Home + Mobile

After the Hack: Tips for Damage Control

According to the Identity Theft Research Center, in 2017 alone, nearly 158 million social security numbers were stolen as a result of 1579 data breaches. Once a cybercriminal has access to your personal info, they can open credit cards, take out loans that quickly...

Cyber News Rundown: Russia Bans Telegram

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask. Russia Blocks Millions of IPs to Halt Use of...

Re-Thinking ‘Patch and Pray’

When WannaCry ransomware spread throughout the world last year by exploiting vulnerabilities for which there were patches, we security “pundits” stepped up the call to patch, as we always do. In a post on LinkedIn Greg Thompson, Vice President of Global Operational...

Use Caution with Free-to-Play Mobile Games

Who doesn’t like a good mobile game? Especially a free one! They allow you to blow off steam while fine-tuning your skills, competing with others or maybe even winning bragging rights among friends. Free games can be fun to play, yet there are some common-sense...

After the Hack: Tips for Damage Control

Reading Time: ~4 min.

According to the Identity Theft Research Center, in 2017 alone, nearly 158 million social security numbers were stolen as a result of 1579 data breaches. Once a cybercriminal has access to your personal info, they can open credit cards, take out loans that quickly ruin your credit, or leave you with a giant bill. But that’s not all. Many people don’t realize that, depending on how much information a hacker gets and what their intentions are, you could lose a lot more than money. From sending malware to your contacts from your account to spamming your coworkers with phishing attacks to compromise your employer’s network, the damage a hacker can wreak on your personal and professional life can extend far beyond the monetary bounds.

Additionally, according to Dave Dufour, VP of Engineering and Cybersecurity at Webroot, we’re seeing more evolution in cybercriminal tactics that take advantage of internet users and their trust:

“What’s happening lately is that people are hacking social media accounts. Why would anyone want your social media information? One reason is that, if I have access to one of your social media accounts, I can spread malware to all your followers who trust you. Pretending to be you, I can send out a link, your followers click it, and my malware is now on all of their devices.”

So, what do you do if you’ve been hit with malware, ransomware, phishing, or a social media attack? First, don’t panic. Second, follow these steps to deal with the fallout.

You’ve been hacked. Now what?

Change your passwords
The first step is one you’ve probably already heard: change all your passwords. Yes, all of them. Don’t forget make them strong by using at least 12 characters, changing out at least two or three of the characters to uppercase, using numbers or symbols (e.g., replacing an A with a @ or an S with a 5), avoid using places you’ve lived, acquaintances names, your pets, birthdays, or addresses—and don’t even think about using ABC or 123. If you have trouble keeping track of your passwords, we recommend you use to a secure password manager application that saves your credentials in an encrypted database and automatically fills them in when you log into a site.

Turn on two-factor authentication
Most accounts that house your personal information, such as email or banking, offer two-factor authentication. This provides an additional layer of security that goes beyond your username and password by asking you to confirm your login with an extra step, such as a short-term security code sent via text message or phone call. You can turn on two-factor authentication from the login screen of the account.

Check for updates
One of the best ways to keep your devices protected is to update your operating system regularly and ensure that any applications you use are patched and up to date. If you have questions, you can always call your device provider’s helpline. To make things even easier, most systems and software allow you to set up Automatic Updates, so you don’t have to worry about remembering to check for them manually.

Install antivirus protection and run a scan
Antivirus software is an extremely beneficial tool that doesn’t just help detect and remove malicious software that could be lurking on your computer, it can also stop threats before they infect your device in the first place. But be careful: avoid the temptation to download a free antivirus program, as these often come bundled with malware or potentially unwanted applications. Instead, invest in a reputable option. Once installed, be sure to run a scan and turn on automatic scans and updates.

Delete sensitive data from the compromised account
As soon as you realize you’ve been hacked, go to the compromised account and delete any sensitive data you can. For example, if you know you’ve stored your credit card information, bank statements, social security number etc. in your email or on any retail site, immediately delete them from those locations. This also goes for any personal photos or information you wouldn’t want released. And don’t forget to clear out your folders on any cloud services, such as Dropbox, Google Drive™ or iCloud®.

Monitor bank statements and account activity
One of the top motivations of a cyberattack is to steal your money or identity to go on a shopping spree or use your financial accounts in some way. Be vigilant about monitoring your accounts for recent activity and check to make sure no new shipping addresses, payment methods, or accounts have been added. Also, call your bank and let them know about the incident so they can have their fraud department monitor your accounts.=

Deauthorize apps on Facebook, Twitter, Google, etc.
To protect your accounts and remove malicious individuals, check which apps are connected to your social media accounts and deactivate all of them. Did you sign into a site using your Facebook so you could see which historical figure you look like? That’s an example of something you should deactivate. You can find directions on how to do this for each account in its help or settings section or by contacting the associated customer service line.

