Written by Phil Muncaster, guest writer at ESET
The new year is a new opportunity to rewire your digital life. An increasingly important part of this is cybersecurity. In fact, 2021 is already shaping up to have been one of the most prolific years yet for cybercriminals. Almost 19 billion records were exposed in the first half of the year alone. Better security should mean you’re more insulated from the risk of identity fraud and financial loss. The cost of these scams reached a record $56bn in 2020, with most of this coming online. Although the organizations you interact with have a duty, and often a legal responsibility, to keep your data protected, it’s important to do your bit.
If you’re still feeling reluctant to find new ways to protect your digital world, consider this: a third of US identity crime victims have claimed they didn’t have enough money to buy food or pay for utilities last year as a result of fraud, according to the U.S. Identity Theft Resource Center.
Be alert, be proactive and break these 10 bad habits to improve your cyber-hygiene in 2022:
Using outdated software
Vulnerabilities in operating systems, browsers, and other software on your PCs and devices are one of the top ways cyber-criminals can attack. The problem is that more of these bugs were discovered in 2020 than any year previously: over 18,100. That amounts to more than 50 new software vulnerabilities per day. The good news is that by switching on automatic update functionality and clicking through to update when prompted, this task needn’t intrude too much on day-to-day life.
Poor password hygiene
Passwords represent the keys to our digital front door. Unfortunately, as we have so many to remember these days – around 100 on average – we tend to use them insecurely. Using the same password for multiple accounts and easy-to-guess credentials gives hackers a massive advantage. They have software to crack weak encryption, try commonly-used variants and attempt to use breached passwords across other accounts (known as credential stuffing). Instead, use a password manager to remember and recall strong, unique passwords or passphrases. And switch on two-factor authentication (2FA) on any account that offers it.
Using public Wi-Fi
We’re all getting out-and-about more these days. And that brings with it a temptation to use public Wi-Fi. But there are risks. Hackers can use the same networks to eavesdrop on your internet usage, access your accounts and steal your identity. To stay safe, try to avoid these public hotspots altogether. If you must use them, don’t log in to any important accounts while connected.
Not thinking before clicking
Phishing is one of the most prolific cyber threats out there. It uses a technique known as social engineering, where the attacker tries to trick their victim into clicking on a malicious link or opening a malware-laden attachment. They take advantage of our hard-wired credulity and often try to force rapid decision-making by lending the message a sense of urgency. The number one rule to thwart these attacks is to think before you click. Double-check with the person or company sending the email to make sure it is legitimate. Take a breath. Don’t be pressured into taking over-hasty action.
Not using security on all devices
It goes without saying that in an era of prolific cyber-threats, you should have anti-malware protection from a reputable provider on all of your PCs and laptops. But how many of us extend the same security to our mobile and tablet devices? Research suggests we spend nearly 5,000 hours each year using these gadgets. And there’s plenty of opportunities to come across malicious apps and websites in that time. Protect your device today.
Using non-secure websites
HTTPS sites use encryption to protect the traffic going from your web browser to the site in question. It has two purposes: to authenticate that website as genuine and not a phishing or fraudulent web property; and to ensure cybercriminals can’t eavesdrop on your communications to steal passwords and financial information. It’s not a 100% guarantee nothing bad will happen as even many phishing sites use HTTPS these days. But it’s a good start. Always look for the padlock symbol.
Sharing work and personal lives
Many of us have spent a large part of the past two years merging a once clearly defined line between our work and our personal lives. As the line has become more blurred, cyber risk has crept in. Consider the use of work emails and passwords to register on consumer shopping and other sites. What if those sites are breached? Now hackers may be able to hijack your corporate account. Using unprotected personal devices for work also adds extra risk. Keeping business and pleasure discrete is worth the extra effort.
Giving out details over the phone
Just as email and SMS-based phishing use social engineering techniques to trick users into clicking, so voice phishing, also called vishing, is an increasingly popular way to elicit personal and financial info from victims. The scammers often disguise their real number to add legitimacy to the attack. The best rule of thumb is not to hand out any sensitive info over the phone. Ask who they are and where they’re calling from and then ring the company directly to check – not using any phone numbers provided by the caller.
Not backing up
Ransomware is costing businesses hundreds of millions annually. So it’s sometimes easy to forget that there are still variants lying in wait for consumers. Imagine if you were suddenly locked out of your home PC. All the data on it, and potentially cloud storage, could be lost forever – including family photos and important work documents. Regular backups, according to the 3-2-1 best practice rule, provide peace of mind in case the worst happens.
