PC PORTAL

Experienced. Trusted. Solutions.

social media

By

Charity Scams to Watch Out for During the Holidays

Reading Time: ~5 min.

‘Tis the season of giving, which means scammers may try to take advantage of your good will. A surprising fact about American donation habits is that everyday folks like yourself are the single largest driver of charitable donations in the United States. Giving USA’s Annual Report on Philanthropy found that individuals gave $286.65 billion in 2017, accounting for 70 percent of all donations in the country.

Last year, Giving Tuesday donations alone grew by 22 percent, with an average household donation of $111. With the seventh annual Giving Tuesday on November 27 fast approaching and technology that makes it increasingly easier to support your favorite causes, it’s more important than ever to keep your guard up before you click the “donate” button.

Charity Scams

Unsolicited donation requests are fairly normal during the holiday season —especially since non-profits depend on year-end giving for the success of their organizations—but look out for a few behaviors as red flags. Overly aggressive pitches including multiple phone calls and emails, or high-pressure tactics that require your immediate donation, should always be avoided. Be on high alert for “phishy” emails and links; make sure to check the sender’s email address and hover over links to reveal their true destination before clicking on them. Even if a website looks legitimate, it may be a spoofed. Check that the domain matches the company you intended to visit. This can be trickier than it sounds. For instance, stjudehospital.com may appear to be genuine, but an easy Google search of “St. Jude Hospital” reveals their actual site to be stjude.org.

If you’re donating to a charity you’ve never worked with before, do a little research before committing your funds. Charity Navigator is a particularly useful resource; just type in the organization’s name and check out their rating. If they are not listed on Charity Navigator, it’s probably best to err on the side of caution and donate your hard-earned dollars elsewhere. Also, be sure to only enter sensitive or personal information into websites that have an SSL certificate; you’ll be able to tell if a page is secure if the link begins with “https”. (This is a great tip for shopping online this holiday season too.) Finally, before making any online donations, make sure you have a strong antivirus program installed that can detect phishing sites and that it’s up-to-date on all your devices.

If you are contacted by a charitable organization by telephone and want to make a donation, don’t give them your credit details over the phone. Have them mail you a donation form for you to evaluate and mail back. Remember: no legitimate charity will ask you to wire them money or pay them in gift cards. If you encounter a charity that is urging you to do so, cut all contact and block them on all platforms.

Bear in mind that not all charity scams are out for money, either—some are hoping to skim personal information. There is absolutely no reason to provide a charitable organization with information like your Social Security Number or driver’s license number—these are major red flags. Also, be especially cautious of requests to send an SMS code to donate via text message.

Social Media Scams

Social media is an easy and typically secure way to donate to legitimate charitable organizations, but scammers know how to use these platforms as well. Social media scams are on the rise, but a little bit of common sense goes a long way with donations on social channels. If you’re looking to donate to someone through a crowdfunding site, be sure the campaign fully answers these questions:

  • Can you verify if the organizer of the campaign has an existing relationship with the intended donation recipient?
  • Is there a plan for how the funds be used to aid the intended recipient?
  • Are verifiable friends and family of the intended recipient making donations and leaving supportive comments?
  • How will the intended recipient access the funds?

If you cannot easily find the answers to these questions, we recommend you avoid donating to that campaign.

Another pervasive social media scam is celebrity imposters who pretend to raise funds for charities or disaster relief. These imposters use the familiar faces of some of our favorite media personalities to gain our trust and access our wallets. If you have been solicited by a celebrity for donations, stop and take moment before you give. Make sure it’s their official social media page, which can be often verified on Twitter and Facebook by a small blue checkmark next to their name. You may also Google the celebrity’s name and “scam” to see if others have already reported a trap.

Source: @PatrickDempsey on Twitter

Attacks Targeting Seniors

While scams that target our aging loved ones are a problem year-round, the Consumer Financial Protection Bureau says scammers tend to ramp up their efforts during the holidays to take advantage of seasonal generosity. Most charity scams that target seniors are similar to the ones we all face, including phishing emails, phishing sites, and false charities. However, “Grandkid Scams” are a unique variety.

For this type of fraud, an older adult is contacted by a someone pretending to be a family member in desperate need of money or assistance, often impersonating a grandchild. Speak with the older adults in your life about the common signs of scams, like misspelled emails and requests for wire transfers, and teach them how to hover over a link to check its destination. Remind them to verify whether a family member is reaching out for money, and check in with them more often leading up to the holidays to catch any potential security issues early.

Stop Attacks Early

Vigilance is key in stopping a potential security breach in its tracks. If you believe you may have unwittingly sent money to a scam charity, reach out to the organization you used to send the money, such as your bank or credit card company. Tell them the transaction was fraudulent and ask them to cancel it, if possible. If you believe your personal information was exposed, you can freeze your credit to prevent any long-term damage. Also, if you think you may have encountered a charity scam of any type, be sure to report it to the FTC to help keep others safe.

Even if you don’t think you have suffered a breach, keep an eye on your credit score and monitor your banking and credit accounts closely this holiday season. Paying a little extra attention will help you act quickly if your information has been compromised, potentially saving you and your family major holiday heartache. For an added layer of protection, secure all of your family’s devices behind a trusted VPN, which will keep your private data encrypted and safe should anyone try to intercept information you send over WiFi.

