Don’t fall for this VPN scam, huge attacks on WordPress sites and lessons from a data breach
Welcome to Cyber Security Today. It’s Friday June 5th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Criminals are taking advantage of the increasing use of virtual private network software by people working at home to spread malware. A VPN may be required by employers for safely logging into company applications. Knowing that, hackers are sending targeted email to people pretending to be from the IT department of their employer. The message suggests the included link is for a VPN software update. To get it the victim is asked to click on the link and log in. But according to a security firm called Abnormal Security, which discovered the scam, the link goes to an Office 365 website that captures the victim’s username and password. Some 15,000 fake update messages have gone to Office 365 users.
What should you do? First, if your employer doesn’t require you to have a VPN, ignore messages like this. Second, whenever you get any email with a link, check where the email came from. It’s easy for the sender’s name to be a fake, but the full email address of the sender will show where it really came from. Sometimes the email address is a giveaway: it’s so different from what you expect. Other times criminals make the effort to register a look-alike domain, so ask yourself if it’s the same email address you usually get messages from for that company or friend. Security experts constantly emphasize the need to be careful with any message that has a link. When in doubt, phone your company or friend for confirmation — don’t use the phone number in the email. And if in doubt, rather than clicking on a link, go to your company website and log in. If the update is legit it will show up there.
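The advice above, checking the real address behind the display name and spotting look-alike domains, as an added example that is not part of the original podcast or any product mentioned in it. The trusted domain, the confusable-character table and the sample headers are constructed for the example; the "within two edits" threshold is an assumption that may be too loose for very short domains.

```python
from email.utils import parseaddr

# Constructed for this example: domains the recipient normally gets mail from.
TRUSTED_DOMAINS = {"examplecorp.com"}

# Small, hypothetical table of characters criminals swap into look-alike names.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain of the real address; the display name is ignored because it is trivially faked."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def normalize(domain):
    # Undo common glyph substitutions so "examp1ecorp" compares equal to "examplecorp".
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'trusted-subdomain', 'look-alike', 'unknown' or 'malformed'."""
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if domain.endswith("." + t):
            return "trusted-subdomain"
        label = t.split(".")[0]
        # Same name with confusable glyphs, a one- or two-character typo,
        # or the real name buried inside a longer domain the attacker controls.
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 2 or label in domain:
            return "look-alike"
    return "unknown"
```

Run it over the From header of a suspicious message; anything other than "trusted" or "trusted-subdomain" is a reason to log in through the company website instead of the link.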
With people worried about the pandemic there are not only email scams but phone scams as well. A person I know got one this week that claimed to be from “region health care” doing a “health awareness.” The questions started with “How do you keep yourself active during the day?” Probably the conversation would have led to being offered medical products for a donation, or a COVID-19 test kit for a fee. Be suspicious of calls that ask for personal information.
A few months ago the Zoom videoconferencing service was criticized for not being up front with customers about the level of protection it offers. While there is encryption, it’s not end-to-end encryption, leaving the possibility a session can be overheard by others. Zoom CEO Eric Yuan said the company would toughen protection in a number of ways. But this week he said the upcoming end-to-end encryption would only be available to paying customers. Those using the free service get existing encryption, which is a lower level of protection. Keep that in mind if you or your company needs a conferencing solution with the best protection because conversations involve personal or financial topics.
Last weekend someone launched a huge wave of attacks on 1.3 million websites running the WordPress content management system. This automated attack came from 20,000 different Internet addresses, probably infected computers and routers. What the attacker was trying to do was exploit holes in older WordPress plugins and themes to access database contents such as customer names, passwords and credit card numbers. Plugins that had been recently patched were safe. It’s another example of why regular patching of your applications is vital. In fact, Roger Grimes, a defence evangelist at a security awareness firm called KnowBe4, noted this week that up to 40 per cent of data breaches could be blamed on unpatched software. He says the biggest problem is people falling for phony pitches in email and text messages.
That doesn’t mean other serious mistakes don’t cause data breaches. Here’s an example: San Francisco’s Employees’ Retirement System admitted this week it suffered a data breach. Why? Because an outside company that works on the system was allowed to use a real database with 74,000 member accounts on a test system. That was the first mistake: test data should never be real data. Second, the outside company didn’t secure its server properly and the database was hacked. That happened in February. The outside company didn’t realize it had been hacked until almost a month later. Lesson to all companies: test data has to be anonymized or encrypted, and anything that runs on a test server has to be secured.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.