Tell friends you’ve been hacked, so they don’t become victims, too
Another important step to take after you’ve been hacked is to alert your contacts. Many social media and email attackers will send messages from your account that contain malicious links, attachments, or urgent requests for money. Letting contacts know right away that your account has been compromised, and what to watch out for, can save them from the same fate.

Because technology continues to advance and the number of connected devices is growing exponentially, being the target of a cyberattack or identity theft is becoming more commonplace. But we’re here to help. Learn more about protecting yourself and your family online, and what you can do to stay safe from modern cybercrime.

Home Sweet Hackable Smart Home

Reading Time: ~4 min.

We live in the future. Not one with teleportation, time travel, or flying cars, but one where talking to inanimate objects is the “normal,” even “cool” thing to do.

According to The Smart Audio Report from NPR and Edison Research, 39 million people now own an interactive, voice-activated smart speaker and, in just a few short years, the smart speaker has been joined by countless other smart gadgets, forming a network of connected devices known as the internet of things (IoT). These connected household devices have evolved from assisting with simple tasks like having Alexa play music, to having the ability to control nearly every part of the home, from the ambient temperature to the food that’s purchased for your refrigerator.

It’s pretty amazing, as long you remain in the captain’s chair. But what happens when you’re no longer the one in control?

They see you when you’re sleeping, know when you’re awake

Imagine coming home on a hot day to find your thermostat set to Phoenix-in-August-like temperatures and realizing you can’t change it. Or discovering your internet-connected appliances have been hijacked to do the bidding of cybercriminals in a DDoS attack by a massive IoT botnet. And what could be worse than finding out hackers have the ability to peek into the feed from the nursery webcam? These examples may sound like fear-mongering or idle, worst-case-scenario musings. But they’ve all already happened.

The more consumers buy and use internet-connected home devices, the more opportunities are created for hackers to break in, both digitally and physically. Since IoT products include everything from to fitness bands and home security cameras, to lights, doors, and cars, we run the risk of painting a detailed, time-stamped digital portrait of our daily lives for any hacker with the know-how to access these devices. All they need to access your entire network is one weak link.

Hacked by default

Why are IoT products so vulnerable? According to Webroot senior threat researcher Tyler Moffitt, “the underlining problem with all these emerging IoT devices is that the vendors are only focused on functionality, and have little to no budget for security vetting. Minimum viable product for maximum profit.”

The result? More vulnerabilities leading to more opportunities for attackers to hack your home. The proliferation and widespread adoption of IoT devices presents hackers with billions more targets than previously available, and their success rate need not be high. A single security oversight on a mass-produced device can be devastating.

For example, many smart home devices like Nest Learning Thermostat devices come with a default username and password that most consumers don’t think to change. In some cases, that’s simply not an option, as passwords are sometimes hardcoded into the firmware. Oftentimes, hackers can easily find default login information online and sneak onto your device. Then, with the help of a little malware, they can gain control of your entire fleet of smart-home devices. And hundreds of other people’s.

Patches and updates are another gaping door left open to hackers. Many IoT devices either simply can’t be patched to protect against the latest threats, or their manufacturers don’t have the budget or resolution to release prompt updates. In an up-and-coming market segment filled with startups, there isn’t even a guarantee your device manufacturer will be around to release a much-needed security update when an emergent threat comes knocking.

Secure is the new smart

Before you run home and to rip your Nest or other IoT connected device off the wall, read on. There are ways to keep your home smart and secure.

“Smart homes are still a new space as far as security goes,” says Moffit. “Down the road, we expect security to be protecting internet connected devices. But for now, we recommend a layered approach and taking all the proper precautions. Similar to antivirus, pay for the well-reviewed, vetted products.”

Here are a few more tips for being a smart IoT consumer:

Update login info

Update your usernames and passwords (the stronger the better). Do this for every device you have, and avoid using the same password twice. While you’re at it, change the passwords on your other accounts, too — especially if you’ve had the same one since you opened your first email account in 1998.

Secure wireless networks

Set up two different networks to help reduce the risk of hacking across devices — one for smartphones, computers, and tablets, and another for your smart home products. Add a strong password and give your home network a random name having nothing to do with your username, password, or address. Also, make sure your home network is protected by the Wi-Fi Protected Access II (WPA2) protocol, disable guest access, and most importantly, disable remote access. 

Update software and firmware

Updating helps ensure the latest security measures are being implemented by your device. Many smart home devices don’t update automatically, so check for them about once a month.

Install security software and malware protection

Because there is no singular solution for protecting your smart home products themselves, it’s important to use a layered approach for your security measures. Safeguarding your network, for example. Adding security apps and software to your computer and smartphone can protect against attackers accessing information via a malicious site or app.

