Still more COVID-19 scams, Tupperware hack and beware of free Best Buy USB sticks
Welcome to Cyber Security Today. It’s Friday, March 27th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The Google Play store is the safest place to get Android apps. However, that doesn’t mean everything in the catalogue is safe. Despite Google’s efforts, scammers can sneak in malicious apps before they are found and deleted. With people looking for apps that somehow help them during the coronavirus crisis, crooks have found a quick way to cash in — by changing the name of an existing malicious app in the store. A report this week from security vendor Bitdefender outlines some examples. A bad game called “Bubble Shooter Merge” changed its name to “Bubble Shooter Merge – Wash hands for Coronavirus.” That way it would show up high in Google Play search results for those looking for a virus-related app. The colourful thumbnail and screenshot of the app didn’t change, just the title. In addition to changing the title, some scammers have also changed their app screenshots in an attempt to fool more people. But the underlying bad app is the same.
Google is doing its best to clamp down on this. However, with scammers trying to take advantage of COVID-19 fears, you’ve got to be more careful than ever with what you download. There are lots of legitimate websites for you to use with accurate coronavirus information — the Red Cross, universities, public health authorities, established news sites like the CBC, CTV, CNN, the BBC, newspapers and others.
Here’s another COVID-19 scam: A text or social media notice is going around claiming that due to the coronavirus pandemic Netflix is giving out free passes. All you have to do is click on the link. This has the classic sign of a scam: It urges you to act quickly because the offer will end soon.
And there’s a report of a different type of scam: You type in an address for a website to go to and suddenly a web page pops up with a message allegedly from the World Health Organization. It asks you to download an app to get the latest information about coronavirus. You’ve already been hacked. Not your computer, your router — the little box that connects your computer to the Internet. The hack interferes with the way the router delivers the web page address you typed in. Attackers are going after routers made by Linksys and D-Link. They get into the router by breaking weak or reused login credentials. So make sure your router management login password is strong and is one you haven’t used anywhere else. And, if there is one, make sure the password to the router’s cloud account is also strong. Check your router instruction manual for details.
Have you bought Tupperware from the company’s websites lately? Your credit card information may have been stolen. According to security firm Malwarebytes, the Tupperware payment web pages were hacked, perhaps as early as March 9th. Customers should be on the lookout for messages from Tupperware warning them to get new cards. As I’ve said before, companies that sell products online have to keep a very close eye on their web pages to make sure they haven’t been hacked. One common way criminals get onto these pages is by guessing administrative passwords.
Because smartphones have location data, people have been thinking of ways mobile devices can be of use during this pandemic crisis. One way might be to notify people to stay away from someone who has been infected. That’s sparked fierce debates in some countries over whether government-approved apps will help people or be used for surveillance. Security reporter Graham Cluley says the Israeli government has released an app that shows how it could be done safely. First, many people volunteer to download the app. A person who has tested positive for COVID-19 agrees to have their location signal used by the app. Now, they’re supposed to stay home and not go out. If they go out with their phone, the app triggers a warning to others nearby, so those people know not to get close to them. What’s notable about this app is that no location data is sent to the government. Of course, if people with the virus stay home for 14 days, there’s no need for an app. The other thing is that if someone has the virus but hasn’t been tested, the app doesn’t help. Nor does it help if the infected person leaves the phone at home and goes out. This idea only works if there’s a huge amount of health testing and if there’s huge adoption of the app. But if the pandemic gets really bad, expect governments to ponder this kind of solution.
Finally, some scammers don’t do their dirty deeds just by email. They use real mail, too. Security company Trustwave has come across a scam where people get a letter in the mail supposedly from Best Buy with a $50 gift card and a free USB memory stick inside. The key supposedly has a list of products you can spend the money on. Actually, the memory stick is programmed to hack your computer. Not only should you not plug in unexpected USB sticks that you get in the mail, you also shouldn’t plug one in if it is offered to you at a convention or a fair, or if you find it on the ground.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.