Home + Mobile

Streaming Safer Means Streaming Legally

Reading Time: ~ 2 min.

It’s been more than a decade since Netflix launched its on-demand online streaming service, drastically changing the way we consume media. In 2019, streaming accounts for an astonishing 58 percent of all internet traffic, with Netflix alone claiming a 15 percent share of that use. But as streaming has become more common, so has the exploitation of streaming technologies. Some consumers stream illegally to cut costs, perceiving it to be a victimless crime. But as the saying goes: there’s no such thing as a free lunch. Streaming is no exception.

Jailbreak!

By downloading illegal streaming apps from third-party sources (i.e. outside of the Apple® App Store or Google™ Play), users may think they’re capitalizing on a clever loophole to access free services. However, according to a startling study conducted by Digital Citizens, 44 percent of households using pirated streaming services experienced a cybersecurity breach of one or more of their devices. That means if you use any type of illegal streaming device or app, you are six times more likely to fall victim to a cybersecurity attack than households using legal streaming services. Since a reported 12 million homes (in North America alone) are actively using pirated streams, that means illegal streaming may have led to up to 5 million potentially undetected breaches.

Why are illegal streams so attractive to cybercriminals? Because you’re probably streaming using devices and applications that are connected to your home network. Unfortunately, the firewall on the average home router does not provide adequate security against attacks. Any malware introduced by the streaming software is likely able to get through successfully. If you’re using a Windows® computer or device, that means the malware can infiltrate not only the device you’re actively using, but also any other Windows devices using the same internet connection. By spreading itself across multiple devices, malware makes its own removal that much more difficult. Pair these details with the fact that illegal streaming users are less likely to report a malicious app, and illegal streams provide a haven for cybercriminals in which they can easily attack users, infect their machines, steal their data, and hold their files for ransom.

Cybersecurity breaches caused by illegal streaming can manifest in many ways. For example, a popular illegal movie and live sports streaming app was observed scraping the connected WiFi name and password, as well as other sensitive information, according to ThreatPost.

How You Can Stream Safer

Ultimately, nobody can guarantee the security of an illegal stream. The truth is that legal streaming is the only safer streaming. That doesn’t mean you have to go through the giants, like Netflix or Hulu. Users can now access many low-cost, legal streaming options—including a few that are ad-supported and are actually free. So why put yourself and your family at risk for the sake of an illegal stream?

If you’re worried that someone with access to your WiFi network may be streaming illegally, thereby putting you and your devices in danger, make sure all of your devices are using up-to-date antivirus software to help stop cyberattacks and prevent malware infections. More importantly, talk with your family and friends about the real cost of “free” streaming. They’ll be more cautious once they fully understand the risks.


Looking for more home security education? Check out our Home + Mobile playlist on YouTube.


Global Privacy Concerns: The World’s Top Five Cities Using Invasive Technology

Reading Time: ~ 4 min.

Cities are expanding their technological reach. Many of their efforts work to increase public protections, such as using GPS tracking to help first responders quickly locate the site of a car accident. But, in the rush for a more secure and technologically advanced city, privacy can fall by the wayside. We’ve reviewed the top cities around the world that are using technologies that may invade citizens’ privacy, so you know what to expect and what you can do. 

Big brother in Beijing, China 

China is infamous for its mass surveillance, with Beijing often serving as a testing ground for new surveillance software. The Chinese government uses internet monitoring, GPS tracking, and the “world’s biggest camera surveillance system”, with more than 170 million CCTV cameras to monitor the country’s populace. These CCTV cameras are backed by powerful facial recognition algorithms, which can track an individual down in just seven minutes. It is safe to say that you are probably being monitored anywhere you travel while in China, but a general rule is that, the higher the population, the more surveillance there is.  

The town of Yizhuang has more than 2,243 high definition security cameras, 277 vehicle recognition cameras, and 267 facial recognition cameras. It also features six patrol vehicles with mobile cameras, and enforcement officers equipped with video capture equipment. Each of these cameras is sending live video streams to a main control center 24/7—all to monitor a single 11-square-mile suburb of Beijing. 

Beijing is also preparing to roll out a social credit system in 2020. This system will award personal trustworthiness points to citizens and businesses based on their financial credit scores, as well as their personal and professional behavior. In the meantime, how the Chinese government plans to use this system to reward or punish its citizens remains a mystery. 

Always watching in Moscow, Russia 

Not one to be outdone, Russia has also embraced mass CCTV surveillance. Moscow alone has more than 170,000 cameras, making it the most surveilled city in Russia. Facial recognition software is paired with this massive network of cameras to track down persons of interest, though exactly what defines a “person of interest” is somewhat nebulous. In fact, Moscow officials recently admitted that they “can now trace the debtors’ movements,” thanks to this massive network of CCTV cameras. He declined to comment on the number of debtors who have been traced using this technology, or the severity of their debts.

Mass monitoring in Darwin, Australia 

Darwin, Australia is piloting a surveillance system similar to the technologies used in China, with some warning that it could evolve into a social credit system. Darwin has installed poles throughout the city outfitted with speakers, cameras, and WiFi. These monitoring stations track people and their movements all around the city, and are aided by facial recognition software. They can even respond to triggers, such as when a specific individual breaches a “virtual fence.” 

“We’ll be getting sent an alarm saying, ‘There’s a person in this area that you’ve put a virtual fence around.’ … Boom, an alert goes out to whatever authority, whether it’s us or police to say ‘Look at camera five,’” said Josh Sattler, the Darwin Council’s General Manager for Innovation, Growth, and Development services in an article with NT News.  

This system also tracks mobile phone use, web traffic, and mobile app usage—but only to help local businesses, of course. 

“[It will tell us] where people are using WiFi, what they’re using WiFi for, are they watching YouTube, etc., all these bits of information we can share with businesses… we can let businesses know ‘Hey, 80 percent of people actually use Instagram within this area of the city, between these hours,’” said Sattler. 

‘I spy’ in New York City, USA 

In an effort to assist its police force, NYC has turned to the world’s largest surveillance technology company—the Chinese state-owned Hikvision—to install the same surveillance tools being used in China. Thousands of surveillance cameras have been operating in New York City since 2014, using the same facial recognition software that enables law enforcement in Beijing to locate and track individuals within the city. These cameras are equipped with infrared sensors that help capture high resolution images even in very low light. The NYPD has direct access to this surveillance network, and monitors the footage remotely to avoid showing an obvious police presence. The full extent of the surveillance in New York is unknown, but reports indicate the NYPD is using these products on a “large scale.” 

Small-town surveillance in Hillsboro, USA 

Hillsboro, Oregon is the smallest city on this list, with a population of just over 100,000. So why is such a small town on the same list as places like Beijing, Moscow, and New York? The Washington County Sheriff’s Office, which presides over Hillsboro, recently became the first law enforcement agency in the United States to use Amazon’s AI-powered facial recognition tool, Rekognition. As this is the first real-world test of this technology, its accuracy is hotly debated. Many experts argue that this technology will likely lead to the wrongful arrest of innocent people whose only crime is bearing a resemblance to the accused. 

More than 300,000 mug shots taken at the Washington County jail have been uploaded into the Rekognition system. These pictures can be cross-referenced with images from a security camera, social media accounts, or even a deputy’s mobile device—without requiring a warrant. More than 1,000 facial recognition searches were logged into the Rekognition system by the Washington County Sheriff’s Office, but public records requests show that only nine official case reports mention the use of the tool. Washington County deputies are under no imperative to note when facial recognition software assisted with an arrest, so we have no way to judge how accurate the system is. 

Your Privacy is Your Concern 

While the only way to avoid detection through the facial recognition algorithms is to hide or alter your face, there are some precautions you can take to protect your privacy when visiting these cities. As an example, you can easily obscure your digital traffic, which can help prevent the kind of tracking reported in Darwin. Strong encryption is your best protection against privacy-invasive cities. Research a reliable VoIP and text messaging encryption service, and invest in a trusted VPN to shield your web and mobile traffic. Encryption may not stop state actors from intercepting your data, but it will make it nearly impossible for them to interpret it.

Have other tips for protecting your privacy while traveling? Let us know in the comments. 

A Cybersecurity Guide for Digital Nomads

Reading Time: ~ 3 min.

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means their favorite coffee shop or co-working space. For others, it means an idyllic beach in Bali or countryside public house. One thing remains true wherever a digital nomad may choose to lay down their temporary roots: They are at a higher cybersecurity risk than a traditional worker. So what risks should they look out for? 

Public WiFi

Without a doubt, public WiFi is one of the main cybersecurity hazards many digital nomads face. The massive and unresolved flaw in the WPA2 encryption standard used by modern WiFi networks means that anyone connecting to a public network is putting themselves at risk. All public WiFi options—including WiFi provided by hotels, cafes, and airports—pose the risk of not being secure. How can a digital nomad be digital if their main source of internet connectivity is a cybersecurity minefield?

When connecting to public WiFi as a digital nomad, it is crucial to keep your web traffic hidden behind a virtual private network (VPN). A quality VPN app is simple to set up on your mobile devices—including laptops and smart phones—and uses a strong encryption protocol to prevent hackers and other snoops from stealing important personal information such as account passwords, banking information, and private messages. VPNs will keep your data encrypted and secure from prying eyes, regardless of locale.

Device Theft

Physical device theft is a very real risk for digital nomads, but one that can largely be avoided. The first and most obvious step to doing so is to never leave your devices unattended, even if your seatmate at the coffee shop seems trustworthy. Always be mindful of your device visibility; keeping your unattended devices and laptop bags locked away or out of sight in your hotel room is often all it takes to prevent theft. Purchasing a carrying case with a secure access passcode or keyed entry can also act as an additional deterrent against thieves looking for an easy mark. 

If your device is stolen, how can you prevent the damage from spiraling? Taking a few defensive measures can save digital nomads major headaches. Keep a device tracker enabled on all of your devices—smartphones, tablets, and laptops. Both Apple and Android have default services that will help you locate your missing device.  

But this will only help you find your property; it won’t prevent anyone from accessing the valuable data within. That’s why all of your devices should have a lock screen enabled, secured with either a PIN or a biometric ID, such as your fingerprint. If you believe these efforts have failed and your device is compromised, enabling multi-factor authentication on your most sensitive accounts should help reduce the effect of the breach.

However, if you cannot recover your device, remotely wiping it will prevent any additional data from being accessed. If you have a device tracker enabled, you will be able to remotely wipe your sensitive data with that software. If you’re using a data backup solution, any lost files will be recoverable once the status of your devices is secure.

Lower Your Risk

Being a digital nomad means that you’re at a higher risk for a breach, but that doesn’t mean you can’t take steps to lower that risk. These best practices could drastically reduce the risk incurred by leading a digitally nomadic lifestyle. 

  • Toggle off. Remember to always turn off WiFi and Bluetooth connectivity after a session. This will prevent accidental or nefarious connections that could compromise your security. 
  • Mindfulness. Be aware of your surroundings and of your devices. Forgetting a device might be an acceptable slip up for most, but for a digital nomad it can bring your lifestyle to a grinding halt. 
  • Be prepared. Secure your devices behind a trusted VPN before beginning any remote adventures. This will encrypt all of your web traffic, regardless of where you connect.  
  • Stop the spread. In case of a device or account breach, strong passwords and multi-factor authentication will help minimize the damage. 

A staggering 4.8 million Americans describe themselves as digital nomads, a number that won’t be going down anytime soon. With remote work becoming the new norm, it’s more important than ever that we take these cybersecurity measures seriously—to protect not just ourselves, but also our businesses and clients. Are you a digital nomad making your way through the remote-work landscape? Let us know your top tips in the comments below! 

A False Sense of Cybersecurity: The Riskiest States in America

Reading Time: ~ 5 min.

Like many Americans, you might think your online habits are safe enough—or, at least, not so risky as to put you in danger for cybercrime. As it happens, most of us in the U.S. are nowhere near as secure as we think we are.

As part of our recent survey to better understand people’s attitudes, perspectives, and behaviors relating to online cyber-safety (or “cyber-hygiene”), we calculated each state’s cyber-hygiene score, which you can think of like a test score on people’s understanding and practice of good online habits. I’ve repaired computers and worked in the cybersecurity business for almost 15 years now, and I was shocked by some of the results.

Cut to the chase: just how bad were the results?

Bad. The average across all 50 states was only 60% (that’s a D in letter grades) on our scale. In fact, only 10% of Americans got a 90% or higher (i.e. an A). The riskiest states—Mississippi, Louisiana, California, Alaska, and Connecticut—combined for an average score of 56%. So what made their scores so low?

  • In Mississippi, almost 1 in 4 people don’t use any kind of antivirus and don’t know if they’ve ever been infected by malware.
  • Only 44% of Louisiana residents take any precautions before clicking links in emails, leaving themselves vulnerable. (This is a great way to get scammed by a phishing email and end up with a nasty infection on your computer.)
  • Over 43% of Californians and Alaskans share their passwords with friends or family.

What does people’s perception vs. reality look like?

Americans in every state were overconfident. An astounding 88% feel they take the right steps to protect themselves. But remember, only 10% of people scored an A on our test, and the highest scoring state (New Hampshire) still only got an average of 65% (that’s still only a D).

While the average American has a surface-level understanding of common cyber threats, there’s a lot of room for education. Many of those interviewed have heard of malware (79%), phishing (70%), and ransomware (49%), but few could explain them. Defending against the most common online threats in today’s landscape requires a basic understanding of how they work. After all, the more cyber aware you are of an attack such as phishing, the greater chance you have to spot and avoid it.

Along with understanding common cyberattacks, it’s also important to recognize threats to your online privacy. An alarming number of Americans don’t keep their social media accounts private (64%) and reuse their passwords across multiple accounts (63%).

Given the number of news reports involving major companies getting breached, huge worldwide ransomware attacks, etc., we were pretty surprised by these numbers. As you’re reading these, you might be checking off a mental list of all the things you do and don’t know, the actions you do and don’t take when it comes to cybersecurity. What’s important here is that this report should act as a reminder that understanding what kinds of threats are out there will help you take the proper precautions. And, following a few simple steps can make a huge difference in your online safety.

How about some good news?

There is good news. There are some who scored a 90% or above on our test. We call them Cyber-Hygiene Superstars, because they not only take all the basic steps to protect themselves and their data online, but they go above and beyond. Cyber-Hygiene Superstars are evenly spread across the entirety of the U.S., and they help demonstrate to the rest of us that it’s easy to raise our own cyber-hygiene scores.  

Some of the standout behavior of superstars included regularly backing up their data in multiple ways, always using antivirus, and using a VPN when connecting to public WiFi hotspots.

Superstars can also explain common attacks and are less likely to fall victim to phishing attacks and identity theft. They frequently monitor their bank and credit card statements and regularly check their credit scores.

What can you do to improve your cyber-hygiene score?

All in all, it’d be pretty easy for the average American to take their score from a D to at least a B, if not higher. You won’t have to do anything drastic. But just making a few small tweaks to your regular online behavior could work wonders to keep you and your family safe from cybercrime.

  1. Use antivirus/antimalware software.
    There are a lot of free solutions out there. While you typically get what you pay for in terms of internet security, even a free solution is better than no protection at all.
  2. Keep all your software and your operating system up to date.
    This one’s super easy. Most applications and operating systems will tell you when they need an update. All you have to do is click OK instead of delaying the update to a later date.
  3. Don’t share or reuse passwords, and make sure to use strong ones.
    You might think password sharing is no big deal, especially when it comes to streaming or gaming sites, but the more you share, the more likely it is that your passwords could end up being misused. And if the password to just one of your accounts is compromised, then any of your other accounts that use that password could also become compromised. If you’re concerned about having to create and remember a lot of unique passwords, use a secure password manager.
  4. Lock down your social media profiles.
    Making your posts and personal details public and searchable means scammers can find your details and increase their chances of successfully stealing your identity or tricking you into handing over money or sensitive personal information.
  5. If you connect to public WiFi, use a VPN.
    Antivirus software protects the device, but a VPN protects your actual connection to the internet, so what you do and information you send online stays private.
  6. Back up your data.
    Cloud storage is a great solution. But it’s a good idea to do a regular physical backup to an external drive, too, particularly for important files like tax documents.
  7. Don’t enable macros in Microsoft® Office documents.
    If you’re ever trying to open a document and it tells you to enable macros, don’t do it. This is a common tactic for infections.
  8. Use caution when opening email attachments.
    Only open attachments from people you know and trust, and, even then, be extra careful. If you’re really not sure, call the person and confirm that they really sent the file.

Want to see where your state ranks? See the full list or read more about our study and findings here.

Test your knowledge and see where the Webroot Community stacks up against the rest of America: Join our daily contest for a chance to win prizes! Contest ends at 4:00pm MT on May 21, 2019.

Methodology
Webroot partnered with Wakefield Research to survey 10,000 Americans, ages 18 and up, with 200 interviews in each of the 50 states. This survey was conducted between February 11 and February 25, 2019, using an email invitation and an online survey instrument. The margin of error is +/- 0.98 percentage points for the total audience of this study and +/- 6.9 percentage points for each state at the 95% confidence level.

Antivirus vs. VPN: Do You Need Both?

Reading Time: ~ 3 min.

Public concern about online privacy and security is rising, and not without reason. High-profile data breaches make headlines almost daily and tax season predictably increases instances of one of the most common types of identity theft, the fraudulent filings for tax returns known as tax-related identity theft.

As a result, more than half of global internet users are more concerned about their safety than they were a year ago. Over 80% in that same survey, conducted annually by the Center for International Governance Innovation, believe cybercriminals are to blame for their unease.  

Individuals are right to wonder how much of their personally identifiable data (PII) has already leaked onto the dark web. Are there enough pieces of the puzzle to reconstruct their entire online identity?

Questions like these are leading those with a healthy amount of concern to evaluate their options for enhancing their cybersecurity. And one of the most common questions Webroot receives concerns the use of antivirus vs. a VPN.  

Here we’ll explain what each does and why they work as complements to each other. Essentially, antivirus solutions keep malware and other cyber threats at bay from your devices, while VPNs cloak your data by encrypting it on its journey to and from your device and the network it’s communicating with. One works at the device level and the other at the network level.

Why You Need Device-Level Antivirus Security 

Antiviruses bear the primary responsibility for keeping your devices free from infection. By definition, malware is any software written for the purpose of doing damage. This is the category of threats attempting to undermine the antivirus (hopefully) installed on your PC, Mac, and yes, even smartphones like Apple and Android devices, too.  

In an ever-shifting threat landscape, cybercriminals are constantly tweaking their approaches to getting your money and data. Banking Trojans designed specifically for lifting your financial details were among the most common examples we saw last year. Spyware known as keyloggers can surreptitiously surveil your keystrokes and use the data to steal passwords and PII. A new category of malware, known as cryptojackers, can even remotely hijack your computing power for its own purposes.

But the right anti-malware tool guarding your devices can protect against these changing threats. This means that a single errant click or downloaded file doesn’t spell disaster. 

“The amazing thing about cloud-based antivirus solutions,” says Webroot threat analyst Tyler Moffitt, “is that even if we’ve never seen a threat before, we can categorize it in real time based on the way it behaves. If it’s determined to be malicious on any single device, we can alert our entire network of users almost instantaneously. From detection to protection in only a few minutes.”

Why You Need Network-Level VPN Security 

We’ve covered devices, but what about that invisible beam of data traveling between your computer and the network it’s speaking to? That’s where the network-level protection offered by a VPN comes into play.  

While convenient, public networks offering “free” WiFi can be a hotbed for criminal activity, precisely because they’re as easy for bad actors to access as they are for you and me. Packet sniffers, for instance, can be benign tools for helping network admins troubleshoot issues. In the wrong hands, however, they can easily be used to monitor network traffic on wireless networks. It’s also fairly easy, given the right technical abilities, for cybercriminals to compromise routers with man-in-the-middle attacks. Using this strategy, they’re able to commandeer routers for the purpose of seeing and copying all traffic traveling between a device and the network they now control.  

Even on home WiFi networks, where you might expect the protection of the internet service provider (ISP) you pay monthly, that same ISP may be snooping on your traffic with the intent to sell your data.  

With a VPN protecting your connection, though, data including instant messages, login information, social media, and the rest is encrypted. Even were a cybercriminal able to peek at your traffic, it would be unintelligible.  

“For things like checking account balances or paying bills online, an encrypted connection should be considered essential,” says Moffitt. “Without a VPN, I wouldn’t even consider playing with such sensitive information on public networks.”

How Webroot Can Help 

Comprehensive cybersecurity involves protecting both data and devices. Antivirus solutions to protect against known and unknown malware—like the kinds that can ruin a laptop, empty a bank account, or do a cybercriminal’s bidding from afar—are generally recognized as essential. But for complete protection, it’s best to pair your antivirus with a VPN—one that can shield your data from intrusions like ISP snooping, packet sniffers, and compromised routers.

Click the links for more information about Webroot SecureAnywhere® antivirus solutions and the Webroot® WiFi Security VPN app.  

The Evolution of Cybercrime

Reading Time: ~ 4 min.

From Landline Hacking to Cryptojacking

By its very nature, cybercrime must evolve to survive. Not only are cybersecurity experts constantly working to close hacking loopholes and prevent zero-day events, but technology itself is always evolving. This means cybercriminals are constantly creating new attacks to fit new trends, while tweaking existing attacks to avoid detection. To understand how cybercrime might evolve in the future, we look back to understand how it emerged in the past. 

Cybercrime’s origins are rooted in telecommunications, with “hacker” culture as we know it today originating from “phone phreaking,” which peaked in the 1970s. Phreaking was the practice of exploiting hardware and frequency vulnerabilities in a telephone network, often for the purpose of receiving free or reduced telephone rates. As landline networks became more security savvy—and then fell out of favor—phone phreaking became less and less common. But it hasn’t been phased out completely. In 2018, a phone phreaker staged a series of creepy attacks in New York City WiFi kiosks, reminding us that the phreaks may have been forgotten, but they are certainly not gone. 

Cybercrime as we currently think of it began on November 2, 1988 when Robert Tappan Morris unleashed the Morris Worm upon the world. Much like Dr. Frankenstein, Morris did not understand what his creation was capable of. This type of self-replicating program had never been seen before outside of a research lab, and the worm quickly transformed itself into the world’s first large-scale distributed denial of service (DDoS) attack. Computers worldwide were overwhelmed by the program and servers ground to a halt. Although Morris quickly released the protocol for shutting the program down, the damage had been done. In 1989, Morris was the first to be prosecuted and charged in violation of the Computer Fraud and Abuse Act. 

At the turn of this century, we began to see a new era of malware emerge as email gave hackers a fresh access point. The infamous ILOVEYOU worm infected 50 million computers in 2000, corrupting data and self-propagating by exploiting a user’s email contacts. Given that the infected emails were coming from an otherwise trusted source, it forced many consumers to gain perspective on cybersecurity for the very first time. With antivirus software becoming a must-have for all computer owners, cybercriminals had to get inventive once again. 

Phishing Makes A Splash 

Phishing is the practice of tricking a user into willingly providing account logins or other sensitive information. This popular style of attack began with downloadable files through email, like the ILOVEYOU worm, but quickly grew more sophisticated. Phishing emails often imitate a trusted source, like an internet or phone service provider, and often include official-looking graphics, email addresses, and dummy websites to trick the user. In some cases, these phishing attacks are so convincing that even top government officials have been fooled—something we learned all too well in 2016 when the Democratic National Committee was breached.  

With the rise of social media, we have seen a new style of phishing attack that doesn’t appear to be going anywhere anytime soon. Messages from Facebook, Instagram, Twitter and other social media accounts are frequent and increasingly sophisticated sources of social media phishing. 

The Rise of Ransomware 

No history of cybercrime would be complete without an examination of ransomware, a type of malware that gains access to critical files and systems and encrypts them, blocking a user from accessing their own data. Perpetrators extort the user, threatening to permanently delete the data or—in some cases—expose incriminating or embarrassing information. While ransomware has been around for decades, encryption and evasion techniques have become increasingly refined, sometimes at the hands of state actors. One of the most infamous examples of ransomware is the WannaCry attack in 2017, in which North Korean hackers used exploits for the Windows operating system, developed by the United States National Security Agency, to attack more than 200,000 computers across 150 countries.

This made ransomware an international cybersecurity boogeyman, but it shouldn’t be your top concern. Webroot security analyst Tyler Moffitt explains why it’s a complicated strategy: 

“Ransomware requires criminals to execute a successful phish, exploit, or RDP breach to deliver their payload, bypass any installed security, successfully encrypt files, and send the encryption keys to a secure command-and-control server—without making any mistakes,” Moffitt said. “Then the criminals still have to help the victim purchase and transfer the Bitcoin before finally decrypting their files. It’s a labor-intensive process and leaves tracks that must be covered up.”  

Cryptojacking: the cutting edge? 

A more recent workaround for the hard work of ransomware? Cryptojacking. Cryptojacking works by embedding JavaScript code into a website, which can then harvest the processing power of all devices that visit that site, using device processors to mine cryptocurrency for the host. This resource theft drags systems down, but often stealthily enough to go undetected, a fact that makes it very attractive to hackers. The number of cryptojacked URLs detected more than doubled from September to December of 2018, and cryptojacking attacks have officially surpassed ransomware in prevalence.

“Cryptojacking costs basically nothing to pull off and has much less illegal footprint,” Moffitt said. “When criminals are leveraging victims’ hardware (CPU) and power for siphoned crypto, the profits are very appealing. Even with the volatility of crypto prices, large campaigns have been able to make hundreds of thousands of dollars in only a few months. It’s estimated that over 5% of the cryptocurrency Monero in circulation is the result of illicit mining.”  

Until recently, a cryptocurrency mining service called Coinhive was responsible for 60% of all cryptojacking attacks. Coinhive announced in early March 2019 that they would be shuttering the service. But this is by no means a death knell for cryptojacking—competitors are already rushing to fill the vacuum, not to mention inventing new ways to pivot off of existing cryptojacking techniques.
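Because cryptojacking arrives as JavaScript embedded in a page, a site owner or proxy operator can scan served HTML for it. The sketch below is an added example, not Webroot code: the rule list is an assumption built around Coinhive (the service named above) plus one generic heuristic, and every sample page is constructed.

```javascript
// Added example: static scan of page HTML for in-browser mining indicators.
// The rules are illustrative assumptions, not a complete indicator feed.

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

const RULES = [
  { // External script whose URL names the Coinhive library.
    id: "miner-library-src",
    severity: "high",
    test: (s) => /coinhive/i.test(s.src),
  },
  { // Inline code that constructs a Coinhive miner object.
    id: "miner-api-call",
    severity: "high",
    test: (s) => /\bCoinHive\.(Anonymous|User|Token)\s*\(/i.test(s.body),
  },
  { // Heuristic for renamed miners: WebAssembly + worker threads + a
    // WebSocket endpoint in one script. Legitimate apps can match too,
    // so this only asks for human review.
    id: "wasm-worker-websocket",
    severity: "review",
    test: (s) =>
      /\bWebAssembly\b/.test(s.body) &&
      /\bnew\s+Worker\s*\(/.test(s.body) &&
      /\bwss?:\/\//i.test(s.body),
  },
];

// Pull every <script> element out of the page as { src, body }.
function extractScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const srcMatch = SRC_ATTR.exec(m[1]);
    const src = srcMatch ? srcMatch[1] || srcMatch[2] || srcMatch[3] || "" : "";
    scripts.push({ src, body: m[2] });
  }
  return scripts;
}

// Return one finding per (script, rule) match, in document order.
function scanPage(html) {
  const findings = [];
  extractScripts(html).forEach((script, index) => {
    for (const rule of RULES) {
      if (rule.test(script)) {
        findings.push({
          script: index,
          rule: rule.id,
          severity: rule.severity,
          evidence: script.src || script.body.trim().slice(0, 60),
        });
      }
    }
  });
  return findings;
}

// Collapse findings into a single decision for a proxy or CI check.
function verdict(html) {
  const findings = scanPage(html);
  if (findings.some((f) => f.severity === "high")) return "block";
  return findings.length > 0 ? "review" : "clean";
}

// --- Constructed sample pages (not captured from any real site) ---
const CLEAN_PAGE = `<html><head><script src="/static/app.js"></script>
<script>const spell = new Worker("/js/spellcheck.js");</script></head>
<body>News</body></html>`;

const MINER_PAGE = `<html><body>
<script src="https://cdn.example.test/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER");</script>
</body></html>`;

const RENAMED_PAGE = `<html><body><script>
const w = new Worker("/js/w.js");
WebAssembly.instantiateStreaming(fetch("/js/h.wasm"));
const s = new WebSocket("wss://pool.example.test/ws");
</script></body></html>`;

for (const [name, page] of [["clean", CLEAN_PAGE], ["miner", MINER_PAGE], ["renamed", RENAMED_PAGE]]) {
  console.log(name, verdict(page), scanPage(page).map((f) => f.rule));
}
```

A static scan misses scripts that are injected or decoded at runtime, so pair it with the CPU-usage symptom the article describes.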

Being prepared for this next generation of cybercrime requires a few things from internet users. Keeping devices protected with antivirus software is a strong first step, but awareness of current threat trends is also helpful in preventing outside actors from viewing your data. Pairing antivirus software with a trusted VPN wraps your web traffic in a tunnel of encryption, shielding it from prying eyes. A double-pronged antivirus-plus-VPN defense will stop a majority of cybercrime in its tracks, but it’s by no means where your cybersecurity plan should end.  

The best tool you have against evolving cybersecurity threats? Ongoing education. Read Webroot’s 2019 Threat Report to prepare yourself against threats on the horizon, and check back for regular cybercrime updates. 

How To Keep Better Tabs on Your Connected Apps

Reading Time: ~ 4 min.

Not that long ago, before data breaches dominated daily headlines, we felt secure with our social media apps. Conveniently, every website seemed to allow logging in with Facebook or Twitter instead of creating a whole new password, and families of apps quickly became their own industry. Third-party apps and games on social media platforms (remember Farmville on Facebook?) were allowed profile access en masse. Trivia games, horoscope predictions, personality quizzes — all seemingly secure and engaging diversions — let social media users enable some type of third-party app.  

Unfortunately, we now know that this left many of us, and our data, exposed to a potential breach.

So we turned to Randy Abrams, Webroot’s Sr. Security Analyst, for insights on how to keep third-party app breaches in check. The trick to keeping yourself and your loved ones safe? Information silos, both on and off of social media. 

“As a rule, I leave my apps in silos, meaning I severely limit their connectivity level — especially when it comes to accessing my mobile device,” Abrams says. “Apps for email, texting, and calling people do have a reasonable need for access to your contacts on the phone. Most other apps, such as social media apps, do not need to be able to look up your unsuspecting friends.”

Limiting the access your apps have to their direct functions will help keep you and your loved ones safe. Here’s how to get it done. 

Mobile App Permissions 

Limiting your app’s permissions may seem like a chore, but it is the best way to keep breaches from expanding in scope. We’ve put together a mobile app permissions crash course to help you silo your sensitive data quickly and easily. 

For Android Users 

To monitor and edit an existing application’s accessibility permissions on your device, go to your Android’s settings and tap Apps & Notifications. From there, you will be able to locate all the applications that are active on your device. When you’ve located the application whose permissions you would like to edit, simply tap the app and then tap “Permissions” to view and edit its current permission settings. 

To review an application’s accessibility permissions before you install it on your device from the Google Play Store, tap on the app you’d like to install and click Read more to bring up its detail page. Scroll to the bottom and tap App permissions to review the app’s requested permissions. After you install and open the application for the first time, you will be prompted to allow or deny application permissions (like access to your contacts or location). You can always edit the application’s existing permissions later using the steps outlined above. 

For iOS Users 

To monitor and edit an existing application’s accessibility permissions on your device, go to the Settings app and tap Privacy to see all the permissions available on your phone (like location services and camera access). Select the permission set you would like to review to see all of the applications with access, and revoke any permissions you’re not comfortable with.

To review an application’s accessibility permissions at install, simply open the app and begin using it. The app will request permissions, which you can either allow or deny. You can always revoke permissions after they have been granted by following the steps outlined above. 

Preventing social media applications from gaining unnecessary access to your mobile data could help stop data breaches from spreading. But it won’t stop the breaches themselves from happening. Leaving apps enabled entails large-scale security issues — not only for ourselves, but also for friends and family connected with us through social media. When we connect apps to our social media profiles, we expose not just our information, but the shared information of a broader network of connections — one that expands well beyond our immediate circles. In a startling example, only 53 Facebook users in Australia downloaded Cambridge Analytica’s infamous thisisyourdigitallife app, but a total of 311,127 network connections had their data exposed through those users. That amount of collateral damage is nothing to scoff at. 

Removing Third Party Apps 

“Facebook is the company best known for leaking extensive amounts of data about users, usually by default privacy settings that allow third-party apps to access as much user data as possible,” says Abrams. “Most users had no idea they could control some of what is shared and would have a difficult time navigating the maze to the settings.” 

Facebook 

Facebook made a few reform efforts to help make managing third-party access to your account a little bit easier. Click on Settings from the account dropdown menu, and then select Apps and Websites. This should take you to a dashboard that will show your active, expired, and removed apps. It will also give you the option to turn off the capability for any third-party apps to connect with your profile. 

Twitter 

From your account dropdown, click on Settings and privacy. Click on the Apps and devices tab, which will show all of the apps connected to your account. You can see the specific permissions that each app has under the app name and description. To disconnect an app from your account, click the Revoke access button next to the app icon. 

Instagram 

From a web browser, log in to your account and click the gear icon next to the Edit Profile button. Select Authorized Apps to see all of the apps connected to your account. Click the Revoke Access button under an app to remove it from your account.

Building Secure Social Media Habits 

Monitoring the access levels of your connected apps is a good start to keeping yourself and your loved ones secure, but it’s not always enough. 

“It must be assumed that all third-party apps are collecting all of the information on the platform, regardless of privacy settings,” warns Abrams. 

Establishing secure social media habits will continue to help keep you secure after you’ve reviewed your app permissions. This means conducting regular audits of the third-party app permissions associated with all of your social media accounts and — slightly more arduously — thoroughly reading the privacy policies of any third party apps before you connect them. 

“If a person is going to use apps in conjunction with social media platforms, it’s important to understand their privacy policies,” says Abrams. “Unfortunately, with many apps, the privacy policy may not be shown until the app has been installed, and may not even be visible on the developer’s website. When the policy can be located, you’ll often find the user’s friends’ privacy is collateral damage in the agreement. It is up to the individual choosing to decide if their friends’ privacy is acceptable collateral damage. Unfortunately, few know how to obtain the information required to make an informed decision.

“Without reading the privacy policies you cannot know to what extent your friends’ private information will be shared,” adds Abrams. “Remember, it isn’t just their names you are sharing, it is part of the data aggregation they are already subjected to. Simply letting an app know you are friends provides more information than just their names. It helps app companies build more robust profiles.”

Stay Vigilant and Informed 

Don’t allow your data or your network to be used beyond your wishes or against your will. Take charge of your data security, and protect your friends by conducting regular audits of your third-party app permissions. Before you connect any new apps, settle down with a little light reading and thoroughly vet their privacy policy. Given how intertwined our digital lives have become, the cybersecurity of our closest friends and loved ones could well depend on it. 

Four Tips to Help Tidy Up Your Tech

Reading Time: ~ 3 min.

This spring, many of us will roll up our sleeves and get down to business decluttering our homes. Garage sales will be held, basement storage rooms will be re-organized, and donations will be made. 

Shouldn’t the same thing happen in our digital lives? After all, the average American will spend the bulk of their waking hours parked in front of some sort of screen—flipping, swiping, and clicking away. A little tidying up of data and online habits can go a long way toward enhancing your digital security and peace of mind.

So here are a few tips for tidying up your tech designed to make you ask not only: “Does this bring me joy?” but also, “Does this make me more secure?” If not, consider purging apps, connections, and permissions that could leave you more susceptible to a breach. If you answer yes, make sure you’re taking the necessary steps to protect it.

Turn off Bluetooth when it’s not in use

Since the BlueBorne family of vulnerabilities was discovered in 2017, deactivating Bluetooth when not in use has become standard security advice. With the increasing adoption of home IoT devices, the consequences of ignoring that advice have only risen.

Bluetooth connections are like a lonely person on a dating site; they’re in constant search of a connection. When Bluetooth-enabled devices connect to the wrong source—a cybercriminal’s device, say—they are vulnerable to exploitation.

“Smart speakers and other IoT devices may introduce convenience to our daily lives,” says Webroot Security Analyst Tyler Moffitt. “But they’re also a calculated risk, and even more so for knock-off devices whose manufacturers don’t pay proper attention to security. Minimizing the time Bluetooth is on helps to manage that risk.”

Or, as Webroot VP of engineering David Dufour put it to Wired magazine soon after the discovery of BlueBorne, “For attackers, it’s Candyland.”

Use a VPN to cloak your digital footprint

Shrouding your connection in a virtual private network (VPN) is especially important when accessing public or unsecured WiFi networks. Again, we make a trade-off between convenience and security when logging on to these “free” networks. 

Without additional protection, cybercriminals can spy on these unencrypted connections either by commandeering the router or by creating their own spoof of a legitimate WiFi hotspot, in a variation of a man-in-the-middle attack. From here, they’re free to monitor the data flowing between your device and the network. 

“It’s more than just the privacy violation of being able to see what you’re doing and where you’re going online,” Moffitt explains. “Cybercriminals can lift sensitive data like banking login credentials and drop ransomware or other malicious payloads like cryptojackers.”

A VPN encrypts your traffic before it leaves your device, so it stays unreadable as it passes through the router, ensuring your digital footprint is shielded from prying eyes.

Keep apps updated with the latest software

While some apps are inherently sketchy, and users shouldn’t expect the app creators behind them to prioritize security, others introduce vulnerabilities inadvertently. Responsible app developers address these security gaps through software updates.

Take the cultural phenomenon Fortnite, for example. The game that drove its parent company, Epic Games, to an $8 billion valuation was found at the beginning of the year to contain multiple vulnerabilities that would have allowed malicious actors to take over player accounts, make in-game purchases, and join conversations. Epic Games was quick to issue “a responsibly deployed” fix, but in this and similar instances, users are only protected after installing the suggested updates.

“I always recommend users keep both their apps and their mobile operating systems up to date,” says Moffitt. “This is made easier by turning on automatic updates wherever possible and only downloading apps from reputable app stores, so you increase the chances that updates are timely.”

For more tips on protecting your smartphone from mobile malware, see our complete list of recommendations here.

Set up automatic cloud backups

Purging unused apps is a good principle for spring cybersecurity cleaning – like a box of old clothes you haven’t worn in decades, unused apps represent digital data containers you no longer need. But what about all that data you’d hate to lose—the pictures, videos, documents, and other files you’d be devastated to see disappear? Protecting that trove of data is another core tenet for tidying up your tech.

Ransomware is one prime reason for keeping up-to-date backups of valuable data. It can strike anyone from college students to cities, and the list of those who’ve been burned is long and distinguished.

“The combination of an antivirus and a cloud backup and recovery solution is an effective one-two punch against ransomware,” Moffitt says. “On the one hand, you make your device more difficult to infect. On the other, you become a less attractive target because you’re unlikely to pay a ransom to recover data that’s already backed up to the cloud and out of reach for ransomware.”

Natural disasters and device theft—two contingencies even the tightest cybersecurity can’t account for—are prime reasons to make sure backups are in place sooner, rather than later. Cloud backup is more secure and affordable than ever, so it makes sense to back up anything you couldn’t stand to lose, before it’s too late. Want more tips for cybersecurity spring cleaning? Download Webroot’s full checklist for tidying up your tech.

Lock Down Your Digital Identity

Reading Time: ~ 3 min.

The last decade has been one of digital revolution, leading to the rapid adoption of new technology standards, often without the consideration of privacy ramifications. This has left many of us with a less-than-secure trail of digital breadcrumbs—something cybercriminals are more than aware of. Identity theft is by no means a new problem, but the technology revolution has created what some are calling a “global epidemic.”

Securing your digital identity is more important now than ever, and Webroot can help you start.

What is a Digital Identity?

The first step in locking down your digital identity is understanding what it is. A digital identity is the combination of any and all identifying information that can connect a digital persona to an actual person. Digital identities are largely comprised of information freely shared by the user, with social media accounts generally providing the largest amount of data. Other online services like Etsy and eBay, as well as your email and online banking accounts, also contribute to your digital identity. Realistically, any information that can be linked back to you, no matter how seemingly inconsequential, is part of your digital identity.

Digital Identity Theft

Digital identity theft occurs in several ways. A common tactic is social media fraud, where a hacker will impersonate a user by compromising an existing social media account, often messaging friends and family of the user requesting money or additional account information. If unable to gain full control of a genuine social media account, identity thieves will often set up a dummy social media account and impersonate the user using it.

A less widely known form of digital identity fraud is internet-of-things (IoT) identity theft, where an attacker gains access to an IoT device with weak security protocols and exploits it to gain access to a higher priority device connected to the same network. Another growing threat is “SIM swapping”—an attack that involves tricking a mobile provider into swapping a legitimate phone number over to an illegitimate SIM card, granting the attacker access to SMS-enabled two-factor authentication (2FA) codes.

Even those who don’t consider themselves targets should be aware of these tactics and take steps to lock down their digital identities.

Locking it Down

Reviewing your social media accounts’ privacy settings is one of the easiest things you can do to cut opportunistic identity thieves off from the start. Set your share settings to friends only, and scrub any identifying information that could be used to answer account security questions — things like your high school, hometown, or pets’ names. Only add people you personally know and if someone sends you a suspicious link, don’t click it! Phishing, through email or social media messages, remains one of the most prevalent causes of digital identity theft in the world. But your digital identity can be compromised in the physical world as well — old computers that haven’t been properly wiped provide an easy opportunity hackers won’t pass up. Always take your outdated devices to a local computer hardware store to have them wiped before recycling or donating them.

The Right Tools for the Job

This is just the start of a proper digital identity lock-down. Given the sensitive nature of these hacks, we asked Webroot Security Analyst Tyler Moffitt his thoughts on how consumers can protect their digital identities.

“Two-factor authentication in combination with a trusted virtual private network, or VPN, is the crown jewel of privacy lock-down,” Tyler said. “Especially if you use an authenticator app for codes instead of SMS authentication. A VPN is definitely a must… but you can still fall for phishing attempts using a VPN. Using two-factor authentication on all your accounts while using VPN is about as secure as you can get.”

2FA provides an additional level of security to your accounts, proactively verifying that you are actually the one attempting to access the account. 2FA often uses predetermined, secure codes and geolocation data to determine a user’s identity.

Because 2FA acts as a trusted gatekeeper, do your research before you commit to a solution. You’ll find some offerings that bundle 2FA with a secure password manager, making the commitment to cybersecurity a little bit easier. When making your choice, remember that using SMS-enabled 2FA could leave you vulnerable to SIM swapping, so though it is more secure than not using 2FA at all, it is among the least secure of 2FA strategies.

VPNs wrap your data in a cocoon of encryption, keeping it out of sight of prying eyes. This is particularly important when using public WiFi networks, since that’s when your data is at its most vulnerable. Many VPNs are available online, including some free options, but this is yet another instance of getting what you pay for. Many free VPNs are not truly private, with some selling your data to the highest bidder. Keeping your family secure behind a VPN means finding a solution that provides you with the type of comfort that only comes with trust.

The two things that only you can do to keep your identity secure? Constant vigilance and continuous education. Visit the Home+Mobile page on the Webroot blog for a host of resources to help keep you and your family safe online—at home and on the go. 

The Hidden Costs of ‘Free’ WiFi

Reading Time: ~ 3 min.

The True Cost of Free WiFi

Ease-of-access is a true double-edged sword. Like all powerful technologies, WiFi (public WiFi in particular) can be easily exploited. You may have read about attacks on publicly accessible WiFi networks, yet studies show that more than 70% of participants admit to accessing their personal email through public WiFi. WiFi vulnerabilities aren’t going away anytime soon—in 2017, the WPA2 security protocol used by essentially all modern WiFi networks was found to have a critical security flaw that allowed attackers to intercept passwords, e-mails and other data.

So what are the most commonly seen attacks via free WiFi, and how can we protect ourselves and our families? We turned to Tyler Moffitt, Webroot’s Sr. Threat Research Analyst, for answers.

Common Public WiFi Threats

“Criminals are either taking over a free WiFi hotspot at the router level, or creating a fake WiFi hotspot that’s meant to look like the legitimate one,” explained Moffitt. “The purpose of these man-in-the-middle attacks is to allow attackers to see and copy all of the traffic from the devices connected to the WiFi they control.”

Basic security protocols often aren’t enough to protect users’ data.

“Even with HTTPS sites where some data is encrypted, much of it is still readable,” Moffitt said. “Beyond just seeing where you surf and all the login credentials, criminals also have access to your device and can drop malicious payloads like ransomware.”

We are now seeing these attacks evolve, with cryptojacking becoming a particularly lucrative exploitation model for public WiFi networks. Cryptojacking is seen as a “low risk” attack as an attacker siphons a victim’s computer processing power, something far less likely to be detected and tracked than a traditional malware or ransomware attack. This was particularly notable in a 2017 cryptojacking attack that targeted Starbucks customers, which went uncorrected until Noah Dinkin—a tech company CEO—noticed a delay when connecting to the shop’s WiFi. Dinkin took it upon himself to investigate

It’s not just coffee shops that are being targeted. Airports, hotels, and convention centers are particularly prime targets due to their high traffic. To demonstrate the power of a targeted attack in a conference setting, a security experiment was conducted at the 2017 RSA Conference. Surprisingly, even at an IT security conference, white hat hackers were able to trick 4,499 attendees into connecting to their rogue WiFi access point. The targeting of high-traffic, travel-focused locations means that many frequent travelers will leave themselves exposed at some point by connecting to public WiFi options—even though they may know better.
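A venue that operates a hotspot can watch for the fake look-alike hotspot and rogue access point described above by comparing a WiFi scan against its own access point inventory. This is an added example, not Webroot code; the SSIDs, BSSIDs and scan rows are constructed, and how the scan is collected is left as an assumption.

```javascript
// Added example: flag access points that imitate the venue's hotspot.
// All network names and addresses below are constructed sample data.

// Inventory of access points the venue actually operates (assumption).
const KNOWN_APS = [
  { ssid: "CafeGuest", bssid: "02:00:00:aa:00:01", security: "WPA2" },
  { ssid: "CafeGuest", bssid: "02:00:00:aa:00:02", security: "WPA2" },
];

// Rows as a wireless scan might report them (constructed).
const OBSERVED = [
  { ssid: "CafeGuest", bssid: "02:00:00:AA:00:01", security: "WPA2" },
  { ssid: "CafeGuest", bssid: "02:00:00:bb:00:09", security: "Open" },
  { ssid: "Cafe Guest FREE", bssid: "02:00:00:cc:00:03", security: "Open" },
  { ssid: "CafeGuest", bssid: "02-00-00-AA-00-02", security: "Open" },
  { ssid: "NeighborNet", bssid: "02:00:00:dd:00:04", security: "WPA2" },
];

// Scanners disagree on case and separator, so normalize before comparing.
const normBssid = (b) => b.trim().toLowerCase().replace(/-/g, ":");

// Collapse case, spaces and punctuation: "Cafe Guest" -> "cafeguest".
const ssidSkeleton = (s) => s.toLowerCase().replace(/[^a-z0-9]/g, "");

function findRogueAps(known, observed) {
  const inventory = new Map(); // exact SSID -> Map(bssid -> AP record)
  const skeletons = new Map(); // SSID skeleton -> exact SSID
  for (const ap of known) {
    if (!inventory.has(ap.ssid)) inventory.set(ap.ssid, new Map());
    inventory.get(ap.ssid).set(normBssid(ap.bssid), ap);
    skeletons.set(ssidSkeleton(ap.ssid), ap.ssid);
  }

  const alerts = [];
  for (const seen of observed) {
    const bssid = normBssid(seen.bssid);
    const ours = inventory.get(seen.ssid);

    if (!ours) {
      // Different name: alert only if it contains one of our names once
      // case, spacing and punctuation are stripped.
      const skel = ssidSkeleton(seen.ssid);
      for (const [knownSkel, exact] of skeletons) {
        if (knownSkel.length > 0 && skel.includes(knownSkel)) {
          alerts.push({ bssid, ssid: seen.ssid, reason: "lookalike-ssid",
            detail: `imitates "${exact}"` });
          break;
        }
      }
      continue;
    }

    const expected = ours.get(bssid);
    if (!expected) {
      // Our exact network name, broadcast by hardware we do not own.
      alerts.push({ bssid, ssid: seen.ssid, reason: "unknown-bssid",
        detail: "SSID matches inventory, radio does not" });
    } else if (expected.security !== seen.security) {
      // A known address advertising different security suggests a
      // spoofed BSSID or a reconfigured access point.
      alerts.push({ bssid, ssid: seen.ssid, reason: "security-mismatch",
        detail: `expected ${expected.security}, saw ${seen.security}` });
    }
  }
  return alerts;
}

for (const a of findRogueAps(KNOWN_APS, OBSERVED)) {
  console.log(`${a.reason}: "${a.ssid}" from ${a.bssid} (${a.detail})`);
}
```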

How to Detect the Threat

What are the telltale signs of a compromised system?

“With cryptomining, you will definitely notice that your machine will start acting slow, the fans will kick on full blast, and the CPU will increase to 100 percent, usually the browser being the culprit,” Moffitt said. “But there are few signs of a man-in-the-middle attack, where wireless network traffic is spied on for credentials and financial information. You won’t notice a thing, as your computer is just connecting to the router like normal. All information is being observed by someone in control of the router.”

With one recent attack in 2018 alone affecting 500,000 WiFi routers, the need for WiFi security has never been stronger.

Protecting Yourself on the Go

You can take steps to keep your data secure, the first of which is making sure that you have a VPN installed and protecting your devices. Nothing else will as effectively encrypt and shield your traffic on a public network.

“Using a VPN is the most impactful way to combat the dangers of free WiFi,” Moffitt said. “Think of VPN as a tunnel that shelters all of your information going in and out of your device. The traffic is encrypted so there is no way that criminals can read the information you are sending.”

“I use a VPN on my phone when I’m on the go,” he continued. “It’s really easy to use and you make sure all your data is private and not visible to prying eyes.”

But be sure to research any VPN before you commit to ensure it is trustworthy. It’s important to review the vendor’s privacy policy to make sure the VPN does not monitor or retain logs of your activities. Remember that, with security software and apps, you generally get what you pay for.

“While free VPN apps will shield your data from the router you are connecting to, they may still spy on you and sell your information,” Moffitt said.

What does this all mean for you? If there is no such thing as free lunch, then there is definitely no such thing as free WiFi. The true cost just might be your online security and privacy.

Stay vigilant, secure all of your web traffic behind a trusted VPN, and check back here often for the latest in cybersecurity updates.

Avoid Unsecure IoT: Smart Device Shopping Tips

Reading Time: ~ 3 min.

“Internet of things” (IoT) is a term that’s becoming increasingly commonplace in our daily lives. Internet-connected devices are being designed and implemented at a rapid clip, especially in our own homes. The internet is not just at our fingertips anymore, but also at our beck and call with smart speakers and digital assistants.

It’s easy to see why we are drawn to these cool new devices. They promise to make our lives easier and the convenience associated with some of these devices is undeniable.

But at what point are we sacrificing security for convenience?

A Brave New World of IoT Devices

Internet-connected doorbells can beam a video feed to your phone so you can see who is at your door before deciding whether or not to open it. A smart refrigerator will alert you when supplies are running low or approaching expiration while you shop at the grocery store. Smart thermostats boost efficiency and deliver monthly savings on utilities. These functions have obvious appeal for consumers.

However, some devices on the market stretch their advertised utility and convenience. Smart salt shakers, for instance, deliver voice-controlled sodium so you can avoid the hassle of salting your food the old fashioned way. Smart toasters will burn the date and weather into your bread, lest you forget an umbrella and what day it is. But with each new “convenience” promised by smart devices comes the danger of ceding some of your security.

The underlying issue with the new and accelerating trend of buying more and more IoT devices is that the average consumer has little to no education about security when shopping for these devices. Even manufacturers can be blind to or willfully negligent of the security issues inherent to their IoT devices. It’s all about coolness and convenience—and that’s the trap.

Be Wary of Unsecure IoT

Many IoT devices have little to no embedded security, and there’s little incentive for designers to consider it. One reason for that is a lack of third-party standards for evaluating IoT security. Until now, the focus has been on producing a viable product that’s functional enough to get consumers to purchase it at the right price. The “right price” is usually as inexpensive as possible, and so some quality is sacrificed.

With IoT devices, that sacrifice usually comes at the expense of security vetting in the design process. As a result, one of the biggest trends we see with cheap IoT devices is a complete and total lack of security. It’s just not something that stands out in marketing materials, so manufacturers don’t promise it and consumers don’t demand it.

That’s why care is required when shopping for new IoT devices—especially cheap ones. IoT devices like smart thermostats, smart doorbells, et cetera, usually feature competing products with varying functionalities and prices. It’s common to peruse the fanciest, most expensive devices, and then purchase an off-brand device that offers similar functionality at a much lower price.

Vendors have flooded the IoT market with devices that have so-called “hardcoded passwords.” This means that, when setting up your device, the password given to you in the instructions is the same password for every device of that model and can’t be changed. Even if the device allows you to set up a custom password, the hardcoded password will still work to log into the device.

This is basically the opposite of security. It served as the principal attack vector for the infamous Mirai botnet attack a couple years ago. It’s also how hundreds of thousands of routers have been hacked to mine cryptocurrency. Even premium IoT devices like Google’s Nest are subject to attacks, but when properly set up and used—for example, by setting up two-factor authentication and not reusing compromised credentials—they tend to be safer than their knock-off counterparts.

It’s clear now that internet-connected devices will be a part of our lives for the foreseeable future. They will help run our cities, power our grids, and yes, manage our homes. But we must be aware of what we are connecting in our home and the security of each device. Vendor regulation will also need to play its part, something already underway in California, but there is plenty more ground to cover and no time to wait. For now, it’s on the consumer to scrutinize the IoT products they bring into their home, and security should be high on their checklist.

Make sure that any internet-connected devices you buy allow you to create custom passwords, as a start. It’s also wise to only shop from reputable vendors.

Taking caution will help ensure that your smart home isn’t an easy target for cybercriminals.

Common WordPress Vulnerabilities & How to Protect Against Them

Reading Time: ~ 3 min.

The WordPress website platform is a vital part of the small business economy, dominating the content management system industry with a 60% market share. It gives businesses the ability to run easily-maintained and customizable websites, but that convenience comes at a price. The easy-to-use interface has given even users who are not particularly cybersecurity-savvy a presence on the web, drawing cyber-criminals out of the woodwork to look for easy prey through WordPress vulnerabilities in the process.

Here are some of these common vulnerabilities, and how you can prepare your website to protect against them.

WordPress Plugins 

The WordPress Plugin Directory is a treasure trove of helpful website widgets that unlock a variety of convenient functions. The breadth of its offerings is thanks to an open submission policy, meaning anyone with the skill to develop a plugin can submit it to the directory. WordPress reviews every plugin before listing it, but clever hackers have been known to exploit flaws in approved widgets.

The problem is so prevalent that, of the known 3,010 unique WordPress vulnerabilities, 1,691 are from WordPress plugins. You can do a few things to impede your site from being exploited through a plugin. Only download plugins from reputable sources, and be sure to clean out any extraneous plugins you are no longer using. It’s also important to keep your WordPress plugins up-to-date, as outdated code is the best way for a hacker to inject malware into your site.

Phishing Attacks 

Phishing remains a favored attack form for hackers across all platforms, and WordPress is no exception. Keep your eyes out for phishing attacks in the comments section, and only click on links from trusted sources. In particular, WordPress admins need to be on alert for attackers looking to gain administrative access to the site. These phishing attacks may appear to be legitimate emails from WordPress prompting you to click a link, as was seen with a recent attack targeting admins to update their WordPress database. If you receive an email prompting you to update your WordPress version, do a quick Google search to check that the update is legitimate. Even then, it’s best to use the update link from the WordPress website itself, not an email.

Weak Administrative Practices 

An often overlooked fact about WordPress security: Your account is only as secure as your administrator’s. In the hubbub of getting a website started, it can be easy to create an account and immediately get busy populating content. But hastily created administrator credentials are a weak link in your cybersecurity, and something an opportunistic hacker will seize upon quickly. Implementing administrative best practices is the best way to increase your WordPress security.

WordPress automatically creates an administrator with the username of “admin” whenever a new account is created. Never leave this default in place; it’s the equivalent of using “password” as your password. Instead, create a new account and grant it administrative privileges before deleting the default administrator account. You’ll also need to change the easily located and often-targeted administrator URL from the default of “wp-admin” to something more ambiguous of your own choosing.

One of the most important practices for any WordPress administrator is keeping the WordPress version up-to-date. An ignored version update can easily become a weak point for hackers to exploit. The more out-of-date your version, the more likely you are to be targeted by an attack. According to WordPress, 42.6% of users are using outdated versions. Don’t be one of them.
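The checks from this section and from the plugin advice above can be run as one audit. The script below is an added example, not part of the original article or of WordPress: it assumes you have exported your site's users, plugins and pending core updates as JSON with WP-CLI (`wp user list`, `wp plugin list`, `wp core check-update`, each with `--format=json`), and the sample data and the `audit` function name are constructed for illustration.

```python
import json

# Constructed sample data in the shape WP-CLI prints with --format=json.
# None of it comes from a real site; plugin names and versions are made up.
USERS_JSON = '''[
 {"ID": 1, "user_login": "admin", "roles": "administrator"},
 {"ID": 2, "user_login": "j.rivera", "roles": "administrator"},
 {"ID": 3, "user_login": "guest-writer", "roles": "author"}
]'''
PLUGINS_JSON = '''[
 {"name": "contact-form", "status": "active", "update": "available", "version": "5.1"},
 {"name": "old-slider", "status": "inactive", "update": "none", "version": "2.0"},
 {"name": "seo-helper", "status": "active", "update": "none", "version": "12.3"}
]'''
CORE_UPDATES_JSON = '[{"version": "5.3", "update_type": "minor"}]'


def audit(users_json, plugins_json, core_updates_json):
    """Return a sorted list of (check, subject) findings for one site export."""
    findings = []
    for user in json.loads(users_json):
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        # The default "admin" login still holds administrator rights.
        if "administrator" in roles and user["user_login"].lower() == "admin":
            findings.append(("default-admin-login", user["user_login"]))
    for plugin in json.loads(plugins_json):
        if plugin.get("update") == "available":
            findings.append(("plugin-outdated", plugin["name"]))
        if plugin.get("status") == "inactive":
            # Installed but unused code still sits on disk: remove it.
            findings.append(("plugin-unused", plugin["name"]))
    # Assumption: an empty list (or empty output) means core is up to date.
    for update in json.loads(core_updates_json or "[]"):
        findings.append(("core-outdated", update["version"]))
    return sorted(findings)


if __name__ == "__main__":
    for check, subject in audit(USERS_JSON, PLUGINS_JSON, CORE_UPDATES_JSON):
        print(f"{check}: {subject}")
```

An empty result means none of these four checks fired; it does not cover the login URL or two-factor settings, which are not visible in these exports.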

Additional Security Practices 

The use of reputable security plugins like WordFence or Sucuri Security can add an additional layer of protection to your site, especially against SQL injections and malware attacks. Research any security plugins before you install them, as we’ve previously seen malware masquerading as WordPress security plugins. If your security plugin doesn’t offer two-factor authentication, you’ll still need to install a secure two-factor authentication plugin to stop brute force attacks. Keeping your data safe and encrypted behind a trusted VPN is also key to WordPress security, especially for those who find themselves working on their WordPress site from public WiFi networks.

WordPress is a powerful platform, but it’s only as secure as you keep it. Keep your website and your users secure with these tips on enhancing WordPress security, and check back here often for updates on all things cybersecurity.