Invest in proven solutions

Since so many companies are trying to get on the smart home train and many aren’t keeping security top-of-mind, it’s important to invest in proven solutions and stick to well-known brands that have a reputation for being secure. This helps guard against the aforementioned problem of timely updates not being available, too.

Oh, and you know those home gadgets that come with a hard-coded password? Don’t buy them.

Malvertising: Avoid Bad Ad Invasion

Reading Time: ~3 min.

The way people shop has changed drastically over the last 10 years. E-commerce continues to boom. In fact, 80% of Americans made an online purchase in the past month, according to the Omni-Channel Retail Report from BigEcommerce. Because what’s not to love about shopping online, receiving your items in just two days, and not having to put pants on?

Not surprisingly, the increase in online shopping has been accompanied by a spike in online advertisements. And in recent years, thanks to malvertising, things like display ads and social media promotions have gone from annoying to dangerous.

A Threatening Combination

The term malvertising is a merger of two words, malicious and advertising. It is defined as the use of online advertising as a vehicle to spread malware.

Malverts are created when cyber criminals embed malware-laden or malicious code into normal-looking online ads like pop-ups (fake browser updates, anti-virus programs, etc.), paid ads using Google AdWords, display ads, drive-by downloads, in-text or in-content advertising, and more.

These ads are then placed on the pages of legitimate websites — such as The New York Times, the BBC, MSN, and AOL, to name a few—by an agency or an automated ad server. Infections are then very difficult to avoid when you visit a site running malverts. In fact, users don’t even have to click on anything to have their device compromised. Sometimes, all it takes is loading the page.

Online Wolves in Sheep’s Clothing

To understand how malvertising sneaks onto sites, you first have to understand how online ads are placed. Many large, popular websites use third-party vendors or software called an ad server to find the ad that will make the site the most money. To get an ad on a vendor’s network, oftentimes all you need to do is sign up and submit. Because of this, many cybercriminals will submit clean advertising to ad networks for weeks to gain legitimacy and circulation, and ultimately get their work through the system. Once they do, they quickly switch out their ads for malverts. These booby-trapped ads are usually only active for a few hours before the attackers switch back to legitimate ones.

Since ad servers typically don’t have strict vetting processes or are automated, it’s relatively easy for attackers to slip malverts through without anyone knowing. In fact, the cyber security firm Confiant reported that some attackers, like the Zirconium group, set up 28 fake ad agencies in 2017 through which to create and submit their malverts.

What’s more, these third-party networks oftend display different ads on the same page, meaning two people could visit the site and only one would be infected — again making malverts even harder to track down and stop.

Defend your devices from malvertising

Even though large, sophisticated malware campaigns were mounted in 2017, there are #cybersmart ways to protect yourself against an attack in the year to come:

  • Use an ad-blocker. Ad-blockers remove all online advertising, significantly reducing malvertising’s effects on the user. There have been cases of sophisticated malverts bypassing ad-blockers, but using one is still a great place to start.
  • Keep your devices updated and secure. Make sure your operating system and plugins are updated, keep software patched, only run the latest browsers, and invest in a good anti-virus or malware detection program.
  • Lock down your Java and Flash settings. Enable click-to-play plugin settings on your browser configuration for Java and Flash, which makes you give your device permission before running those plugins. Or disable Java and Flash altogether. You probably won’t miss them.
  • Stay on top of WordPress. WordPress continues to be one of the most popular targets for hackers. The plugins have been exploited and abused the same way as Adobe, Flash, Java, and Silverlight have. If you use WordPress, protect yourself by keeping your website up to date, updating themes and plugins to the patched versions, and staying aware of the latest WordPress-related vulnerabilities.
  • Practice safe browsing. Since malvertising can affect you even if you’re staying on legitimate sites (i.e. not trying to buy a kidney on the darknet), using safe browsing practices can greatly decrease your risk. Set up browser plugins to increase security and privacy, keep browsers and applications up-to-date, regularly check which plugins are being used and disable unnecessary ones, scan files before downloading, and watch out for phishing attacks.

And of course, using a reliable internet security product is the best way to protect yourself from cybercriminals. For extra credit, here are a few more general tips to protecting your devices.

  • Skip public WiFi networks
  • Pay with credit cards over debit cards online when possible
  • Deactivate Bluetooth in public settings
  • Always back up your files

Cyber News Rundown: Malware Attack Targets 2018 Winter Olympics

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Winter Olympics Disrupted by Malware Attack

The Winter Olympics are in full swing, and cybercriminals seem to be working just as hard as the athletes. Their nefarious minds are focused on distributing malware that targets several internal WiFi and television systems. In addition to a delay during the opening ceremonies, the malware caused major damage to the networks by wiping non-critical network files and using stolen credentials to traverse the networks with ease. With plenty of international information on hand, it’s surprising the attack focused more on destruction over data collection.