Not protecting the smart home
Nearly a third of European houses are fitted out with smart gadgets like voice assistants, smart TVs, and security cameras. But by fitting them with connectivity and intelligence, these devices also become a more attractive target for criminals. They can be hijacked and turned into botnets to launch attacks on others, or used as a gateway to the rest of your devices and data. To keep them secure, change default passwords on start-up. Also, be sure to choose a vendor who has a track record of fixing known vulnerabilities in their products and research potential security flaws before purchasing a gadget.
How Scammers Subscribe Mobile Users to Unwanted Paid Services
With an ever growing number of smartphone users, the development of mobile applications has become a booming industry. Today there are millions of apps, helping users with almost every c of their everyday life – from entertainment to banking and billing. With this in mind, cybercriminals are working hard to develop their own apps and benefit from unsuspecting users.
Kaspersky researchers have observed fraudsters actively spreading Trojans, which secretly subscribe users to paid services, disguised as various different mobile apps, including popular games, healthcare apps and photo editors. Most of these Trojans request access to the user’s notifications and messages, so that the fraudsters can then intercept messages containing confirmation codes.
Users aren’t knowingly subscribing to these services but are, rather, falling victim to carelessness. For instance, a user fails to read the fine print and, before they know it, they’re paying for a horoscope app. These victims often don’t realize these subscriptions exist until their mobile phone account runs dry earlier than expected.
According to Kaspersky researchers, the most widely spread Trojans that sign users up to unwanted subscriptions are:
Trojans from the Trojan.AndroidOS.Jocker family can intercept codes sent in text messages and bypass anti-fraud solutions. They’re usually spread on Google Play, where scammers download a legitimate app from the store, add malicious code to it and then re-upload it under a different name. In most cases, these trojanized apps fulfill their purpose and the user never suspects that they’re a source of threat.
So far in 2022, Jocker has most frequently attacked users in Saudi Arabia (21.20%), Poland, (8.98%) and Germany (6.01%).
MobOk is considered the most active of the subscription Trojans with more than 70% of mobile users encountering these threats. MobOk Trojan is particularly notable for an additional capability that, in addition to reading the codes from messages, enables it to bypass CAPTCHA. MobOK does this by automatically sending the image to a service designed to decipher the code shown .
Since the beginning of the year, MobOk Trojan has most frequently attacked users in Russia (31.01%), India (11.17%) and Indonesia (11.02%).
Vesub Trojan is spread through unofficial sources and imitates popular games and apps, such as GameBeyond, Tubemate, Minecraft, GTA5 and Vidmate. This malware opens an invisible window, requests a subscription and then enters the code it intercepts from the victim’s received text messages. After that the user is subscribed to a service without their knowledge or consent.
Most of these apps lack any legitimate functionality. They subscribe users as soon as they are launched while victims just see a loading window. However, there are some examples, such as a fake GameBeyond app, where the detected malware is actually accompanied by a random set of functional games.
Two out of five users who encountered Vesub were in Egypt (40.27%). This Trojan family has also been active in Thailand (25.88%) and Malaysia (15.85%).
Unlike the Trojans mentioned above, this one does not subscribe victims to a third-party service – instead it uses its own. Users end up subscribing to one of these services by simply not reading the user agreement carefully. For example, there are apps that have recently spread intensively on Google Play, offering to tailor personal weight-loss plans for a token fee. Such apps contain small print mentioning a subscription fee with automatic billing. This means money will be deducted from the user’s bank account on a regular basis without needing any further confirmation from the user.
“Apps can help us stay connected, fit, entertained and generally make our lives easier. There are multiple mobile apps appearing every day, for every taste and purpose – unfortunately, cybercriminals are using this to their advantage. Some of the apps are designed to steal money by subscribing users to unwanted services. These threats are preventable, which is why it’s important to be aware of the signs that give away Trojanized apps. Even if you trust an app, you should avoid granting it too many permissions. Only allow access to notifications for apps that need it to perform their intended purposes, for example, to transfer notifications to wearable devices. Apps for something like themed wallpapers or photo editing don’t need access to your notifications,” explains Igor Golovin, security expert at Kaspersky.
Here’s what you need to do, to stay protected:
- Checking the permissions of the apps you’re using and thinking carefully before granting additional permissions.
- Using a reliable security solution to help detect malicious apps and adware before they achieve their goals.
- Updating your operating system and any important apps as and when updates become available. Many safety issues can be solved by installing the updated versions of software.
Three Most Dangerous Types of Android Malware
Written by Lukas Stefanko, Malware Researcher at ESET
These days, the device in your pocket can do far more than call or send text messages. Your smartphone stores almost every aspect of your life, from memories, captured as photos to personal notes and schedules, log-in details, and various other kinds of sensitive data.
Android-powered devices command more than 70 percent of the mobile operating system market. Add to that the open nature of the Android ecosystem and it’s clearer why these devices bear the brunt of malicious attacks on mobile devices and remain a lucrative target for attackers.
