Is GDPR a Win for Cybercriminals?

Reading Time: ~3 min.

GDPR represents a massive paradigm shift for global businesses. Every organization that handles data belonging to European residents must now follow strict security guidelines and businesses are now subject to hefty fines if data breaches are not disclosed. Organizations around the world have been busy preparing to comply with these new regulations, but many internet users are unaware of how GDPR will impact them. While this new oversight enhances user privacy protection, its implementation also opens the door for GDPR-specific cyber threats.

Anyone with even the slightest online presence has been subject to a barrage of new terms and conditions released by companies concerning GDPR, which became effective on May 25, 2018. Criminals are taking advantage of this overwhelming surge of new terms of agreements to execute scams.

A phishing scam purporting to come from Apple is the most popular that we’ve seen. It declares that “For Your Safety, Access To Your Apple ID Has Been Restricted”, then prompts users to update account information before being allowed back in. This particular campaign was designed to capitalize on fatigue from the myriad of updated terms of agreement and privacy policy notifications internet users have encountered in the weeks leading up to GDPR, hoping to catch them off guard. The idea behind the scam is that potential victims are less alert and more likely to agree to and click through anything related to updated terms and conditions. Here’s what the phishing page looks like:

Source: hxxps://www.securitycentre-appleid.com [phishing URL]

When victims click “Update Your Account”, they’re then presented with a fake login page designed to capture their Apple ID credentials.

Source: hxxps://www.securitycentre-appleid.com/Locked.php [Phishing URL]

Targeted Ransomware

Beyond simple phishing scams, GDPR brings new pressure criminals can leverage concerning personal data that companies are responsible for. Targeted ransomware has become popular recently, especially through the RDP attack vector. Cybercriminals are now in a much better position to demand substantially larger ransoms when dealing with company data belonging to EU residents than before.

Were criminals to target an organization handling EU resident data, they’d be in a position to leverage a ransom amount closer to fines meted out under GDPR laws once they’ve breached and encrypted the data. We expect to see an increase in targeted ransomware hoping to exploit the hefty GDPR fine structure.

Another win for cybercriminals comes in the form of the recent change to the WHOIS lookup, made in response to GDPR data privacy restrictions. The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that manages the global domain system, has removed crucial bits of data from public WHOIS lookups to comply with GDPR.

Before this change, when queries were made on domains using WHOIS lookup, information such as registrant’s name, address, email, and phone number was accessible. This proved invaluable when tracking malicious domains linked to malware campaigns. Now, with GDPR, that information will no longer be available publicly, giving cybercriminals another edge. ICANN has since filed a lawsuit seeking to clarify the law as it relates to WHOIS data collection, according to Threatpost.

GDPR Fails

We’ve also seen some unfortunate failures from legitimate companies sending emails trying to educate and inform their customers of GDPR-related changes—and actually violating the regulations while doing so.

Source: @ashstronge on Twitter

In sending this email on blast to their contacts, the company above failed to hide email addresses, thereby sending their users’ contact information to everyone on their email list. A mistake like this may carry costly consequences under the EU’s new rules. It should serve as a reminder to businesses of all sizes: there’s a lot at stake when handling personal data. With only 42 percent of organizations in the U.S., U.K. and Australia reporting they are ready to comply with recent privacy regulations, ramping up information security safeguards will continue to be imperative in 2018.

Be on alert for scams related to GDPR. Interact carefully with the many privacy policy updates you’ve likely received in recent weeks. Remember to practice good cyber hygiene, and always double check website URLs whenever entering personal data.
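The URL double-check recommended above can be automated for links pulled from email. The sketch below is an added example, not part of the original post: it flags hosts that use a brand name outside that brand's own domains, as the phishing URL quoted earlier does. The `TRUSTED` allowlist and `BRAND_TOKENS` are illustrative assumptions, and URLs are only parsed, never fetched.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration; build yours from the vendor's own documentation.
TRUSTED = {"apple.com", "icloud.com"}
# Brand words that should only appear on trusted domains (illustrative assumption).
BRAND_TOKENS = {"appleid", "apple", "icloud"}


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    return url.strip().replace("hxxp", "http", 1).replace("[.]", ".")


def is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'unparseable' for a URL."""
    parts = urlsplit(refang(url))
    # .hostname drops userinfo and port and lower-cases the host.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unparseable"
    if is_trusted(host):
        return "trusted"
    # Split the whole authority (userinfo included) into words so that
    # "securitycentre-appleid" matches "appleid" but "pineapple" does not.
    words = set(re.split(r"[^a-z0-9]+", parts.netloc.lower()))
    if words & BRAND_TOKENS:
        return "lookalike"  # brand name used outside the brand's own domains
    return "unknown"


if __name__ == "__main__":
    samples = [  # first entry is the defanged URL from the post; the rest are constructed
        "hxxps://www.securitycentre-appleid.com/Locked.php",
        "https://appleid.apple.com/",
        "https://appleid.apple.com@login.example/reset",
        "https://apple.com.account-check.example/",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

Matching the trusted domain as a suffix of the host, rather than looking for it anywhere in the URL, is what catches hosts that merely begin with or contain a legitimate-looking name.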

What do you think about GDPR’s implications for the evolving threat landscape? Let us know in the comments below or join our Tech Talk discussion in the Webroot Community.

American Cybercrime: The Riskiest States in 2018

Reading Time: ~4 min.

Nearly 50 percent of Americans don’t use antivirus software

That’s right; something as basic as installing internet security software (which we all know we’re supposed to use) is completely ignored by about half the US. You’d be amazed how common this and other risky online behaviors are. We did a survey of people’s internet habits across the United States, and the numbers aren’t pretty.

For reference, some very common (and very risky) online behaviors include:

  • Not using antivirus software
  • Sharing your account passwords
  • Using too-simple passwords, or reusing the same password for multiple accounts
  • Not using an ad or pop-up blocker
  • Opening emails, clicking links, and downloading files from unknown sources
  • Not installing security on mobile devices

State-by-state Breakdown of the Riskiest Cyber Behaviors

We analyzed all 50 states and Washington, D.C., to rank them on their cyber hygiene habits. This ranking system uses positive and negative survey questions weighted by the relative importance of each question. These questions address several topics, including infection incidents, identity theft, password habits, computer sharing, software update habits, antivirus/internet security usage, backup habits, understanding of phishing, etc.

*Read the full report here.

Florida wins the dubious distinction of riskiest state with the worst cyber hygiene. But before anyone pokes fun, we’d like to point out that the average resident of any state in the nation has pretty poor cyber hygiene. Only 6 states in the nation had good cyber hygiene scores.

Impacts of Risky Behavior

When you practice poor cyber hygiene, you’re not just running the risk of getting infected or losing a few files.

In our research, we asked respondents who had suffered identity theft, “what were the main consequences of the identity theft incident?” Some of the self-reported fall-out was both surprising and tragic, including responses like divorced spouse, bankruptcy, failed to obtain mortgage, had to get second job, had to sell house, increased alcohol consumption, delayed retirement, and diminished physical health.

When we consider that identity theft can mean such devastating consequences as divorce, bankruptcy, and even damage to our health, it becomes clear just how important good cyber hygiene really is.

What the Riskiest States are Doing Wrong

Stats from the 5 riskiest states (Florida, Wyoming, Montana, New Mexico, and Illinois):

  • Identity theft had little to no impact on their cyber hygiene habits. That means even after learning the consequences first hand, very few people changed their habits.
  • These states had the highest per-person average (28 percent) of having experienced 10+ malware infections in a single year.
  • 50 percent+ of respondents in Florida, Illinois, and Montana, and 45 percent of respondents from New Mexico and Wyoming, said they don’t use any kind of antivirus or internet security.
  • 47 percent of respondents never back up their data.
  • An average of 72 percent share their passwords.

What the Safest States are Doing Right

The 5 safest states had many behaviors in common that kept them ahead of the malware curve.

  • Following cases of identity theft, nearly 80 percent of respondents from the 5 safest states reported that they had altered their online habits, and almost 60 percent changed their passwords.
  • Only 14.4 percent of respondents in the safe states experienced 10 or more infections a year.
  • The safest states typically reported running paid-for antivirus/security solutions, rather than freeware, unlike their risky counterparts.
  • Finally, nearly half (43 percent) of the 5 safest states automatically update their operating systems, and 35 percent of respondents regularly back up their data, either on a daily or continuous basis.
  • And of the top 4, password sharing was hardly an issue (88 percent of respondents from those states reported they don’t share passwords at all.)

The Role of Demographics and Additional Findings

Given Florida’s reputation as a retirement hotspot, we wanted to point out that 50 percent of Florida’s respondents in our study were age 30 or below, and the national average of respondents aged 30 or below was 47 percent. This means age demographics in our survey were consistent throughout all 50 states and D.C. and our responses actually skew younger rather than older.

How to Increase Your Personal Cyber Hygiene Score (It’s not too late!)

Here’s a quick to-do list that will help keep you safe from malware, identity theft, and other online risks. It’s not as hard as you might think.

  1. Use antivirus software. And keep in mind, while there are plenty of free tools out there that are better than nothing, you get what you pay for. Your online security, and that of your family, is worth a little investment.
  2. Create strong passwords for each account, change them often, make sure each one is unique, and, if possible, add spaces for increased security. If you’re worried about keeping track of them all, use a password manager.
  3. Stop sharing your login credentials with friends, family, and coworkers. We mean it.
  4. Closely monitor your financial accounts for any fraudulent activity, and consider using a credit monitoring or identity protection service.
  5. Regularly update your operating system and software applications. Lots of infections start by exploiting out-of-date systems.
  6. Don’t open emails from people you don’t know, and don’t download anything from an email unless you’re certain it’s legitimate. And if you get a message that appears to be from an official or financial institution asking you to take an action, don’t click any links. Go straight to the institution’s official website, or call them to confirm whether the message you received was real.
  7. Back up your files and important data regularly to a secure cloud or physical drive.

There are a lot of risks out there, and as an internet user, you have a responsibility to use good judgement when you work, bank, shop, browse, and take other actions online. But by following these easy tips, you can dramatically change your cyber hygiene score, and reduce your risk of falling victim to cybercrime.

Bad Apps: Protect Your Smartphone from Mobile Malware

Reading Time: ~2 min.

Smartphone apps make life easier, more productive, and more entertaining. But can you trust every app you come across? Malicious mobile apps create easy access to your devices for Android and iOS malware to wreak havoc. And there are many untrusted and potentially dangerous apps lurking around in app stores determined to outsmart your smartphone. With the average user having 35 apps installed on their phone, according to Google, it’s easy to see why smartphones can be such an easy target.

But my iPhone is safe, right?

Both Apple iOS and Android devices are targeted by hackers, and while the latter is a more popular target, both platforms are susceptible to various types of cyberattacks. After all, Apple’s latest version of iOS 11 was cracked just one day after its release via vulnerabilities in the Safari web browser, according to ZDNet.

Protect yourself from bad apps:

All of this means that unprotected smartphones are soft targets for cybercriminals, with weaknesses that hackers can ultimately exploit to generate revenue. The first defense is knowing that you can’t trust all apps. These tips will also help you stay protected as you search for the good ones:

  1. Download apps from reputable stores. The major, reliable providers are Galaxy Apps (Samsung), the App Store (iOS), Amazon App Store, and Google Play (Android).
    Google Play, for example, scans 50 billion apps daily to detect malware before publishing new ones.
  2. Disable “Unknown Sources” for Android devices, which prevents installing apps from sources other than the Google Play Store. So, if you use Amazon App Store, you’ll need to enable “Unknown Sources”. In that case, be mindful before allowing any other app or website to install something on your phone. It should also be noted that changes to this functionality are coming with the latest update to Android’s Oreo operating system.
  3. Keep Android USB debugging off. It can prevent outside malware from accessing your phone through corded connections, such as from a public charging station.
  4. Don’t jailbreak your iPhone. Allowing access and changes to your phone’s software can allow in outside apps that may not be trustworthy.
  5. Beware of any website, text, email, or anything asking you to install an app. Search for your own apps at the store and research all apps before installing.
  6. Beware of granting excessive permissions. Apps that perform basic functions, such as a flashlight, don’t need to access your personal information, for example.
  7. Read app reviews before installing, and review and report sinister apps. Users working together as a community can help alert unsuspecting victims to phony apps.
  8. Be cautious about providing your credit card or banking information. Avoid making transactions over apps that are not well known to you or the user community and be careful about hidden charges such as microtransactions.
  9. Install OS and other software updates. It is always recommended to keep your OS and apps updated with the latest patches. It’s also smart to consider phones from vendors that release prompt security patches. Many software updates are designed to defend against malware and other emergent threats.
  10. Use trusted internet security software. No matter how careful you are, it is wise to employ a reputable layer of online security.

Prevention, prevention, prevention.

Sometimes free mobile apps, including free security software apps from unknown providers, are suspect. The convenience of a quick download and excessive trust are not worth saving a few seconds or cents. Do your research, follow these 10 tips, and protect your well-being on any mobile device.