Hackers use familiar brands like Dropbox to steal login credentials and spread malware
It’s funny how hackers, phishers and scammers can be blatantly obvious and inexplicably unpredictable at the same time. Obvious, because they target the most widely used services and platforms, and plenty of people know what they’re up to: not just security professionals, but many ordinary users know about these phishing scams and what to look for. Phishers may be predictable in going after big names, but it’s the unpredictability of their approaches that makes them tick. Time after time they come up with new twists that get them exactly what they want and make them “successful.” The Dropbox phishing scam is a perfect illustration of this.
The Dropbox phishing scam surfaced around a year ago and made headlines in many popular publications. It hasn’t gotten as much attention recently, but even after a year, attackers are still targeting users with this same old trick. And therefore, you need to know about it.
Let’s hash it out.
Dropbox Phishing: It All Starts with a Simple Email
This is how it all starts: you receive an email (plain text or HTML) from someone saying they have shared an important document with you. The email looks a lot like an official Dropbox notification and contains a link to access the document. To make it look authentic, some of these emails even include genuine Dropbox links in the footer. These
Here’s a pretty simple example:
Check the “From” Details Carefully
As you can see in the screenshot above, this phishing email shows “Dropbox” as the sender name. It’s easy to fall for, because the sender name and the email styling make it look like an actual Dropbox email.
However, if you look closely, you’ll see that the From address and the embedded link are clearly not Dropbox’s.
If you’re skimming through your email (as many of us do), though, it’s easy to fall for this Dropbox phishing scam. Once you click the link, you land on a web page that looks almost exactly like the real Dropbox login page.
More advanced Dropbox phishers take the scam to the next level…
Check URLs Carefully — Even If They Include “Dropbox”
Some Dropbox scammers carefully pick URLs that look official at first glance.
For example, they include familiar keywords such as “Microsoftonline” or “Dropbox” in the domain or a subdomain to make the link look genuine, even though the registrable domain (the part just before the .com or .net) belongs to the attacker:
HTTPS URLs Aren’t Always Safe
And the cherry on top is how phishers use fake HTTPS URLs. The link you’re being redirected to isn’t actually an HTTPS link: it has “https” in the link text, but not as the protocol. A site protected by an SSL/TLS certificate has a URL of the form https://www.(website name).com/, with the scheme before the “://”. The fake Dropbox URL looks like www.https-(fake website name).com, where “https-” is just the start of an attacker-controlled hostname. See the difference?
Another trick phishers have recently adopted is simply using a real HTTPS website. No, that sentence doesn’t contain a technical error; most phishing sites now serve HTTPS, because a domain-validated certificate costs nothing and proves only that the connection to that hostname is encrypted, not that the hostname belongs to Dropbox. Users are more likely to fall for it because they’ve been trained to look for the padlock.
Phishers are a Poor Man’s Magicians: Here’s How to Catch Them
What do magicians and phishers have in common? Both exploit our psychological limitations to distract us and make us look where they want us to.
The silver lining is that phishers are far from good magicians. A great magician takes their secrets to the grave, but with a bit of concentration and training you can catch almost every phisher.
So, here’s how you can CATCH the PHISHers (got it?).
Check the Email Address
First of all, always check the sender’s email address. Is the email from someone you know? Does it come from one of Dropbox’s (or whichever provider’s) official domains? This is the first thing to check, and you should go no further if the sender is unfamiliar and/or the domain isn’t on Dropbox’s list of official domains. In my experience, this one check will protect you from most email phishing attacks, since hackers shouldn’t be able to send from Dropbox’s official domains. Be cautious even when the address shows an official Dropbox domain, though: the From header is trivially forged, and some receiving mail servers don’t check SPF/DKIM (or enforce DMARC), so spoofed emails are let through. The reverse also holds: SPF and DKIM passing for an attacker’s own lookalike domain proves nothing, so what matters is whether the authenticated domain matches the one shown in From.
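To make the From-address check concrete, here is an added example in Python (not code from the original post, and not Dropbox’s own tooling) that pulls the From, Reply-To and Authentication-Results headers out of a raw message and applies the checks above. The allowlist of sender domains, the domain names and the two sample messages are constructed for the example; in practice you would swap in the provider’s actual published list of sending domains.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: a short allowlist standing in for Dropbox's published list of
# official sender domains.
TRUSTED_SENDER_DOMAINS = {"dropbox.com", "dropboxmail.com"}
BRAND = "dropbox"

# Constructed sample 1: lookalike sender domain with valid SPF/DKIM for the
# attacker's own domain, a "Dropbox" display name and a different Reply-To.
SAMPLE_LOOKALIKE = """\
Return-Path: <bounce@mailer-ops.example>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer-ops.example;
 dkim=pass header.d=mailer-ops.example
From: "Dropbox" <no-reply@mailer-ops.example>
Reply-To: docs@share-ops.example
To: victim@example.org
Subject: A document was shared with you

View the document: http://www.https-dropbox-share.example/login
"""

# Constructed sample 2: forged From: on an official domain, received by a
# server that did not evaluate SPF/DKIM (no Authentication-Results header).
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mailer-ops.example>
From: "Dropbox" <no-reply@dropbox.com>
To: victim@example.org
Subject: A document was shared with you

View the document: http://www.https-dropbox-share.example/login
"""


def domain_of(header_value):
    """Lowercased domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_sender(raw_message):
    """Return a set of finding codes for the sender and authentication headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = set()

    from_header = str(msg["From"] or "")
    display_name = parseaddr(from_header)[0].lower()
    from_domain = domain_of(from_header)

    # Check 1: is the visible From: domain on the provider's official list?
    if from_domain not in TRUSTED_SENDER_DOMAINS:
        findings.add("from-domain-not-trusted")
    # Check 2: the display name claims the brand but the address does not.
    if BRAND in display_name and BRAND not in from_domain:
        findings.add("display-name-brand-mismatch")
    # Check 3: replies silently routed to a different domain.
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.add("reply-to-domain-differs")

    # Check 4: what did the receiving server actually verify?
    auth = str(msg["Authentication-Results"] or "")
    if not auth:
        # No SPF/DKIM verdict was recorded, so a forged From: on an official
        # domain would have sailed through.
        findings.add("no-authentication-results")
    else:
        dkim = re.search(r"\bdkim=(\w+)", auth)
        signer = re.search(r"\bheader\.d=([\w.-]+)", auth)
        if not (dkim and dkim.group(1).lower() == "pass"):
            findings.add("dkim-not-pass")
        elif signer and signer.group(1).lower() != from_domain:
            # DKIM passed, but for a domain other than the visible From:, so
            # the signature says nothing about the sender the user sees.
            findings.add("dkim-domain-not-aligned")
    return findings


if __name__ == "__main__":
    for name, raw in (("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED)):
        print(name, sorted(check_sender(raw)))
```

The lookalike message comes back with three findings even though its SPF and DKIM both pass, because they pass for the attacker’s domain; the spoofed message has a trusted From: domain and no findings at all except that nothing was authenticated, which is exactly the case the caveat above warns about.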
Check the Link URLs
If the email passes the first check, then check the links in it:
- View the web page in your browser and check for “https” at the start of the URL. It should look like https://www.(website name).com/. (Note: Google Chrome hides the https:// in the address bar until you double-click into it.)
- Then go back to Dropbox’s list of official domains and check whether this domain is on the list; look at the registrable domain, not at a “dropbox” that appears somewhere in a subdomain.
- To double-check the site’s authenticity, you can also inspect the SSL certificate Dropbox uses. As you can see in the screenshot, Dropbox.com is protected by a DigiCert EV (Extended Validation) certificate issued to Dropbox, Inc. EV means that the certificate authority (DigiCert, in this case) verified the legal identity of Dropbox, Inc. before issuing the certificate, so it ties the hostname to a specific company. One caveat: Chrome and Firefox dropped the EV company-name indicator from the address bar in late 2019, so you have to open the certificate viewer to see it, and a lookalike domain with a free domain-validated certificate shows the very same padlock.
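Here is an added example (not from the original post, and not Dropbox’s own tooling) in Python that automates the link checks above: it pulls every link out of an HTML email body, confirms the scheme really is https rather than “https” sitting inside the hostname, compares the registrable domain against an allowlist, flags brand words such as “dropbox” or “microsoftonline” buried in an untrusted hostname, and flags anchor text that displays a different host than the one the href actually points to. The allowlist, the sample HTML, the example domains and the two-label domain extraction are assumptions made for the example (a production check would use the public suffix list); the certificate check is left to the browser’s certificate viewer.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short allowlist standing in for Dropbox's published list of
# official domains.
TRUSTED_DOMAINS = {"dropbox.com", "dropboxusercontent.com"}
# Brand words that phishers bury in subdomains of their own domains.
BRAND_KEYWORDS = ("dropbox", "microsoftonline")

# Constructed sample: one "https-in-the-hostname" link whose anchor text shows
# a real Dropbox URL, one genuine footer link, and one link that stacks brand
# words into the subdomain of an attacker-controlled domain.
SAMPLE_HTML = """
<p>A document has been shared with you.</p>
<p><a href="http://www.https-dropbox-share.example/login">https://www.dropbox.com/s/abc123</a></p>
<p><a href="https://www.dropbox.com/help">Dropbox help</a></p>
<p><a href="https://login.microsoftonline.dropbox-docs.example/auth">Open document</a></p>
"""


def registrable_domain(host):
    """Last two labels of the host. Simplification for this example: no public
    suffix list, so multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url):
    """Return a list of finding codes for one URL."""
    findings = []
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    # The scheme is what comes before "://", never a word inside the hostname.
    if parts.scheme != "https":
        findings.append("scheme-not-https")
    if not host:
        findings.append("no-host")
        return findings
    # https://www.dropbox.com@evil.example/ : everything before "@" is userinfo.
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        findings.append("domain-not-trusted")
        for keyword in BRAND_KEYWORDS:
            if keyword in host:
                findings.append("brand-word-in-host:" + keyword)
        if "http" in host:
            # www.https-(fake site).com : "https" is part of the hostname.
            findings.append("http-word-in-host")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def check_html_links(html):
    """Map each href to its findings, adding a finding when the anchor text
    shows a different host than the href actually points to."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = check_url(href)
        shown = text.lower()
        if "." in shown and " " not in shown:  # anchor text that looks like a URL
            shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
            real_host = (urlparse(href).hostname or "").lower()
            if shown_host and shown_host != real_host:
                findings.append("link-text-host-differs:" + shown_host)
        report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in check_html_links(SAMPLE_HTML).items():
        print(href, findings or ["ok"])
```

Note that the third link would pass a naive “does the URL contain dropbox.com” test and even a “starts with https://” test; only looking at the registrable domain catches it.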
What Could Happen If You Fall Victim to Dropbox Phishing
Dropbox holds the data of more than 500 million users and 200,000 businesses, and it’s the most significant cloud sharing and storage company in the world. A malicious file placed in just one employee account could be a brutal blow to the privacy of an entire organization. And it’s not just privacy: the existence of a business could be at stake, which is reason enough to take your Dropbox security seriously, don’t you think?
Unfortunately, that’s not where it stops. A phisher who has taken complete control of your account and its data could demand a significant ransom to give it back. Strictly speaking that is extortion rather than ransomware; ransomware is malware that encrypts your files and demands payment for the key, and the “shared document” in these emails is one of the ways it gets delivered. Either way, the attacker, not you, decides whether you see your data again.
The consequences of Dropbox phishing are even more brutal if you’re one of those people who use the same password pretty much everywhere: every account you have on the internet could end up in the attackers’ hands. Just think about it!
Hackers may also scan your account to automatically find valuable data in your saved documents. This could include customer data, payment details, login credentials for other platforms, or anything else sensitive you might have stored.
Last Word on Dropbox Phishing
All scammers — whether in the real world or online — take advantage of our human limitations. Either they make us see and feel something that isn’t there, or maybe they give us some lucrative incentive to distract us (we’ve all heard of the Nigerian Prince scam, haven’t we?). With a little bit of awareness and concentration, you can be a step ahead of all the phishers.
Tip of the day: Remember to look where you want to, not where they want you to.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Jay Thakkar. Read the original post at: https://www.thesslstore.com/blog/dropbox-phishing-scam-dont-get-fooled-by-fake-shared-documents/
View full post on National Cyber Security
Facebook ‘Secret Sister Gift Exchange’ Is Illegal Scam, Better Business Bureau Warns
A Facebook post that resurfaces around the holiday season has been declared as an illegal scam, according to the Better Business Bureau.
The post discusses the “Secret Sister Gift Exchange,” where participants are instructed to send one gift in order to receive up to 36 gifts in return. However, it’s easy to see that the math just doesn’t add up.
“These gift exchanges, while they look like innocent fun, are really pyramid schemes – and are considered illegal,” the BBB warns.
The gift exchange first became popular in 2015. Users were encouraged to invite others to participate in the exchange and were told that they would receive information on where to send the gifts.
Eventually, participants are instructed to send a modest gift to a stranger and to forward the email or social media invitation to their friends, family and contacts.
“The cycle continues and you’re left with buying and shipping gifts for unknown individuals, in hopes that the favor is reciprocated by receiving the promised number of gifts in return. Unfortunately, it doesn’t happen,” says the BBB.
In reality, the scheme relies on constant recruitment to stay afloat: everyone who expects 36 gifts needs 36 people below them to each send one. When people stop joining, the supply of gifts dwindles, letting down the many who were expecting gifts.
But it doesn’t end there: the information you provide during the exchange can easily end up in the hands of cyber thieves.
“When signing up, the alleged campaign organizer is asking for personal information such as a mailing address or an email,” says the BBB. “With just a few pieces of information, cyber thieves could expose you to future scams or commit identity theft.”
The BBB recommends keeping the following tips in mind should you receive an invitation to participate in an online gift exchange with people you don’t know:
- Ignore it. Pyramid schemes are illegal in the United States and Canada.
- Report social media posts inviting users to participate in the gift exchange.
- Avoid giving out personal identifying information to strangers.
- Be aware of false claims. Even invitations that claim to be legal and endorsed by the government are false, as the government will never endorse illegal activity.
Business Mail Compromise: 5 ways to detect this scam and what can be done to prevent it
Source: National Cyber Security – Produced By Gregory Evans. Millions of dollars and lots of personal information are being stolen by a growing threat known as Business Email Compromise (BEC). […]
Airbnb is having one hell of a week. A few days after the company announced a ban on party houses following a tragic shooting on Halloween that left five people dead, the short-term rental platform continues the damage control tour, this time in response to a nationwide scam involving fake listings. Now the company will seek to reauthenticate all seven million listings on Airbnb to ensure they are accurately advertised and meet the company’s standards, the most significant redesign since the brand first started in 2008.
Allie Conti, in a report published by Vice, experienced first-hand an extensive and quite complicated Airbnb scam that left her, and others using the platform, out of a significant amount of money and forced to relocate to expensive hotels on short notice.
Here’s the long and short of it: Minutes before Conti was set to check-in to an apartment she rented on the platform she received a call from the host alerting her that sudden plumbing issues made it so that staying at the listing would be impossible. Luckily, the host had another listing she could stay at that was bigger and wouldn’t cost her anything extra. Unfortunately, the house ended up being a flophouse with a hole punched wall, eerily arranged furniture, and a few other gritty elements that prompted Conti to check-in to a nearby hotel. But because she’d agreed to the change of venue and stayed for a night, she was only able to recoup just $399 of the $1,221.20 she spent.
After Conti returned home, she went over the events surrounding her loss and started to see the red flags surrounding the situation. With some digging, she uncovered a deep web of deception that involves fake companies, fake names, stock photos, and intimidation — the whole thing is a fascinating and disturbing read. In response to the controversies, Airbnb CEO and co-founder Brian Chesky wrote in a company email sent out on November 6th, “Starting now, verification of all seven million listings on Airbnb will commence… We believe that trust on the Internet begins with verifying the accuracy of the information on Internet platforms, and we believe that this is an important step for our industry.”
It’s a process Chesky hopes the company can get done by December 15th, 2020, and he laid out a four-part plan that begins with re-verification and includes a new guest guarantee that provides a full refund for any listing that doesn’t meet accuracy standards, a 24/7 rapid response team that can address any listing at any time, and stricter standards for “high-risk” listings that can lead to unauthorized partying.
In the company email, Chesky also said “Today, we are making the most significant steps in designing trust on our platform since our original design in 2008.” With 12 years under its belt, Airbnb was well overdue for an overhaul as the platform is no stranger to scams — there’s even a website dedicated to Airbnb scams and horror stories. Scary as the prospect of being caught up in a scam is, these sweeping changes to Airbnb’s platform are only a good thing for all potential travelers.
The post Airbnb Will Now Verify Each Listing After Vice Uncovered A Scam appeared first on National Cyber Security.
Netflix email scam tells victims to ‘update your payment information’, news update
Source: National Cyber Security – Produced By Gregory Evans. If you receive an email from Netflix telling you to update your payment information immediately, you could be the victim of a sophisticated new scam. The streaming giant has once again been embroiled in a phishing email scam, which uses the same branding and username seen with […]
Camden County residents are being warned about a new scam that targets your cellphone
Source: National Cyber Security – Produced By Gregory Evans. CAMDEN COUNTY, Ga. – We’re always on our smartphones so it’s easy to let our guard down, opening the door for scammers. Now, our cash and identity can be at risk […]
Watch out for this iPhone call scam, prominent Germans hacked, Android spyware found and an Acrobat update.
Apple iPhone users should be on the lookout for a phone phishing scam. According to security writer Brian Krebs, it works like this: you get a call and, when you look at the phone’s screen to see who it is, the Apple logo, Apple’s real phone number and real address are displayed, because the caller ID has been spoofed. The target in this case didn’t answer, so a message was left asking her to call a 1-866 number, which probably led to a scammer who would have asked for personal information. So iPhone users, ignore calls purporting to be from Apple: Apple won’t phone you. And whatever phone you use, hang up on anyone who asks for personal information or passwords.
Hackers have somehow gained access to private emails, memos and financial information of hundreds of German politicians, reporters, comedians and artists, and published it through a Twitter account. At this point nobody knows whether this was the work of a mischievous activist or a foreign country, or exactly how it was done. But British security writer Graham Cluley suspects the victims fell for a phishing lure and gave away a password to one of their email or social media accounts, and the hacker went from there. Victims may also have reused the same password across accounts, which makes a hacker’s job easier. If so, it’s another example of why you shouldn’t use the same password on more than one site and, where possible, should enable two-factor authentication so someone else can’t log into your account. Two-factor authentication usually sends a six-digit code to your smartphone that you must enter in addition to your password. Check your applications’ settings to see if you have it.
UPDATE: According to the Associated Press, a popular German YouTube contributor who was victimized said the perpetrator somehow first gained access to his email account and then convinced Twitter to disable a second security check — presumably two-factor authentication — required to take control of his account on the social networking site.
Twitter didn’t immediately respond to a request for comment and it wasn’t clear how many of those affected by the leak had such “two-factor authentication” enabled for their email or social media accounts, and whether the hacker similarly managed to bypass it.
As hard as Google tries to keep malware out of the Google Play store, criminals manage to find ways to evade detection. Trend Micro reports it discovered spyware hidden in six seemingly legitimate Android applications, including a game called Flappy Bird, a presumed copycat called Flappy Birr Dog, FlashLight, Win7Launcher and others. All have been removed from the app store. The spyware would have stolen information such as user location, text messages, contact lists and device information, and tried to phish for passwords. Owners of any computing device have to be cautious when deciding what to download, advises Trend Micro.
Finally, Adobe usually issues security updates on the second Tuesday of the month, which is tomorrow. However, it has already issued an emergency patch for Acrobat and Acrobat Reader. So if you use either of these applications check you have the latest versions.
When tax preparer Annette Kraft in Duncan, Oklahoma, checked the status of her clients’ tax returns in January, she was surprised to find all of them had been rejected.
“The code was 902-01,” she said. “That means someone else has already filed a tax return.”
It turns out her clients were victims of a new tax scam intended to cheat them out of their refunds. The criminals get their hands on returns from previous years, then use that information to file new fraudulent returns on unsuspecting victims. After the refund goes into the victim’s bank account, the crooks, posing as debt collectors for the IRS, follow up with a phone call claiming the refund was an error, then directing them to a fraudulent website to return the money.
“I had about $9,015 more than I anticipated,” said Duncan police officer David Woods.
He discovered that supposed refund one day as he checked his bank balance, but it didn’t make sense because he hadn’t filed his taxes yet.
“I didn’t get my W-2 to file my taxes,” Woods said.
He returned the money to the government, but now the IRS says his real refund of $3,000 will be delayed, possibly for months. He’s not alone.
At the local tire shop, 49-year-old Jerry Duvall told us his $5,800 refund is more than two months late.
“We planned on taking care of expenses, getting caught up on bills and we counted on it,” Duvall said.
He missed a $200 car payment, and on the very day we spoke with him, he told us his car was getting repossessed.
At least 230 of Kraft’s clients have been hit and face months of delays. Taxpayers like 91-year-old Ray Prothro found out about the scam from the IRS while we were there.
“They ought to go to jail,” Prothro said.
It’s not just one tax preparer in Duncan. There may be as many as 100 tax preparers across the country affected by this scam. Those are just the ones that they know of, so the real number could be tens of thousands of taxpayers.
IRS agents showed us where criminals buy those tax returns on the dark web. One seller offered an example: A Midwestern couple’s full 2016 tax return.
As for Kraft, she says the scam has turned her business upside down.
“My clients are more like a family,” Kraft said. “I want them to know that they can trust me, that I can trust them, it hurts.”
Although the IRS says preparers are the ones being hacked, Kraft’s own experts told her she was not hacked. But the IRS says there are a variety of ways for hackers to break in and steal information.
If you see an unexpected refund pop into your account, call your bank and the IRS, and get the money sent back to the Treasury. If you keep money you’re not entitled to, the IRS will require you pay it back.
The post New #tax scam #targeting preparers #tricks #clients with #fraudulent #returns appeared first on National Cyber Security Ventures.
View full post on National Cyber Security Ventures
Source: National Cyber Security – Produced By Gregory Evans. In this year of horrendous cyberheists, Equifax the most prominent, you’ve probably taken at least a few precautions: changed passwords, stopped opening files and links from unknown senders, upgraded your computer security measures, maybe put a freeze on your credit reports. But if you’re […]
A new Ethereum phishing campaign targeting users of the online Ethereum wallet website MyEtherWallet.com has been uncovered. The scam saw hackers make away with over $15,000 (£11,308) in just two hours.
According to security researcher Wesley Neelen, who identified the campaign when he received one of the phishing emails himself, the hackers sent emails purporting to come from MyEtherWallet.com. The emails were designed to trick victims into clicking malicious links that redirected them to a fake version of the site, where they were prompted to enter their wallet passwords, which the hackers then used to transfer out all the coins in the victims’ wallets.
Although the fake site was designed to look like the legitimate one, keen observers might notice a small comma beneath the “t” in the site’s address. According to Neelen, the criminals used an IDN homograph trick: they registered a domain containing a Unicode character that looks almost identical to the Latin “t”, so the name renders like MyEtherWallet.com while actually being a different domain that resolves to the attackers’ server. That is what allowed them to create a fake site that convincingly passes for the legitimate one.
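An added example (not from Neelen’s write-up) in Python showing how to spot this kind of lookalike: it converts a hostname to the punycode (xn--) form that DNS actually resolves, lists every non-ASCII character with its code point and Unicode name, and strips combining marks to see whether the name collapses onto a known brand. The page does not say which character the attackers used; the example assumes U+021B (Latin small letter t with comma below) to match the description, and the brand list is constructed.

```python
import unicodedata

# Assumption: the page does not give the exact character used in the
# campaign; U+021B (Latin small letter t with comma below) matches the
# "small comma beneath the t" description. The brand list is constructed.
LOOKALIKE = "mye\u021bherwallet.com"
KNOWN_BRANDS = {"myetherwallet.com"}


def strip_marks(text):
    """Decompose (NFKD) and drop combining marks, so 't with comma below' -> 't'."""
    return "".join(
        ch for ch in unicodedata.normalize("NFKD", text) if not unicodedata.combining(ch)
    )


def to_punycode(host):
    """The ACE (xn--) form that DNS resolves and that browsers may show instead."""
    return host.encode("idna").decode("ascii")


def homograph_report(host, known_brands):
    """Describe whether a hostname is a diacritic lookalike of a known brand."""
    host = host.strip().rstrip(".").lower()
    report = {
        "host": host,
        "is_ascii": host.isascii(),
        "punycode": to_punycode(host),
        "non_ascii": [],
        "lookalike_of": None,
    }
    for ch in host:
        if ord(ch) > 0x7F:
            report["non_ascii"].append((ch, "U+%04X" % ord(ch), unicodedata.name(ch, "?")))
    skeleton = strip_marks(host)
    # Only a lookalike if removing marks changes the name AND lands on a brand.
    if skeleton != host and skeleton in known_brands:
        report["lookalike_of"] = skeleton
    return report


if __name__ == "__main__":
    for name in (LOOKALIKE, "myetherwallet.com"):
        r = homograph_report(name, KNOWN_BRANDS)
        print(r["host"], "->", r["punycode"], r["non_ascii"], r["lookalike_of"])
```

Stripping combining marks only catches diacritic lookalikes like this one; substitutions such as Cyrillic “а” for Latin “a” survive NFKD, so a full check also needs a confusables table (Unicode TR39) or a mixed-script test, which is why the punycode form and the per-character listing are printed as well.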
According to Neelen, some people have unfortunately already fallen victim to the scam. Neelen and his colleague Rik van Duijn, discovered a log file that contained a list of all the wallets stolen by the hackers. The security experts determined that the cybercriminals had stolen a total of $15,875.65 in Ethereum and had then proceeded to transfer the stolen coins to three different wallets operated by the hackers.
Ethereum’s growing popularity has made it an attractive target for cybercriminals. So far, there have been around four incidents involving hackers stealing millions of dollars worth of ether from various wallets. Oddly, in one such Ethereum heist, a hacker who stole nearly $7m of Ethereum from CoinDash later returned around $3m in stolen funds, sparking further mystery about the heist.