Do you know of a common scam we missed? Have some advice you think we should have included? Let us know in the comments!

The post Charity Scams to Watch Out for During the Holidays appeared first on Webroot Blog.

By

Cyber News Rundown: Facebook Reveals “Clear History” Feature

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Cyberattack Shuts Down Mexico Central Bank

Within the past week, several payment systems associated with Mexico’s central bank were compromised for an unspecified amount of time. The impacted systems led to delays with money transfers and processing of transactions for central bank customers, but officials claim no funds or data were stolen. It is still unclear how the attackers accessed the systems, though the issue has heightened awareness of possible security flaws.

Facebook Implementing History Removal Tool

In the wake of the data mishandling scandal that tarnished Facebook’s privacy standards, the company announced it’s working on a new tool that will allow users to clear browsing history and cookies from within Facebook, along with opting out of allowing Facebook to gather future browsing data. While this tool is still being created, Mark Zuckerberg has said Facebook hopes to give more privacy controls back to the users who trust the site.

Fitbit Adopts Google Healthcare API

Recently, Fitbit announced they will be integrating their current systems to incorporate the Cloud Healthcare API from Google in order to give healthcare providers better access to important data. Fitbit has been working towards this for some time by constantly improving their data analysis and providing better feedback to users and their health professionals. The partnership with Google’s API allows them to use an industry-compliant system, without the trouble of creating one from the ground up.

Northeast School District Pays Hefty Ransom

Following the April 14 cyberattack that encrypted much of a Massachusetts school district’s computer systems, local police recommended the district pay the $10,000 ransom to restore the system. While it paying ransoms is normally suggested only as a last resort, it would appear that the district wasn’t capable to restoring the systems on their own. In the end, it opted to pay the requested amount in hopes the criminals stay true to their word.

DVRs Being Compromised

A researcher recently released a tool that would allow anyone access to several brands of DVRs and illicitly obtain both device credentials and live video recordings. Using Shodan, the researcher was able to identify nearly 55,000 unique, accessible DVR devices that could be exploited with his tool using a previously discovered flaw for DVR devices.

The post Cyber News Rundown: Facebook Reveals “Clear History” Feature appeared first on Webroot Blog.

By

Cyber News Rundown: Hacktivists Strike YouTube Music Videos

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Music-Oriented YouTube Channels Hacked

Within the last week, hackers have defaced multiple YouTube music videos, focusing largely on Vevo channels with high view counts. Most of the videos were quickly taken down after suspicious upload activity was found on several accounts, leaving some videos with the statement “Free Palestine” in the description. Vevo worked quickly to resolve the defacement and is in the process of returning the affected videos to viewable status.

Pen Test Reveals Security Risks for Radar

Researchers have recently been working to determine if radar is truly secure, as industry professionals have claimed, since it doesn’t interact with the Internet. Unfortunately, after a bit of effort, these same researchers were able to successfully breach the core systems for radar on a Navy vessel and modify it enough to set the ship off course without raising alarms. The system, had it been maliciously compromised, could have easily run the ship aground or sent off on a dangerous interception course. In addition to taking control of the vessel, the researchers were also able to remove all radar detections and leave the ship effectively blind in the water.

Majority of Android Users Denied Consent to Facebook over Data Collection

In a recent survey, nearly 90% of the 1,300 users had refused consent to Facebook for collecting SMS and call data. Unsurprisingly, Facebook has replied that the choice was an opt-in rather than out and users should have been asked, though many agree that no choice had ever been presented to them. Some users have even reported seeing over two years worth of call and SMS data saved within their Facebook account’s data.

Facebook Announces Permissions Change

In the wake of the Cambridge Analytica fiasco, Facebook has made multiple changes to its policy on app permissions that collect user data. Any app that hasn’t been accessed within the last 90 days will require the user to go through the Facebook login page and re-consent to any data collection that may take place. These changes will not be immediate, but instead rolled out over a two-week period, giving users time to decide which apps they want to use and letting expired data tokens be deleted.

Department of the Interior Faces Malware Infection

Nearly three years after the data breach within the Office of Personnel Management, the Interior Department is still having issues with properly securing their systems. The latest internal threat stems from a US Geological Survey employee who was found to be watching pornography and saving the videos to an external hard drive, which led to their computer hosting Russian malware. This likely ties back to the department relying on automated security systems, rather than having trained personnel actively monitoring for malicious activity.

The post Cyber News Rundown: Hacktivists Strike YouTube Music Videos appeared first on Webroot Blog.

By

Cyber News Rundown: Linux OS Hacked onto Nintendo Switch

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Hackers Run Linux OS On Nintendo Switch

When gaming consoles get hacked, it’s usually by someone who wants to play pirated games. Not this time. Recently, a group of hackers found an exploit that allowed them to deploy a full Linux OS onto the Nintendo Switch. The flaw is contained within the specific Tegra X1 chips used by the Switch for core functionality. These are not easily patched and would likely require a recall if the flaw becomes a major problem.