Google has, of course, introduced a number of privacy- and security-enhancing features for Android devices. Just a few days ago, the company announced that it had stopped 1.2 million policy-violating apps from reaching Google Play last year, among other measures aimed at cracking down on malicious apps.
However, this is not to say you should let your guard down when it comes to all sorts of dangers that lurk especially in third-party app stores.
Malware comes in various forms and works in various vicious ways. Watch the video to learn more about some of the most dangerous types of malware affecting Android devices, including:
- Malicious software that can hold your device and data hostage, possibly “on behalf of the FBI”
- Malware that steals login credentials and can in some cases bypass two-factor authentication
- Android nasties that give hackers control over your entire device
Netflix Wants All of Us to Understand the Cost of Password Sharing
Written by Steven Hope, CEO, Authlogics
Have you ever shared your Netflix password? If so, you are not alone. But have you stopped to think about the impact it is having? Earlier this week, it was revealed that the streaming service has lost in the region of 200,000 of its 221 million global subscribers, with millions more expected to depart in the coming months. The resulting fall in the Netflix share price (at one point 35%) was a shock for many investors, but with many of us ‘boxsetted out’ by the pandemic, and a cost-of-living crisis looming for many, what can the company do to stem the tide?
It seems one of the big bugbears for Netflix is the habit of sharing account passwords and a survey conducted by time2play in the US, indicates just how widespread it has become. In fact, more than 50% of residents in 17 states including California, Illinois, Ohio, Texas, and Wisconsin, admitted to using another person’s Netflix account.
Some may argue that it is an innocent and victimless crime rather than theft. After all, Netflix’s revenue in 2020 was $24.9 billion, more than doubling since 2017, a trend not currently looking likely to continue. So, what harm does sharing a password with family and friends really do? Sure, the company may miss a ‘few’ dollars, Euros, pounds, and so on, but would those benefitting ever actually become a customer? I suspect for many the answer is no.
Speaking as someone that has spent over a decade campaigning for businesses and people in general to practice safe passwords, the Netflix situation highlights to me how little value is placed on the password, yet how costly they are. This is especially true if there is no perceived risk to the person who owns that credential. You only need to look at the lists of the top four passwords – “123456”, “123456789”, “Qwerty” and of course “Password” – to see how much effort goes into devising something un-hackable!
Poor password practice is of course not isolated to streaming services, it is commonplace in a busy workplace. How often have you said or been asked ‘Can I borrow your login details as mine are not working?’. To make matters worse, with so many people still working from home, usernames and passwords are copied and pasted into emails, SMS, and chats with little thought of the consequences.
So, when Netflix warned that prices would need to rise if the rules continued to be broken, I was struck by how they were able to communicate to the global masses in a matter of days, the link between password abuse and financial ramification, in a way that as security professionals we could never do. However, this may have the opposite effect as inflation is everywhere right now, and I suspect more subscribers may balk at an increase, cancel and switch to using illegal logins instead to cut their household costs.
The reality is that the likes of Netflix will struggle to move to a different authentication mode other than passwords for practical reasons. Would you use a streaming service that requires you to authenticate each time they want to watch, using a One Time Password, PIN, or Code for example? I think not.
While the suggestions of advertising revenue may seem to plug some of the Netflix revenue gaps, they ought to tread carefully. Paying customers don’t want to see ads, and some cost-conscious paying customers may well downgrade and accept ads to save money. However, I would urge Netflix to take a close look at technologies available that could protect its content from exploitation and piracy, without compromising the user experience of those who pay for it.
Whatever Netflix decides to do, it needs to do it quickly. The more all of us feel the squeeze on our finances the more likely we are to cancel such services or be willing to participate in the illicit sharing of passwords. But I would also urge any organisation that uses password-based logins to look at what is happening to Netflix and ask just how much is going on in your business?
Review: HONOR X9
HONOR launched its HONOR X Series a while ago and we had reviewed the X8, as well. This time around...
Review: Amazon Echo Show 10
The Amazon Echo Show 10 (3rd Gen) is the company’s new smart display and speaker, powered by the Alexa voice...
Video Review of the POCO F4 GT in the UAE
POCO’s new F4 GT is a gaming smartphone that packs in top-notch specs at a pocket-friendly price. The F4 GT...
Review: Samsung Galaxy Tab S8 Ultra
Samsung’s new Galaxy Tab S8 Ultra tablet is possibly one of the biggest out there on the market with a...
Review: Bose QuietComfort 45 Noise Cancelling Smart Headphones
Bose’s new QuietComfort 45 headphones replace the successful QuietComfort 35 II. The new pair of headphones come with noise cancellation...