Data Privacy week reminder, corporate Instagram accounts held for ransom, and more
Welcome to Cyber Security Today. It’s Wednesday, January 26th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
This is Data Privacy Week, culminating in Data Privacy Day on Friday. I’ll have a few stories on ITWorldCanada.com aimed at businesses and data privacy professionals. Meanwhile, some experts have sent me things for listeners to think about: Jason Needham, CEO of Cloudentity, says that if firms haven’t already done so, they should have an open dialogue with employees about data privacy. That conversation must start at the leadership level. A user’s experience around their privacy preferences is now critical to a company’s bottom line, he says. Keith Nelson, technical evangelist at CloudSphere, says data asset management has to be a firm’s top priority. If you don’t know where and what your data is, you can’t protect it.
Meanwhile, Canada’s federal privacy commissioner wants parents to remind children how to protect their privacy. The office has a blog showing how a family can have a tech talk about privacy, and a graphic novel aimed at kids aged eight to 10 on how to recognize the risks of being active online. For more, go to the Office of the Privacy Commissioner of Canada.
Organizations make efforts to protect their servers and websites. They also have to protect their social media sites from being hacked. The latest threat has been identified by researchers at Secureworks. They’ve discovered a phishing campaign aimed at hijacking corporate Instagram accounts, as well as accounts of influencers who have a large number of followers. The threat actor then tries to extort payments from the victims to get back control of the accounts. The phishing messages seem to come from Instagram and pretend to be a warning about a potential copyright infringement. If a victim clicks on a link to find out what the allegation is, they see a message threatening to close the account unless they click on an appeal button. To get more information the victim has to fill in their password, which, of course, is what the crooks want so they can take over the account. Remember, use of multifactor authentication can reduce the odds of staff falling for this scam. But they also need to be reminded to watch for scams.
With many organizations using Google’s G Suite or Workspace for email and other communications, crooks are taking advantage by hosting malicious documents on Google Drive. That way they look like they come from trustworthy sources. To protect users, over the next two weeks Google will start inserting warning banners for files in Google Drive that appear to be phishing attempts or include malware. The Bleeping Computer news service notes Google announced this was coming in October.
Two weeks ago I reported that malicious QR codes were being pasted on parking meters in Texas. Now the FBI has given a general public warning not to take the safety of QR codes for granted. Crooks can churn out QR codes that include malware or lead to malicious links. These can be pasted on top of legitimate QR codes on restaurant menus, brochures, telephone poles or included in online ads purporting to be from legitimate companies. So if you scan a QR code, check the URL it goes to and make sure it’s the intended site. Think twice about entering your username and password or financial information on a site you get taken to after scanning a QR code. And you don’t have to download a scanner app. Most smartphones come with an app that works with the camera.
Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.