
Thursday, February 15, 2018

In This Issue

#bitcoinCRAZE—Scams Galore!
Don't Break Your Bank or Your Heart
(BEC)… Another Social Engineering Scam!
Confusion in the HTTPS World

This Month's Tips:

Do not trust Twitter or other social media for investment advice since fake news is a pitfall.

Report phishing scams, and don't share or forward the lure to others.

Be wary of social engineering attempts to steal your credentials.

Avoid using two-factor authentication via SMS texts; rather, use Google Auth.

#bitcoinCRAZE—Scams Galore!

As the market shares of Bitcoin take us on a rollercoaster ride, e-wallets, crypto exchanges, and other cryptocurrencies are popping up. New "crypto" apps offer mining services, exchange services, and even banking services. How will you navigate the potential security pitfalls of cryptocurrency scams?

Let's examine some of the various ways bad actors are skimming the coffers of cryptocurrencies and what you as a consumer can do to avoid them.

Cryptocurrency Hack Attacks

Fake News

With the era of social media and online news, fake news pushers mimic mainstream media web pages with catchy links: "Click here to earn one Bitcoin a day!" They bait users and get them to enter their personal data and credit card information. Always remember, think before you click! If it sounds too good to be true, then it usually is.

Phishing Scams

Another popular scam uses specialized phishing lures to penetrate cryptocurrency storage systems, such as mobile wallet apps, online exchanges, or trading apps. Think twice before clicking. Do not fall for phishing scams or ads laced with malicious links.

Miner Malware

Electricity is the number one operational cost to a Bitcoin miner. For that reason, nefarious hackers have resorted to stealing resources by spreading Bitcoin-mining malware, like WannaMine. Using the "WannaCry" ransomware exploits, these hackers are injecting "stealth-mining" bots into computers, smartphones, or IoT gadgets, creating a system of malware botnets. If you notice your battery is dying faster than usual or your device is running slower than normal, then you should scan your system with updated antivirus/anti-malware software.

Timely Advice

Whether you decide to join the craze or sit back and watch the rollercoaster's dips and turns, practicing routine cyber hygiene will help you avoid the hidden traps lying in wait on the web:

Routinely scan your computers, laptops, mobile phones, and other devices using updated and patched antivirus/anti-malware software.

Research before investing to make sure your cryptocurrency website is secure and trustworthy.

Closely monitor your cryptocurrency wallets, credit card accounts, and banking accounts.

Store your cryptocurrency in an offline wallet that can't be accessed by malware or hackers.

Don't Break Your Bank or Your Heart

With Valentine's Day sitting neatly in the middle of February, it's important to be aware of the increase in romance-related scams. Romance scams are a form of online fraud where criminals pose as attractive partners, begin a romantic relationship, and then convince their victims to give them large amounts of cash. Scammers will use fake profiles on social media or dating sites to find their targets.

The FBI reported that in the US, romance scams result in the highest amount of financial losses of all internet-facilitated crimes. To avoid these criminals, it's important to know the indicators.

Typical signs of dating-app scammers:

Many grammatical errors or odd word choices might be signs of a foreign scammer.

They don't want to meet in person and might come up with excuses ranging from traveling to family emergencies.

They fall on difficult times or describe a specific situation where they need to be bailed out financially.

Quickly falling in love: the goal of scammers is to make you enamored with them as quickly as possible, and if it seems like it's moving too fast, it might just be.

Cybercriminals love to play with their victims' emotions in order to steal from their victims. This is why, during the Valentine's Day season, everyone must stay especially vigilant to avoid falling into their traps.

(BEC)… Another Social Engineering Scam!

Now that phishing and spear-phishing email attacks are becoming familiar in the workplace, we can add a new scam to the list: Business Email Compromise (BEC).

What's that?

BEC is a social engineering scam geared specifically toward companies wherein hackers look to reap large rewards by deceiving authorized employees into releasing payments. This is facilitated by knowing company information, such as titles, email addresses, and other pertinent internal data. Scams include creating phony email addresses of real executives and asking for sensitive information such as wire payments and W-2 tax forms. The replies to that email will then be routed back to the attacker's phony mailbox. Another example could be the attacker posing as a vendor sending your accounting team an invoice with the correct billing total, purchase order number, and date but with a different set of wire instructions.
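The two header patterns described above (an executive's name on a phony address, and replies routed to a different mailbox) can be checked mechanically. The following is an added example, not part of the original newsletter; the domain example.com, the executive names, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's domain and executive names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "sam lee"}

# Constructed sample messages (headers, blank line, body).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\n"
             "To: ap@example.com\nSubject: Q1 numbers\n\nSee attached.\n",
    "reply_to": "From: Jane Doe <jane.doe@example.com>\n"
                "Reply-To: Jane Doe <jane.doe@examp1e.test>\n"
                "To: ap@example.com\nSubject: Urgent wire\n\nPlease pay today.\n",
    "lookalike": "From: Sam Lee <sam.lee@example-corp.test>\n"
                 "To: hr@example.com\nSubject: W-2 forms\n\nSend all W-2s.\n",
}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()

def bec_flags(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    # A real executive's name shown on an address outside the organization.
    if display.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        flags.append("executive name on external address")
    # Replies would go to a mailbox in a different domain than the sender's.
    if reply_dom and reply_dom != from_dom:
        flags.append("replies routed to a different domain")
    return flags

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, bec_flags(raw))
```

Mailing lists and ticketing systems also set a Reply-To in another domain, so a flag here is a prompt to verify the request through a known channel, not proof of fraud.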

What's the damage?

Simply put… BECs have proven a larger financial return for attackers. The FBI's Internet Crime Complaint Center (IC3), which intercepts Internet crime related complaints, received a total of 298,728 complaints, with reported losses over $1.3 billion in 2016. BEC scams average a loss of around $30,000 while romance and confidence scams average $1,700. Although most businesses use an antivirus program or spam filter, they do not prevent ALL email identity fraud or social engineering attacks.

Prevention?

There are a number of different technologies that can be put into place, such as a DMARC (Domain-based Message Authentication, Reporting & Conformance) program, to prevent attacks that use an organization's name or pose as an employee through email. This will also protect the organization's customers and partners from the deception and attack. However, nothing will replace vigilance on the part of the email receiver. Every company should have checks and balances in place with respect to wire payments and established processes before any funds are moved between accounts. The extra diligence and time investment is worth it in the long run!

Confusion in the HTTPS World

For people and organizations, trying to keep up with security best practices, guidelines, rules, and other recent developments is often a head-spinning endeavor. Advances in cybersecurity technology are inevitably matched with setbacks. One day you think you're safe and the next day you realize you're not. Take the https and padlock icon. For users looking for quick assurance that they're visiting a safe website, the "https" and padlock icon in the address bar have provided sufficient reassurance.

Tech talk moment: Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for "secure." It means all communications between your browser and the website are encrypted, so if you provide personal information, such as a credit card number, you can be reasonably sure it's not getting intercepted by a hacker. In order to get the https, websites must get an SSL certificate, which is a kind of authentication that the website meets safety standards.

Unfortunately, as hackers catch up and find ways to spoof sites and procure the coveted https and padlock, users are once again vulnerable to having their data stolen. According to Senior Threat Intelligence Analyst Jin Xie (via thesslstore.com), hackers will continue to focus on ways to attack SSL certificate authorities. "Due to vital security assets controlling encrypted communication between machines, many cyberattacks will leverage compromised or rogue keys and certificates. A nation-state with this power can bombard critical infrastructure through increasingly sophisticated variations of attacks, sabotaging core services using attacks derived from Stuxnet and Duqu."

What can you do to remain safe while browsing? Try not to click on links; typing in the URL instead of clicking is always a better bet. Also, if you have any reason to suspect the authenticity of a site, leave it by closing the browser window immediately. Frequently, the quickest way to close the browser window is to press ALT+F4.

Inspired eLearning | 613 NW Loop 410 | Suite 530 | San Antonio, TX 78216

© 2018 Inspired eLearning, LLC. All Rights Reserved. All organizations with an active Security Awareness license are granted permission to republish any or all of the content in our Security Awareness Newsletter, as long as distribution of that content is limited to employees within the organization.