Home + Mobile

What’s Next? Webroot’s 2019 Cybersecurity Predictions

At Webroot, we stay ahead of cybersecurity trends in order to keep our customers up-to-date and secure. As the end of the year approaches, our team of experts has gathered their top cybersecurity predictions for 2019. What threats and changes should you brace for?...

Cyber Monday: Big Savings, Big Risks

What business owners and MSPs should know about the year’s biggest online retail holiday It’s no secret that Black Friday and Cyber Monday are marked by an uptick in online shopping. Cyber Monday 2017 marked the single largest day of online sales to date, with...

Responding to Risk in an Evolving Threat Landscape

There’s a reason major industry players have been discussing cybersecurity more and more: the stakes are at an all-time high for virtually every business today. Cybersecurity is not a matter businesses can afford to push off or misunderstand—especially small and...

Webroot WiFi Security: Expanding Our Commitment to Security & Privacy

For the past 20 years, Webroot’s technology has been driven by our dedication to protecting users from malware, viruses, and other online threats. The release of Webroot® WiFi Security—a new virtual private network (VPN) app for phones, computers, and tablets—is the...

Unsecure RDP Connections are a Widespread Security Failure

While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP)...

3 Cyber Threats IT Providers Should Protect Against

With cybercrime damages set to cost the world $6 trillion annually by 2021, a new bar has been set for cybersecurity teams across industries to defend their assets. This rings especially true for IT service providers, who are entrusted to keep their clients’ systems...

What Separates Webroot WiFi Security from Other VPNs?

Reading Time: ~2 min.

Virtual Private Networks (VPNs) are quickly becoming a fundamental necessity for staying safe online. From large corporations to family households, people are turning to VPNs to ensure their data is encrypted end to end. But as with any emerging technology, it’s easy to become overwhelmed with new and untested VPN options. So, how does Webroot® WiFi Security distinguish itself from other VPNs?

Whether or not you can trust your VPN provider should be the first thing to consider when selecting a VPN. A recent analysis of nearly 300 mobile VPN services on the Google Play store found that, unlike Webroot WiFi Security, almost one in five didn’t encrypt data as it was transmitted through their private network, a core tenant of VPN protection. At Webroot we have decades of cybersecurity experience. We’ve built confidence with every customer, from the world’s leading IT security vendors to families just like yours. Security and privacy are what we do best, and Webroot WiFi Security was purpose-built to always encrypt your data without screening, storing, or selling your private information.

“New products from unknown companies can be risky—what data are they capturing, what are they doing with the data, and how are they protecting that information?” notes Andy Mallinger, Webroot director of product. “Webroot has been in the security business for more than 20 years, and has built machine learning-based security systems for more than a decade. We designed our products to evolve with the ever-changing threat landscape. Adding VPN protection with Webroot WiFi Security, is a perfect next step in our continued evolution.”

Best-in-class security

Webroot WiFi Security was built to provide best-in-class security, while still being easy to use. A one-click setup automatically enables security features without any confusion or missed steps. For extra security, Android®, Mac®, and Windows® users can enable Webroot WiFi Security’s unique “killswitch” feature. If your VPN connection is lost, the kill switch prevents the transmission of your data over an unsecure network until you are reconnected to the VPN.

“Webroot WiFi Security also helps protect your privacy by obscuring your location,” says Randy Abrams, senior security analyst at Webroot. “Websites are able to precisely pinpoint your location and use that information to track your browsing habits. With Webroot WiFi Security, you can be in Broomfield, Colorado, but your VPN IP address can make it look like you are in any one of the more than 30 countries where our VPN servers are located.”

Privacy plus security

Webroot WiFi Security also offers Web Filtering powered by BrightCloud® Threat Intelligence*. This feature provides an extra layer of protection that keeps your financial information, passwords, and personal files from being exploited. Webroot goes a step above other VPNs by safeguarding users from visiting malicious or risky websites known to be associated with malware, phishing, key logging spyware, and botnets. Web Filtering is a feature that the user can choose to enable or disable.

The combination of consumer trust and the power of best-in-class threat intelligence makes Webroot WiFi Security one of the most unique and secure VPN offerings on the market. Webroot has a deep history of protecting its customers’ privacy, and we are excited to showcase this dedication in the VPN market.

Ready to make the switch to Webroot WiFi Security? Learn more after the jump.

*The BrightCloud Web Filtering feature is only available on Windows®, Mac®, and Android® systems.

