New Facebook Chat Phishing Scam Discovered

If you have a Facebook account and follow the news, you have probably already heard of a new Facebook chat phishing scam devised by online criminals to get you to part with your credit card details.

It is no surprise that another Facebook chat phishing scam has been uncovered, but what is particularly interesting is the amount of effort that has gone into it. The latest campaign shows how sophisticated these scams are becoming, and how easy it is to fall for one.

Convincing Facebook Chat Phishing Scam Uncovered

The criminals behind the latest Facebook phishing scam are after a considerable amount of data: if successful, they will obtain credit card numbers, expiry dates, CSC codes, and login names and passwords. The scam was discovered by Kaspersky Labs, and it operates via the Facebook chat function. Phishing is more commonly associated with randomly sent spam emails, targeted emails and malicious websites, yet the techniques work equally well on social media sites. Perhaps even better, since a message arriving from a friend's account carries a trust that an unsolicited email does not.

In this case, the Facebook chat phishing scam is not just convincing, it is scarily good. The scammers compromise a Facebook account and change its display name to 'Facebook Security'. They then use the chat function to message everyone on that account's contact list, warning them that their own account has been compromised and will be shut down unless their login details are confirmed. Because the message appears to come from 'Facebook Security', it looks legitimate.

The message also contains a link that must be used to confirm the account details. Clicking it takes the soon-to-be victim to a mock-up of the Facebook site that looks reasonably legitimate. The victim enters their login credentials to access that site and, by doing so, hands the scammer their entire account, including their contact list. In this case that is not all. The fake website then asks the user to confirm their email password, compromising that account as well. Since many people reuse passwords across sites, other accounts can all too easily be compromised too. Kaspersky Labs has also reported that the scam then requires users to make a payment, for which they must divulge their credit or debit card number, expiry date and CSC code.

Of course, this last step should set alarm bells ringing, as Facebook does not charge users for its service. However, many will fall for the scam out of fear of losing their account. Sometimes reason flies out the window, and only after the information has been divulged do users wonder whether they have been scammed. Even if card details are not provided, the scammers will have the victim's contact list and can try the scam on others.

This scam is elaborate, but it relies on the user falling for the initial 'Facebook Security' message. Remember that Facebook, or any other reputable company, will not ask for a credit card number (plus expiry date and CSC code) to verify your identity. You should also bear in mind that it is not in Facebook's interests to shut down your account, and it is highly unlikely to do so and prevent you from ever regaining access. If an account warning worries you, open facebook.com directly in your browser rather than following a link from a chat message; a genuine security notice will be waiting there.

Be Wary Online – Criminals are Devising Ever More Complex Ways of Obtaining your Data

Phishing is used by online criminals to obtain your data, and the campaigns exploit both technical and social weaknesses. The situation is only likely to get worse, yet even with the current high risk of attack, not everyone is taking measures to protect themselves; in fact, many are leaving themselves wide open to identity theft and fraud. All it takes is one successful phishing scam and everything can be lost. For businesses the problem is just as bad: fraud and network damage can be considerable, and in some cases catastrophic.

Unfortunately for businesses, all it takes is one employee falling for a phishing scam for a network to be compromised, and that can come from a Facebook chat phishing scam just as easily as from a bogus email attachment. Once an attacker has a foothold on one PC, the network can be accessed and sabotaged, or data and corporate secrets stolen.

It is therefore vital for companies to take precautions. Training staff to recognise phishing is advisable, and refresher training essential, but to reduce how often employees' phishing-spotting skills are put to the test, it is also worth deploying web filtering and email security software.

Refuse to Pay a Ransom: Expect a Wave of Phishing Attacks

Ransomware is all the rage these days. Employees are fooled into downloading malware onto work computers, and the attackers lock company data with strong encryption. Once encrypted, the data can only be recovered with the decryption key, which is held by the attackers and will not be released unless a ransom is paid. Pay the ransom and the data will supposedly be decrypted. There is no guarantee that this will happen, of course, but companies are often left with no choice; tested offline backups are the one measure that takes that choice out of the attackers' hands.

Ransoms are also demanded following the theft of corporate data. The criminals responsible do not intend to use the data themselves; they just want a quick and easy payout. AmeriCash Advance, a well-known U.S. payday loan provider, was recently attacked and had customer data stolen by a hacking group called Rex Mundi.

The group demanded a ransom of $15,000, but AmeriCash refused to pay. The company had been warned that if it did not pay, the stolen data would be posted online, and loan applicants' and customers' financial information would be spread via Twitter and other social networks. That would put those individuals at high risk of fraud, identity theft, and targeting by phishers and scammers, and would likely result in customers taking their business elsewhere.

The refusal to pay means that is now likely to happen. Previous loan applicants and AmeriCash customers must therefore be on their guard.

How much risk do victims face?

The level of risk depends on what data were stolen. If credit card numbers, full bank account details, Social Security numbers and account logins have been compromised, the risk of identity theft and fraud is very high.

Anyone affected would need to place a credit freeze on their accounts, register for credit monitoring and be extremely careful about responding to emails and divulging information. In the case of the latest attack, the exposed data were the last four digits of individuals' Social Security numbers, the amount of money they requested or had been loaned, and their names and email addresses. Only a small quantity of data was stolen and, although customers are still at risk, it could have been a lot worse.

Anyone in possession of the data is unlikely to be able to steal the victims' identities without obtaining further information, such as the first five digits of the Social Security number and a date of birth. Criminals who have bought the data will likely try to obtain those details, and for that they will use phishing: the names, email addresses and loan amounts already in hand make a very convincing lure, and such campaigns are hard to tell from genuine correspondence.

What can be done to reduce risk following a successful cyberattack?

According to a report on CNet, AmeriCash did what all companies should do. It made sure its systems were secured to prevent further attacks, and the relevant authorities and law enforcement agencies were notified.

Customers also needed to be told that their data had been compromised and warned of the risk of phishing campaigns. That was also done.

Offering affected individuals free credit monitoring and identity theft resolution services can help reduce the fallout. Some state breach notification laws require this when Personally Identifiable Information (PII) or Protected Health Information (PHI) is exposed.

It is also wise to increase security measures to prevent future attacks. Web filtering and anti-spam solutions reduce the risk of data breaches, and can stop employees falling for the phishing campaigns that give hacking groups the information they need to gain access to corporate networks.

Have you Planned for the 2012 European Football Championships?

The European Football Championships are almost upon us, which is fantastic news for football (soccer) fans but terrible news for haters of 'The Beautiful Game'. It is also something of a nightmare for employers.

It is easier to manage than the World Cup, of course. There are only a few time zones across Europe, so wherever the games are played most kick-off times fall outside normal business hours. Unfortunately, standard business hours are becoming a thing of the past for many workers, and not all games are played in the evening. Many employees will face a dilemma: watch the game at work and risk the ire of an employer, or miss out on live football. A great many will choose the former, and will use streaming websites to watch the games live.

IT security risks are introduced during major sporting events

Major sporting tournaments have a knock-on effect on productivity, but that is a relatively minor issue compared to the increased network security threat from sports streaming websites. These sites breach copyright law, and their owners risk arrest, heavy fines and even prison. They must therefore make enough money to make that risk worthwhile.

To do this they show adverts. However, few people click on standard adverts; they visit the sites to watch sport, not to click links. So the site owners get sneaky: they make the adverts hard to close, scattering multiple 'X' buttons across them, each of which launches a pop-up. The average football addict ends up clicking on several adverts in an attempt to close them.

Cyber criminals are well aware of these tactics, and know that the ads will be clicked by everyone using the sites. If they can get their own adverts onto the ad networks those sites use, steering visitors to malicious websites could not be easier; the malicious content rides in with the third-party ads, so the streaming site itself never has to be compromised. More individuals inadvertently download malware, more computers are infected, and the criminals make more money.

So are the European Football Championships all bad news for employers?

The European Football Championships mean the owners of streaming websites make money; it's a win for cyber criminals and hackers, and great for football fans. Employers don't fare so well, and neither do IT security professionals: bandwidth is chewed up by employees streaming games, the malware risk increases, and it is a potentially unproductive few weeks.

That said, it's not all bad for employers. Research by Robert Half Technologies shows there are positives. In a poll of HR directors, 44% thought the European Football Championships would have a positive impact on morale and motivation, as happened during the Olympics. IT professionals were less enthusiastic: 57% will be banning access at work because of the network security risk and bandwidth issues.

A ban is easy to announce; all it takes is an email or a mention in a staff meeting. But how can it be enforced?

How can you block streaming websites, control Internet usage at work, and manage risk?

There are many ways to block website access, but they can be time-consuming to set up, and it is hard to block ALL the sites used for streaming: they change frequently, get shut down, and new ones open. Blanket bans can block legitimate websites, and setting rules in individual browsers is not an option; it is far too time-consuming, and too easy for users to change their own settings to regain access.

The best solution is web filtering software, which lets a system administrator control internet usage centrally. You could even block all games apart from those played by your home country. That level of control really is simple to achieve, if you have the right web filter installed.

SpamTitan Technologies web filtering solutions have highly granular controls, which will allow you to:

  • Block websites by domain, category, URL pattern, or content
  • Prevent users from downloading certain file types
  • Block or permit certain websites for specific groups or individuals
  • Set restrictions based on time-frames, for example allowing workers to stay after work to watch games but blocking access during working hours for groups or individuals
  • Prevent end users from visiting links to malicious websites
  • Block malicious adverts from being displayed
  • Block all streaming services, including music and video
  • Block online gaming websites
  • Compile reports to see who is trying to access banned sites.
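To make the group and time-frame controls in that list concrete, here is a small policy engine written as an added example for this page; it is not SpamTitan's code, and every host name, category, user, office-hours window and log entry in it is constructed. It applies first-match allow/deny rules (by category, domain or URL pattern, optionally scoped to a group and to working hours) to a handful of constructed access-log lines and produces the 'who tried to reach banned sites' report the last bullet describes. An explicit allow for the official tournament site placed ahead of the streaming deny shows how to avoid the blanket-ban problem mentioned earlier, and the URL-pattern rule catches a stream manifest on a host the category database has never seen, which is the case that matters when streaming sites keep changing.

```python
"""Toy web-filter policy engine: first-match allow/deny rules by category,
domain or URL pattern, scoped to user groups and working hours, plus a
report of who tried to reach banned sites.
Added example for this page, not SpamTitan's code; every host, category,
user and log line below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional
from urllib.parse import urlparse

# Constructed category database keyed by domain suffix. The official
# tournament site has deliberately been lumped in with "streaming" here:
# that kind of misclassification is what makes blanket category bans
# block legitimate sites.
CATEGORIES = {
    "footy-streams.test": "streaming",
    "livegoals.test": "streaming",
    "uefa.test": "streaming",
    "slotmachines.test": "gaming",
    "dropper.test": "malicious",
}

WORKDAYS = {0, 1, 2, 3, 4}                  # Monday..Friday per datetime.weekday()
WORK_HOURS = (time(9, 0), time(17, 30))     # assumed office hours

@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    name: str
    category: Optional[str] = None           # match the host's category
    domain: Optional[str] = None             # match the host or any subdomain
    url_pattern: Optional[str] = None        # regex over the full URL
    groups: Optional[FrozenSet[str]] = None  # None means every group
    work_hours_only: bool = False            # only applies Mon-Fri 09:00-17:30

def host_category(host: str) -> str:
    for suffix, cat in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return cat
    return "uncategorised"

def in_work_hours(when: datetime) -> bool:
    start, end = WORK_HOURS
    return when.weekday() in WORKDAYS and start <= when.time() < end

def rule_matches(rule: Rule, when: datetime, group: str, url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    if rule.groups is not None and group not in rule.groups:
        return False
    if rule.work_hours_only and not in_work_hours(when):
        return False
    if rule.domain is not None and not (host == rule.domain or host.endswith("." + rule.domain)):
        return False
    if rule.category is not None and host_category(host) != rule.category:
        return False
    if rule.url_pattern is not None and not re.search(rule.url_pattern, url, re.IGNORECASE):
        return False
    return True

# Ordered policy: the first matching rule wins; no match means allow.
POLICY = [
    Rule("deny", "malware-hosts", category="malicious"),
    Rule("deny", "stream-manifests", url_pattern=r"\.(m3u8|flv)(\?|$)"),
    Rule("allow", "official-site", domain="uefa.test"),   # listed before the streaming deny
    Rule("deny", "no-gaming", category="gaming"),
    Rule("deny", "warehouse-no-streams", category="streaming", groups=frozenset({"warehouse"})),
    Rule("deny", "no-streams-at-work", category="streaming", work_hours_only=True),
]

def decide(when: datetime, group: str, url: str, policy=POLICY):
    """Return (action, rule name) for the first rule that matches the request."""
    for rule in policy:
        if rule_matches(rule, when, group, url):
            return rule.action, rule.name
    return "allow", "default"

# Constructed access log: (timestamp, user, group, url).
# 2012-06-11 is a Monday, 2012-06-16 a Saturday.
ACCESS_LOG = [
    (datetime(2012, 6, 11, 10, 15), "alice", "sales", "http://footy-streams.test/euro/live"),
    (datetime(2012, 6, 11, 19, 45), "alice", "sales", "http://footy-streams.test/euro/live"),
    (datetime(2012, 6, 11, 19, 45), "bob", "warehouse", "http://livegoals.test/match"),
    (datetime(2012, 6, 11, 12, 30), "carol", "sales", "http://uefa.test/fixtures"),
    (datetime(2012, 6, 11, 12, 31), "carol", "sales", "http://ads.dropper.test/setup.exe"),
    (datetime(2012, 6, 16, 14, 0), "dave", "sales", "http://cdn.unknown-host.test/live/euro.m3u8"),
    (datetime(2012, 6, 11, 11, 0), "dave", "sales", "http://slotmachines.test/play"),
]

def blocked_report(log=ACCESS_LOG, policy=POLICY):
    """Map each user to the (timestamp, url, rule) triples that were denied."""
    report = {}
    for when, user, group, url in log:
        action, rule = decide(when, group, url, policy)
        if action == "deny":
            report.setdefault(user, []).append((when.isoformat(), url, rule))
    return report

if __name__ == "__main__":
    for user, hits in blocked_report().items():
        for when, url, rule in hits:
            print(f"{when} {user:<6} BLOCKED {url} [{rule}]")
```

Running it prints the denied requests: alice's 10:15 attempt is blocked while her 19:45 one is allowed, bob is blocked at any hour because his group is always denied, carol reaches the official site despite its category but is stopped at the malware host, and dave's stream manifest is caught on a Saturday on a host the category database has never seen.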

Add a SpamTitan Technologies anti-spam solution and you can also block the barrage of spam and phishing emails sent whenever a major sporting event takes place.