Cryptocurrency Scams from Celebrities on Twitter

At least two dozen fake Twitter accounts impersonating celebrities, and others closely tied to cryptocurrencies, have been promising to distribute various currencies to followers. These accounts are all very similar to the real celebrities’ user accounts, barring small spelling changes, and can be found commenting amongst their target’s posts. Although Twitter appears to be working swiftly to remove these types of accounts, more continue to appear.

News Site Offers Compromise to Disabling Ad-Blockers

With the increasing popularity of cryptojacking—the process of using cryptomining scripts on highly-trafficked sites to generate revenue—Salon.com is now offering a choice to visitors: disable your ad blocker or let them use your CPU for cryptomining. While this new offering may seem unusual, it’s likely to become more prevalent, since many sites depend on ad revenue to remain operational. The logic is that most users would prefer to allow mining scripts to run over being subjected to ads.

Telegram Leaves Zero-Day Bug Unfixed for Months

Researchers discovered a vulnerability within the Telegram messenger client that would allow attackers to send malware by using a specific character to mask the actual file without making any additional changes to it. This method can be used to fully commandeer a system by sending victims a simple downloader over SMS. The downloader deploys a variety of malicious tools onto the system itself. Telegram has since resolved documented issues, which appear to have targeted mainly Russian victims from as long ago as March 2017.

Canadian Telecom Firm Faces Security Flaw

A hacker has contacted Canadian Telecom firm Freedom Mobile to inform them of the security risks that their nearly 350,000 customers could face if a flaw in their system isn’t fixed. The flaw would allow any attacker to use a brute force attack on the account login page to compromise customer information. The hacker doesn’t appear to be acting maliciously, and he has posted proof of his findings, along with a strong recommendation that Freedom Mobile re-examine its security offerings.

Use Caution with Free-to-Play Mobile Games

Reading Time: ~2 min.

Who doesn’t like a good mobile game? Especially a free one! They allow you to blow off steam while fine-tuning your skills, competing with others or maybe even winning bragging rights among friends.

Free games can be fun to play, yet there are some common-sense guidelines to make sure these apps don’t surprise you with unexpected costs or other problems.

Like anything digital, opportunities for malware and other cyber threats do exist. Here are some things to beware of as you protect your privacy, well-being and wallet.

In-app purchases and unauthorized transactions

Free game providers make revenue by selling upgrades to the games’ cosmetic value or the means to advance to another level of play. For example, on a popular kids’ game, players can buy special coins that help boost their overall gaming experience.

But according to a 2017 Tech Crunch article, Amazon recently agreed to refund millions of these types of in-app purchases because they were technically unauthorized – made by children on mobile devices linked to its site. Much to the parents’ regret, these transactions did not require passwords.

Apple and Google have settled similar agreements with the Federal Trade Commission.

So, keep an eye on transactions, banking records and your kids as they play. Most mobile devices even have the option of disabling or PIN-protecting in-app purchases so the little ones aren’t able to make purchasing decisions on their own.

Little extras can add up to a big cost for mom or dad. Or, in a more malicious case, someone with bad intentions could be purposely adding unwanted charges to your credit card.

Malware and privacy threats

Free mobile apps typically feature advertising and, of course, users can pay a premium to turn that off. That’s another transaction-based upgrade that turns free into not-so-free.

However, beyond the clutter and interruptions caused by real ads, malware can deliver a darker spin on free-to-play games through fake ads.

The Economic Times reports that Google has removed nearly 60 games, many of which were aimed at children, from its Play Store. The games were found to be infected with malware and bogus ads.

The malware displayed images that looked like real advertisements, causing concern and prompting users to download fake security software. The users were then encouraged to click on other links that would require payment.

Along with encouraging users to download scareware and pay for premium services, the malware also stole personal information. Those types of sensitive, personal records could include passwords, device ID’s and credit card information.

And that can lead to identity theft and even larger financial threats.

So remember, only use trusted providers, read the reviews before installing the game and there’s never any need to allow extensive access to your device or personal information. You’re just playing free mobile game apps after all.

Free-to-Play mobile gaming security tips

Transaction-based issues and malicious malware are two of the most common concerns associated with free-to-play mobile games. But by no means do they make up a complete list of potential risk factors.

This doesn’t mean you shouldn’t play free games online. But use caution. Scrutinize games labeled as free and realize that paying a reasonable price for software versus getting it for no charge is sometimes worth it.

Here are some more detailed security tips from US-CERT, the United States Government Computer Readiness Team:

  • Use antivirus software
  • Be cautious about opening web files
  • Verify download authenticity
  • Configure web browsers securely
  • Back up personal data
  • Use strong passwords
  • Update operating and application software

Just Keep Swimming: How to Avoid Phishing on Social Media

Reading Time: ~3 min.

From Facebook to LinkedIn, social media is flat-out rife with phishing attacks. You’ve probably encountered one before… Do fake Oakley sunglasses sales ring a bell?