Charity Scams to Watch Out for During the Holidays

Reading Time: ~5 min.‘Tis the season of giving, which means scammers may try to take advantage of your good will. A surprising fact about American donation habits is that everyday folks like yourself are the single largest driver of charitable donations in the United States. Giving USA’s Annual Report on Philanthropy found that individuals gave $286.65 billion in 2017, accounting for 70 percent of all donations in the country.

Last year, Giving Tuesday donations alone grew by 22 percent, with an average household donation of $111. With the seventh annual Giving Tuesday on November 27 fast approaching and technology that makes it increasingly easier to support your favorite causes, it’s more important than ever to keep your guard up before you click the “donate” button.

Charity Scams

Unsolicited donation requests are fairly normal during the holiday season —especially since non-profits depend on year-end giving for the success of their organizations—but look out for a few behaviors as red flags. Overly aggressive pitches including multiple phone calls and emails, or high-pressure tactics that require your immediate donation, should always be avoided. Be on high alert for “phishy” emails and links; make sure to check the sender’s email address and hover over links to reveal their true destination before clicking on them. Even if a website looks legitimate, it may be a spoofed. Check that the domain matches the company you intended to visit. This can be trickier than it sounds. For instance, stjudehospital.com may appear to be genuine, but an easy Google search of “St. Jude Hospital” reveals their actual site to be stjude.org.

If you’re donating to a charity you’ve never worked with before, do a little research before committing your funds. Charity Navigator is a particularly useful resource; just type in the organization’s name and check out their rating. If they are not listed on Charity Navigator, it’s probably best to err on the side of caution and donate your hard-earned dollars elsewhere. Also, be sure to only enter sensitive or personal information into websites that have an SSL certificate; you’ll be able to tell if a page is secure if the link begins with “https”. (This is a great tip for shopping online this holiday season too.) Finally, before making any online donations, make sure you have a strong antivirus program installed that can detect phishing sites and that it’s up-to-date on all your devices.

If you are contacted by a charitable organization by telephone and want to make a donation, don’t give them your credit details over the phone. Have them mail you a donation form for you to evaluate and mail back. Remember: no legitimate charity will ask you to wire them money or pay them in gift cards. If you encounter a charity that is urging you to do so, cut all contact and block them on all platforms.

Bear in mind that not all charity scams are out for money, either—some are hoping to skim personal information. There is absolutely no reason to provide a charitable organization with information like your Social Security Number or driver’s license number—these are major red flags. Also, be especially cautious of requests to send an SMS code to donate via text message.

Social Media Scams

Social media is an easy and typically secure way to donate to legitimate charitable organizations, but scammers know how to use these platforms as well. Social media scams are on the rise, but a little bit of common sense goes a long way with donations on social channels. If you’re looking to donate to someone through a crowdfunding site, be sure the campaign fully answers these questions:

  • Can you verify if the organizer of the campaign has an existing relationship with the intended donation recipient?
  • Is there a plan for how the funds be used to aid the intended recipient?
  • Are verifiable friends and family of the intended recipient making donations and leaving supportive comments?
  • How will the intended recipient access the funds?

If you cannot easily find the answers to these questions, we recommend you avoid donating to that campaign.

Another pervasive social media scam is celebrity imposters who pretend to raise funds for charities or disaster relief. These imposters use the familiar faces of some of our favorite media personalities to gain our trust and access our wallets. If you have been solicited by a celebrity for donations, stop and take moment before you give. Make sure it’s their official social media page, which can be often verified on Twitter and Facebook by a small blue checkmark next to their name. You may also Google the celebrity’s name and “scam” to see if others have already reported a trap.

Source: @PatrickDempsey on Twitter

Attacks Targeting Seniors

While scams that target our aging loved ones are a problem year-round, the Consumer Financial Protection Bureau says scammers tend to ramp up their efforts during the holidays to take advantage of seasonal generosity. Most charity scams that target seniors are similar to the ones we all face, including phishing emails, phishing sites, and false charities. However, “Grandkid Scams” are a unique variety.

For this type of fraud, an older adult is contacted by a someone pretending to be a family member in desperate need of money or assistance, often impersonating a grandchild. Speak with the older adults in your life about the common signs of scams, like misspelled emails and requests for wire transfers, and teach them how to hover over a link to check its destination. Remind them to verify whether a family member is reaching out for money, and check in with them more often leading up to the holidays to catch any potential security issues early.

