settings.
  • Turn Improve harmful app detection on or off.

How Google Play Protect works

Google Play Protect checks apps when you install them. It also periodically scans your device. If it finds a potentially harmful app, it might:

  • Send you a notification. To remove the app, tap the notification, then tap Uninstall.
  • Disable the app until you uninstall it.
  • Remove the app automatically. In most cases, if a harmful app has been detected, you will get a notification saying the app was removed.

Phishing attempts against smartphones are on the rise. And those small screens aren't helping

We use smartphones for almost everything - cyber criminals know this and are looking to exploit it.
Source: Danny Palmer, The Wall Street Journal on March 19, 2022

Written by Danny Palmer, ZDNet, March 15, 2022
There's been a big rise in phishing attacks designed to specifically target smartphones as cyber criminals look to exploit our increased reliance on tiny screens. Previously, many phishing websites were device agnostic, set up to steal usernames and passwords regardless of whether the user was clicking the link from a computer or mobile. But cybersecurity researchers at Zimperium have analyzed hundreds of thousands of phishing websites and found that there's been a significant rise in websites designed specifically for mobile phishing attacks, now making up three-quarters of all phishing sites.

For example, the sender address is more prominent on a desktop browser than on a mobile, meaning that unless a user really examines the email, they might not notice it's being sent from a phony address. It's also more difficult to see the address of links on mobile devices. When using a laptop or desktop computer, the user can hover the mouse cursor over the hyperlink, which can reveal the URL – potentially alerting them to it being malicious, particularly if it features poor spelling or large strings of random text. It's much less intuitive to check links this way on smartphones, making users less likely to check where the email has really come from and more likely to click through if the lure is convincing.

While many phishing attacks arrive by email, targeting mobile devices also offers cyber criminals an expanded variety of attack vectors, including SMS messages, messaging applications, in-app chat links and more, all of which can be used to direct victims to malicious sites. Many of these mobile phishing websites are designed to look indistinguishable from the brand they're imitating. Some of the brands most commonly imitated by phishing websites include Microsoft, Amazon, Facebook, and PayPal, as well as a string of delivery companies related to the region being targeted.

"Distributed and hybrid workforces, ever-connected devices, high-speed 5G connectivity, and increased critical data access from remote locations have spread enterprises worldwide," said Shridhar Mittal, CEO of Zimperium. "Today's cybersecurity was not built to support these environments – and attackers know it. Organizations need to come to terms with how to effectively secure this new reality," he added.

Users can help to protect themselves from mobile-phishing attacks by being cautious about what links they follow. If an email alert or text message claims to come from a particular brand, rather than clicking the link in the email, it's often wiser to go to the actual website of the brand in your browser and log in to your account from there. For businesses, it can be helpful to roll out security protections to smartphones used by employees to help detect and prevent threats. The use of multi-factor authentication should also be encouraged because it provides an additional barrier to compromised usernames and passwords being exploited.

Anyone who suspects that one of their accounts has fallen victim to a phishing attack should immediately change their password.

How an 8-character password could be cracked in less than an hour

Advances in graphics processing technology have slashed the time needed to crack a password using brute force techniques, says Hive Systems.
Source: Lance Whitney, Tech Republic on March 7, 2022

Security experts keep advising us to create strong and complex passwords to protect our online accounts and data from savvy cybercriminals. And “complex” typically means using lowercase and uppercase characters, numbers, and even special symbols. But complexity by itself can still open your password to cracking if it doesn’t contain enough characters, according to research by security firm Hive Systems. As described in a recent report, Hive found that an 8-character complex password could be cracked in just 39 minutes if the attacker were to take advantage of the latest graphics processing technology. A seven-character complex password could be cracked in 31 seconds, while one with six or fewer characters could be cracked instantly. Shorter passwords with only one- or two-character types, such as only numbers or lowercase letters, or only numbers and letters, would take just minutes to crack.

On the plus side, even simpler passwords with a greater number of characters are less vulnerable to cracking in a short amount of time, according to Hive’s research. An 18-character password with just numbers would require three weeks to crack, but one with the same number of characters using lowercase letters would take 2 million years to crack. This piece of data shows why passphrases, which use a long string of real but random words, can be more secure than a complex but short password.

A hacker aiming to crack complex yet short passwords quickly enough would need the latest and most advanced graphics processing technology. The more powerful the graphics processing unit, the faster it can perform such tasks as mining cryptocurrencies and cracking passwords. For example, one of the top GPUs around today is Nvidia’s GeForce RTX 3090, a product that starts at $1,499. But even less powerful and less expensive GPUs can crack passwords of a small length and low complexity in a relatively short amount of time.

Hackers who don’t have the latest and greatest graphics processing on their own computers can easily turn to the cloud, according to Hive. By renting computer and graphics hardware through Amazon AWS and other cloud providers, a cybercriminal can tap into multiple virtual instances of a powerful GPU to perform the password cracking at a fairly low cost. Due to the progress in graphics technology, most types of passwords require less time to crack than they did just two years ago. For example, a 7-character password with letters, numbers and symbols would take 7 minutes to crack in 2020 but just 31 seconds in 2022. Given these advances in technology, how can you and your organization better secure your password-protected accounts and data?

Here are a few tips.

  • Use a passphrase instead of a password. A passphrase is a long string of often random words. Passphrases are often more secure than passwords and are usually easier to remember. For example: “sunset-beach-sand” uses words and a dash to separate each word and would take 2 billion years to crack, according to Security.org.
  • Use a password manager. Since creating and remembering multiple complex and lengthy passwords on your own is impossible, a password manager is your best bet. By using a password manager for yourself or within your organization, you can generate, store and apply strong passwords for websites and online accounts.
  • Use a strong master password. If you do adopt a password manager, you’ll want to protect your stored passwords as effectively as possible. The way to do that is through a strong master password. Create a complex and long password or passphrase that you can remember.
  • Test your passwords. To gauge the strength of a potential password, enter it at a site such as Security.org. The site will tell you how long it would take to crack that password.
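An added example, not from the article or from Hive Systems, that works through the keyspace arithmetic behind the length-versus-complexity point above. It also models an attacker who guesses whole dictionary words rather than single characters, which a per-character estimate such as the one quoted for “sunset-beach-sand” does not cover. The guess rate and the 7776-word list size are assumptions, and the article's specific crack times are not reproduced.

```python
import math

# Alphabet size per character class: 10 + 26 + 26 + 33 = 95 printable ASCII
# characters (space counted as a symbol). The Hive Systems timings quoted in
# the article rest on their own hash-rate assumptions and are not reproduced.
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "symbols": 33}

# Assumed attacker throughput for illustration only (not a figure from the page).
ASSUMED_GUESSES_PER_SECOND = 1e12
# Assumed size of the word list an attacker would use against passphrases.
ASSUMED_WORDLIST_SIZE = 7776


def classes_present(password):
    """Character classes the password actually contains."""
    found = set()
    for ch in password:
        if ch.isdigit():
            found.add("digits")
        elif ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        else:  # punctuation, space and non-ASCII all counted as symbols
            found.add("symbols")
    return found


def char_keyspace(length, classes):
    """Candidates to try when guessing character by character."""
    return sum(CLASS_SIZES[c] for c in classes) ** length


def word_keyspace(num_words, list_size=ASSUMED_WORDLIST_SIZE):
    """Candidates to try when guessing whole words from a known list."""
    return list_size ** num_words


def entropy_bits(space):
    return math.log2(space)


def seconds_to_exhaust(space, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case: every candidate tried once at the assumed rate."""
    return space / rate


def assess(password, separator="-"):
    """Strength under both models; the attacker picks the weaker one."""
    char_space = char_keyspace(len(password), classes_present(password))
    words = [w for w in password.split(separator) if w]
    if len(words) > 1 and all(w.isalpha() and w.islower() for w in words):
        word_space = word_keyspace(len(words))  # passphrase of plain words
    else:
        word_space = char_space  # no word structure to exploit
    effective = min(char_space, word_space)
    return {
        "char_bits": round(entropy_bits(char_space), 1),
        "word_bits": round(entropy_bits(word_space), 1),
        "effective_bits": round(entropy_bits(effective), 1),
        "seconds": seconds_to_exhaust(effective),
    }
```

Run assess("sunset-beach-sand") and the per-character figure is around 100 bits while the three-word model gives under 40, which is why a passphrase should use more words than that, or words drawn from a larger list.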