Phishing attacks attempt to steal your most private information, posing major risks to your online safety. It’s more pressing than ever to have a trained eye to spot and avoid even the most cunning phishing attacks on social media.

Troubled waters

Spammers on social media are masters of their craft and their tactics are demonstrably more effective than their email-based counterparts. According to a report by ZeroFOXup to 66 percent of spear phishing attacks on social media sites are opened by their targets. This compares to a roughly 30 percent success rate of spear phishing emails, based on findings by Verizon.

Facebook has warned of cybercriminals targeting personal accounts in order to steal information that can be used to launch more effective spear phishing attacks. The social network is taking steps to protect users’ accounts from hostile data collection, including more customizable security and privacy features such as two-factor authentication. Facebook has also been more active in encouraging users to adopt these enhanced security features, as seen in the in-app message below.

Types of social phishing attacks

Fake customer support accounts

The rise of social media has changed the way customers seek support from brands, with many people turning to Twitter or Facebook over traditional customer support channels. Scammers are taking advantage of this by impersonating the support accounts of major brands such as Amazon, PayPal, and Samsung. This tactic, dubbed ‘angler phishing’ for its deepened deception, is rather prevalent. A 2016 study by Proofpoint found that 19% of social media accounts appearing to represent top brands were fake.

To avoid angler phishing, watch out for slight misspellings or variations in account handles. For example, the Twitter handle @Amazon_Help might be used to impersonate the real support account @AmazonHelp. Also, the blue checkmark badges next to account names on Twitter, Facebook, and Instagram let you know those accounts are verified as being authentic.

Spambot comments

Trending content such as Facebook Live streams are often plagued with spammy comments from accounts that are typically part of an intricate botnet. These spam comments contain URLs that link to phishing sites that try to trick you into entering your personal information, such as a username and password to an online account.

It is best to avoid clicking any links on social media from accounts you are unfamiliar with or otherwise can’t trust. You can also take advantage of security software features such as real-time anti-phishing to automatically block fake sites if you accidently visit them.

Dangerous DMs

Yes, phishing happens within Direct Messages, too. This is often seen from the accounts of friends or family that might be compromised. Hacked social media accounts can be used to send phishing links through direct messages, gaming trust and familiarity to fool you. These phishing attacks trick you into visiting malicious websites or downloading file attachments.

For example, a friend’s Twitter account that has been compromised might send you a direct message with a fake link to connect with them on LinkedIn. This link could direct to a phishing site like the one below in order to trick you into giving up your LinkedIn login.

While this site may appear to look like the real LinkedIn sign-on page, the site URL in the browser address bar reveals it is indeed a fake phishing site. 

Phony promotions & contests 

Fraudsters are also known to impersonate brands on social media in order to advertise nonexistent promotions. Oftentimes, these phishing attacks will coerce victims into giving up their private information in order to redeem some type of discount or enter a contest. Know the common signs of these scams such as low follower counts, poor grammar and spelling, or a form asking you to give up personal information or make a purchase.

The best way to make sure you are interacting with a brand’s official page on social media is to navigate to their social pages directly from the company’s website. This way you can verify the account is legitimate and you can follow the page from there.

3 Tips for Securing Your Home WiFi Networks

Reading Time: ~2 min.

Once your home WiFi network is up and running and your family’s devices are connected, it’s normal to turn a blind eye to your router. After all, it’s mostly out of sight and out of mind. Unfortunately, that small, seemingly harmless box isn’t as secure as you may think.

Your router is your gateway to the internet. Once it’s compromised, cybercriminals may be able to view your browser history, gain access to your login information, redirect your searches to malicious pages, and potentially even take over your computer to make it part of a botnet.

Attacks like these are becoming all too common. Last year, we saw a prime example when hackers gained access to routers from various manufacturers and infected consumers’ devices with malicious advertising (also known as malvertising).

In a more recent attack, hackers entered WordPress sites through their owners’ unsecured home routers. After hacking the router, the attackers successfully guessed the password for the WordPress accounts and took complete control of the sites. As security experts noted, this particular hack was made even worse by the fact that most users have little to no understanding of how to secure their home router.

Beef up your home Wifi network security

Here are a few precautionary steps you can take to help deter cybercriminals from infiltrating your home WiFi network:

  • Change the default username and password on your route. (Remember to update your WiFi password frequently!)
  • Configure your router’s settings to use strong network encryption (WPA2 is preferred).
  • Disable your router’s SSID broadcast so it isn’t visible to others.

 

Do you live in one of the most-hacked states?

 

Additionally, Webroot Chief Information Security Officer (CISO) Gary Hayslip recommends enabling a personal firewall.

“Hackers search the internet by using certain tools to send out pings (calls) to random computers and wait for responses,” he said. “Your firewall, if configured correctly, would prevent your computer from answering these calls. Use your personal firewall. The main point to remember is that firewalls act as protective barriers between computers and the internet, it is recommended you install them on your computers, laptops, tablets, and smart devices if available.”