California Employee Data Breach

Employees working in the Department of Fish and Wildlife for California were recently notified that their Social Security numbers had been exposed in a data breach from late last year. The breach appears to have stemmed from a former employee downloading the data and removing it from the premises, prior to having left the company. This type of breach is extremely common, as many companies don’t enforce more strict data policies for current and former employees.

Facebook Bug Spams Users With 2FA System

In the last week or so, several Facebook users have taken to other social media platforms to announce a nearly endless stream of spam being sent to the phone numbers they had used for 2-factor authentication. The spam then began posting the user’s replies to their Facebook wall, even after multiple attempts to stop the messages. While Facebook has since resolved the issue, they have remained vague about when they’ll finally discontinue the program functionality that caused the issue in the first place.

 

Don't Get Hacked

Crypto-miners Found on Tesla Servers

Following the breach of Tesla’s cloud server last year, company engineers have been discovering cryptocurrency miners on several of their internal servers. The initial breach occurred because their Kubernetes console lacked a password, and, once in, the hackers set up a complex mining operation that used multiple techniques to avoid detection.

FedEx Breach Exposes Personal Information

Over the last few days, officials have confirmed that over 119,000 individual forms of scanned identification belonging to Bongo International, an international sales broker that was bought by FedEx in 2014, were left exposed to the public. The data, which was found on an Amazon S3 server, was likely forgotten about amidst the acquisition and was available for an unknown amount of time.

The post Cyber News Rundown: Linux OS Hacked onto Nintendo Switch appeared first on Webroot Threat Blog.

By

Just Keep Swimming: How to Avoid Phishing on Social Media

From Facebook to LinkedIn, social media is flat-out rife with phishing attacks. You’ve probably encountered one before… Do fake Oakley sunglasses sales ring a bell?

Phishing attacks attempt to steal your most private information, posing major risks to your online safety. It’s more pressing than ever to have a trained eye to spot and avoid even the most cunning phishing attacks on social media.

Troubled waters

Spammers on social media are masters of their craft and their tactics are demonstrably more effective than their email-based counterparts. Up to 66 percent of spear phishing attacks on social media sites are opened by their targets, according to a report by ZeroFOX. This compares to a roughly 30 percent success rate of spear phishing emails, based on findings by Verizon.

In a whitepaper published last year, Facebook warned of cybercriminals targeting personal accounts in order to steal information that can be used to launch more effective spear phishing attacks. Facebook is taking steps to protect users’ accounts from hostile data collection, including more customizable security and privacy features such as two-factor authentication. The platform has also been more active in encouraging users to adopt these enhanced security features, as seen in the in-app message below.

Facebook In-Product Security Message

Types of social phishing attacks

Fake customer support accounts

The rise of social media has changed the way customers seek support from brands, with many people turning to Twitter or Facebook over traditional customer support channels. Scammers are taking advantage of this by impersonating the support accounts of major brands such as Amazon, PayPal, and Samsung. This tactic, dubbed ‘angler phishing’ for its deepened deception, is rather prevalent. A 2016 study by Proofpoint found that 19% of social media accounts appearing to represent top brands were fake.

To avoid angler phishing, watch out for slight misspellings or variations in account handles. For example, the Twitter handle @Amazon_Help might be used to impersonate the real support account @AmazonHelp. Also, the blue checkmark badges next to account names on Twitter, Facebook, and Instagram let you know those accounts are verified as being authentic.

Spambot comments

Trending content such as Facebook Live streams are often plagued with spammy comments from accounts that are typically part of an intricate botnet. These spam comments contain URLs that link to phishing sites that try to trick you into entering your personal information, such as a username and password to an online account.

It is best to avoid clicking any links on social media from accounts you are unfamiliar with or otherwise can’t trust. You can also take advantage of security software features such as real-time anti-phishing to automatically block fake sites if you accidently visit them.

Dangerous DMs

Yes, phishing happens within Direct Messages, too. This is often seen from the accounts of friends or family that might be compromised. Hacked social media accounts can be used to send phishing links through direct messages, gaming trust and familiarity to fool you. These phishing attacks trick you into visiting malicious websites or downloading file attachments.

For example, a friend’s Twitter account that has been compromised might send you a direct message with a fake link to connect with them on LinkedIn. This link could direct to a phishing site like the one below in order to trick you into giving up your LinkedIn login.

An example LinkedIn phishing site

While this site may appear to look like the real LinkedIn sign-on page, the site URL in the browser address bar reveals it is indeed a fake phishing site. 

Phony promotions & contests 

Fraudsters are also known to impersonate brands on social media in order to advertise nonexistent promotions. Oftentimes, these phishing attacks will coerce victims into giving up their private information in order to redeem some type of discount or enter a contest. Know the common signs of these scams such as low follower counts, poor grammar and spelling, or a form asking you to give up personal information or make a purchase.

The best way to make sure you are interacting with a brand’s official page on social media is to navigate to their social pages directly from the company’s website. This way you can verify the account is legitimate and you can follow the page from there.

The post Just Keep Swimming: How to Avoid Phishing on Social Media appeared first on Webroot Threat Blog.