Learn more about how to keep your WiFi connection secure with our Tips for Improving Router Security.

How to Outsmart Mobile Threats

Reading Time: ~2 min.

As the holiday season kicks into high gear, keep in mind that shoppers are at an even higher risk of cyberattacks during this time of year. Salesforce projects that mobile users will account for 60 percent of traffic to retail sites around the globe this year. With the increased popularity of shopping on the go, more and more cybercriminals will move to prey on unsuspecting shoppers. Here are a few tips to minimize your chances of falling victim to cybercriminals this holiday season (and all year long). 

Sophisticated attacks on smartphones

The fact is, mobile threats are on the rise. The Webroot 2017 Threat Report revealed a spike in malicious mobile apps, noting that almost half of new and updated mobile apps analyzed over the previous year were classified as malicious or suspicious. That’s nearly 10 million apps, up from a little more than two million such apps in 2015.  

Given the rising frequency of cyberattacks and data breaches year over year, it’s no surprise that we’ve continued to see more sophisticated smartphone attacks. Some of the most common mobile threats users face are mobile web browser-based hacking, adware, remote device hijacking and eavesdropping, and breaches of mobile payment services.  

Why you need a mobile security app 

To avoid becoming a hacker’s next victim, protect your device with a mobile security app. A trusted security app can block infected or malicious apps and file downloads. It can also help protect your identity and personal information if your mobile device is lost or stolen. 

It’s worth pointing out that all mobile security services are not created equal. In October, independent testing firm AV-TEST found that Google’s Play Protect service, which is designed to safeguard Android apps, was found to be “significantly less reliable” than third-party security apps, according to The Next Web. 

 

Don't Get Hacked

 

Outside of a solid mobile security app, Webroot Chief Information Security Officer Gary Hayslip recommends making sure mobile devices are up to date:  

“I recommend getting in the habit of periodically checking for updates and, if any are available, installing them. Updates that are waiting to be installed are accidents waiting to happen; they are doorways that can be exploited to access your devices or steal or encrypt your information. Don’t make it easier for your device to be compromised, keep it updated with the latest patches.” 

Safety measures 

In addition to a mobile security app and frequent updates, you should also be protective of your mobile device’s connections. Follow these two tips to double-down on your mobile safety:  

  1. Turn off your Bluetooth: Bluetooth is a resurgent way for cyber deviants to gain access to your devices and personal information, so be sure to keep your Bluetooth off while out and about doing holiday shopping. 
  2. Data over WiFi: Public WiFi networks are notorious hotbeds for digital attacks. If you have to do your holiday shopping online in public, use your cellular connection instead. If you’d rather not use data, a virtual private network (VPN) is a great way to protect yourself while connected to a public network on your mobile device.  

New Cryptojacking Tactic May Be Stealing Your CPU Power

Reading Time: ~4 min.

What if cybercriminals could generate money from victims without ever delivering malware to their systems? That’s exactly what a new phenomenon called “cryptojacking” entails, and it’s been gaining momentum since CoinHive first debuted the mining JavaScript a few months ago.

The intended purpose: whenever a user visits a site that is running this script, the user’s CPU will mine the cryptocurrency Monero for the site owner. This isn’t money out of thin air, though. Users are still on the hook for CPU usage, the cost of which shows up in their electric bill. While it might not be a noticeable amount on your bill (consumer CPU mining is very inefficient), the cryptocurrency adds up fast for site owners who have a lot of visitors. CoinHive’s website claims this is an ad-free way for website owners to generate enough income to pay for the servers. All altruistic excuses aside, it’s clear threat actors are abusing the tactic at the victims’ expense.

An example of cryptojacking

 

In the image above, we can see that visiting this Portuguese clothing website causes my CPU to spike up to 100%, and the browser process will use as much CPU power as it can. If you’re on a brand new computer and not doing anything beyond browsing the web, a spike like this might not even be noticeable. But if you’re using a slower computer, just navigating the site will become very sluggish.

Cybercriminals using vulnerable websites to host malware isn’t new, but injecting sites with JavaScript to mine Monero is. In case you’re wondering why this script uses Monero instead of Bitcoin, it’s because Monero has the best hash rate on consumer CPUs and has a private blockchain ledger that prevents you from tracking transactions. It’s completely anonymous. Criminals will likely trade their Monero for Bitcoin regularly to make the most of this scam.

CoinHive’s JavaScript can be seen in this website’s HTML:

 

CoinHive maintains that there is no need block their scripts because of “mandatory” opt-ins:

“This miner will only ever run after an explicit opt-in from the user. The miner never starts without this opt-in. We implemented a secure token to enforce this opt-in on our servers. It is not circumventable by any means and we pledge that it will stay this way. The opt-in token is only valid for the current browser session (at max 24 hours) and the current domain. The user will need to opt-in again in the next session or on a different domain. The opt-in notice is hosted on our servers and cannot be changed by website owners. There is no sneaky way to force users into accepting this opt-in.”

For reference, here’s what an opt-in looks like (assuming you ever do see one):

CoinHive Opt-In

Why Webroot blocks cryptojacking sites

Unfortunately, criminals seem to have found methods to suppress or circumvent the opt-in—the compromised sites we’ve evaluated have never prompted us to accept these terms. Since CoinHive receives a 30% cut of all mining profits, they may not be too concerned with how their scripts are being used (or abused). This is very similar to the pay-per-install wrappers we saw a few years ago that were allegedly intended for legitimate use with user consent, but were easily abused by cybercriminals. Meanwhile, the authors who originated the wrapper code made money according to the number of installs, so the nature of usage—benign or malicious—wasn’t too important to them.

To protect our users from being exploited without their consent, we at Webroot have chosen to block websites that run these scripts. Webroot will also block pages that use scripts from any CoinHive copycats, such as the nearly identical Crypto-Loot service.

There are a few other ways to block these sites. You can use browser extensions like Adblock Plus and add your own filters (see the complete walkthrough here.) If you’re looking for more advanced control, extensions like uMatrix will allow you to pick and choose which scripts, iframes, and ads you want to block.

 

Update 12/13/17:

CoinHive scripts running rampant

If there was ever any doubt around the severity of this emerging threat and the overall nefarious use of CoinHive’s scripts, it can be put to rest. CoinHive engineers have now essentially admitted that they’ve “invented a whole new breed of malware,” according to a report in the German newspaper Süddeutsche Zeitung.

With the continued price surges in Monero, and the cryptocurrecy market as a whole, it seems cryptojacking becomes a more lucrative opportunity for cybercriminals with each passing day. And recent revelations have shown even more surreptitious methods being used by cryptojacking sites to evade user detection. One website was seen hiding a popup window underneath the Window’s task bar in order to continue mining after users believe they have closed their web browser, according to Bleeping Computer.

CoinHive’s cryptojacking script was even spotted on public WiFi at a Starbucks in Buenos Aires, according to BBC News.

Why You Should Use a VPN on Public WiFi

Reading Time: ~2 min.

Working remotely? It only takes a moment on a free WiFi connection for a hacker to access your personal accounts. While complimentary WiFi is convenient, protecting your connection with a VPN is the best way stay safe on public networks, keeping your data and browsing history secure.  

What is a VPN?

VPN stands for “virtual private network” and is a technology that can be used to add privacy and security while online. It’s specifically recommended when using public WiFi which is often less secure and is often no password protected.  

VPN’s act as a bulletproof vest for your internet connection. In addition to encrypting the data exchanged through that connection, they help safeguard your data and can enable private and anonymous web browsing. However, even if you’re using a VPN, you must still be careful about clicking on suspicious links and downloading files that may infect your computer with a virus. Protecting yourself with antivirus software is still necessary.

 

Five ways free antivirus could cost you

When and why should you use a VPN?

When checking into your hotel, connecting to the WiFi is often one of the first things you do once settling in. While it may sound like a tempting offer, logging in to an unsecured connection without a VPN is a very bad idea. In July, ZDNet reported the return of hacker group DarkHotel which aims to target hotel guest’s computers after they have logged on to the building’s WiFi. Once compromising a guest’s WiFi, the hacker group can then leverage a series of phishing and social engineering techniques to infect targeted computers. 

Traveling and lodging is just one example of when you can use a VPN to help stay secure and avoid potential attacks, however anyone can benefit from using a VPN.  

From checking Facebook on an airport hotspot, accessing your company files while working remotely or using an open network at your local coffee shop, regardless of the scenario, using a public WiFi can potentially put the data you’re sending over the internet at risk.

Two-Factor Authentication: Why & How You Should Use it

Reading Time: ~3 min.

Conventional wisdom about passwords is shifting, as they are increasingly seen as a less-than-ideal security measure for securing digital accounts. Even the recommended rules for creating strong passwords were recently thrown out the window. Average users are just too unreliable to regularly create secure passwords that are different across all accounts, so using technology to augment this traditional security is imperative.

From online banking to email to cloud-based file storage, much of our high-value information is in danger if a hacker gains access to our most frequently visited sites and accounts. That’s where two-factor authentication comes in.

Two-factor authentication (2FA) adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are is an added layer of security. Each layer of security that you add, exponentially increases protection from unauthorized access.

Three categories of two-factor authentication:

  1. Something you know, such as a password.
  2. Something you have, such as an ID card, or a mobile phone.
  3. Something you are, a biometric factor such as a fingerprint.

The two factors required should come from two different categories. Often, the second factor after entering a password is a requirement to enter an auto-generated PIN code that has been texted to your mobile phone. This combines two different types of knowledge: something you know (your password) and something you have (your mobile phone to receive a code in SMS text or code from a 2FA app).

Protect accounts with an extra layer of security

Popular social media sites, including Twitter, Facebook, Instagram and Pinterest, have added 2FA to help protect users. In addition, you may have noticed that services from companies such as Apple, Google and Amazon will notify you via email each time you log in from a different device or location.

While 2FA from an SMS text message is popular and much more secure than a password alone, it is one of the weaker types of 2FA. This is because it’s relatively easy for an attacker to gain access to your SMS texts. When you log in to your account and it prompts for a SMS code, the website then sends the code to a service provider and then that goes to your phone.

This is not as secure as everyone thinks, because the phone number is the weakest link in the process. If a criminal wanted to steal your phone number and transfer it to a different SIM card, they would only need to provide an address, the last four digits of your social security number, and maybe a credit card number.

This is exactly the type of data that is leaked in large database breaches, a tactic to which most Americans have fallen victim at some point or another. Once the attacker has changed your phone number to their SIM card, they essentially have your number and receive all your texts, thus compromising the SMS 2FA.

 

Do you live in one of the most-hacked states?

 

Many people are guilty of using weak passwords or the same login information across several accounts, and if this sounds like you, we recommend that you use authenticator apps such as Google Authenticator and Authy. These apps are widely supported and easy to setup.

Simply go to the “account settings” section on the site you want to enable. There should be an option for 2FA if it is supported. Use the app on your phone to scan the QR code and, just like that, it’s configured to give you easy six-digit encrypted passwords that expire every 30 seconds.

What happens when you’re not using sites that have 2FA enabled? Quite simply, security is not as tight and there’s a higher risk of a hacker gaining access to your accounts. Depending on what is stored, your credit card information, home address, or other sensitive data could be stolen and used to commit fraud or sold on the DarkWeb.

And until passwords are put to death completely, be sure to heed a few safety tips from Gary Hayslip, Webroot CISO, in addition to using two-factor authentication:

“Change passwords periodically, do not recycle passwords, don’t use the same password for your social media account and your bank account, and finally store your passwords in a safe place. Consider using some type of password vault program, avoid keeping passwords on a Post-it note under your keyboard, on your monitor or in a drawer near your computer.” – Webroot CISO Gary Hayslip

Public Safety in a Connected World

Reading Time: ~2 min.

The U.S. electrical grid is in “imminent danger” from cyberattacks according to a report from the U.S. Energy Department released earlier this year. Such an attack would put much of the infrastructure that we rely on for public safety and basic services in jeopardy—electricity, water, healthcare, and communications systems, among others.

Just last week, an email was sent to energy and industrial firms by the DHS and FBI warning of hacking groups targeting critical infrastructure in the “energy, nuclear, water, aviation, and critical manufacturing sectors.”

Great power, great responsibilty

While the networked technology behind this infrastructure empowers our society, it also exposes us to new risks. Most people are aware of the cyber threats facing our personal mobile devices, home computers, and smart appliances. But the risks to public safety on a larger scale are less well known. Commitment to securing this brave new world is critical if we are to avoid serious public safety problems.

Cyberattacks targeting our critical infrastructure reveal our shared responsibility in securing the networks we depend on each and every day in our connected world. 

Ransomware attacks—when cybercriminals hack a computer, encrypt the files and hold them hostage—pose a particularly dangerous threat for public infrastructure.  It is estimated that ransomware has resulted in billions of dollars of losses in the last year alone, according to our June 2017 Quarterly Threat Trend Report.

Already this year, we’ve seen several major ransomware attacks on government entities, including counties, cities and multiple police departments leading to major disruptions in services like emergency response times, video surveillance and emergency radio transmissions.

 

Do you live in one of the most-hacked states?

 

In June, an infamous cyberattack dubbed NotPetya hit Europe, affecting workplaces and public domains. This attack mirrored its predecessor named Petya (a type of ransomware), except this new incarnation used “EternalBlue to target Windows systems—the same exploit behind the infamous WannaCry attack.” It also differed from other popular ransomware attacks by denying user access and attacking low-level structures on the disk. This Petya-based attack targeted employees at one of the world’s largest advertising agencies, as well as oil companies, shipping companies and banks. A new ransomware attack that emerged this week named Bad Rabbit also appears to be linked to the NotPetya attack.

As advanced threats such as ransomware continue to evolve in sophistication, they present a more imminent threat to the systems and services we rely on for public safety. Cyberattacks targeting our critical infrastructure reveal our shared responsibility in securing the networks we depend on each and every day in our connected world. 

Get tips on becoming a more proactive and prepared citizen with our “One Wrong Click” infographic.

Page 1 of 612345...Last »