Stop Attacks Early

Vigilance is key in stopping a potential security breach in its tracks. If you believe you may have unwittingly sent money to a scam charity, reach out to the organization you used to send the money, such as your bank or credit card company. Tell them the transaction was fraudulent and ask them to cancel it, if possible. If you believe your personal information was exposed, you can freeze your credit to prevent any long-term damage. Also, if you think you may have encountered a charity scam of any type, be sure to report it to the FTC to help keep others safe.

Even if you don’t think you have suffered a breach, keep an eye on your credit score and monitor your banking and credit accounts closely this holiday season. Paying a little extra attention will help you act quickly if your information has been compromised, potentially saving you and your family major holiday heartache. For an added layer of protection, secure all of your family’s devices behind a trusted VPN, which will keep your private data encrypted and safe should anyone try to intercept information you send over WiFi.

Do you know of a common scam we missed? Have some advice you think we should have included? Let us know in the comments!

How to Keep Your Kids Safe Online

Reading Time: ~4 min.As digital natives become more immersed in and dependent upon technology, they are likely to experience “cyber fatigue,” which can be thought of cybersecurity complacency. Paired with the invincible feeling that often accompanies being young, this can be a dangerous combination. It’s easy to mistakenly believe that hacked devices and identity theft are things that only happen to adults. Kids and teenagers, however, are just as high-risk and the impacts of cybersecurity breaches could potentially affect them for years into their future. So how can we protect our kids’ digital lives in the same way we protect their offline lives?

Frank Conversations

The internet may seem like a playground of endless entertainment, but we need to educate our children about the dangers that exist there as well. Have you had a friend or family member who’s been hacked or somehow had important information compromised? Talk to your kids about it, how it happened, why it happened, and the work needed to fix it. These real-life examples may be one of your most powerful education tools, as they help children more concretely understand the concept of cybersecurity threats. Demonstrating that these things can happen to anyone, including them, is the quickest way to get their cybersecurity guard up. Looking for fresh ideas on how to talk to your kids about cybersecurity? Check out the Webroot Community for advice and tips.

Common Scams

Teach your children about the most common cybersecurity threats, especially ones that are particularly pervasive on social media, including phishing, identity theft, and malicious websites. They should never accept private messages from people they don’t know, or click on links from friends or family that seem out of character or suspect. If they aren’t sure a message from a friend is actually from that individual, they should not hesitate to verify their identity by calling them, or by asking specific questions only that individual would know. The comments sections of websites like YouTube are also potential flashpoints. Clever comments can entice users into clicking on a risky link that navigates them to a malicious site.

Illegal Downloads

The temptation to download an illegal copy of a favorite movie, game, or album can be strong, but ethical and legal implications aside, it remains one of the most risky online behaviors. In fact, a recent study found that there was a 20% increase in malware infection rates associated with visits to infringing sites. Make sure your kids know the impact illegal downloads have on their security, and inform them of alternative streaming and download options. If you’re able, give your child an allowance for services like Steam for video games, or Amazon Video for films and shows. Providing them with alternative options is the best way to keep your child from giving into the temptation of illegally torrenting content.

Mobile Safety

A recent study found that people aged 15 to 24 spend about four hours a day on their phones. This works out to roughly 1,456 hours of mobile engagement a year, making mobile devices one of the most vulnerable entry points for cybersecurity breaches. Make sure your child’s phone is protected with a pin number, password, or biometrics on the lock screen, and that they know to leave Bluetooth turned off when not in use. Connecting to public WiFi networks could also leave your child vulnerable, but you can protect their devices from open networks by securing them with a VPN.

Digital Footprint

Many young people today use anonymous or “private” messaging services, like Whisper, Sarahah, or Snapchat, believing that they are protected by the apparent anonymity. However, cybersecurity experts have long been critical of these services, as nothing online is 100% anonymous.

“There is no single app that is capable of providing complete anonymity,” says Randy Abrams, Sr. Security Analyst at Webroot. “Even though someone may think they are anonymous, our online behavior allows people to track and identify us. Apps that claim to provide anonymity often collect and sell personally identifying data left behind from internet searches.”

“Some apps may offer much higher degrees of anonymity, but it takes a tremendous amount of knowledge and discipline to be anonymous,” he adds. “If an app requires access to your contacts, pictures, storage, location or the ability to make and receive phone calls or SMS messages, anonymity quickly starts to disappear.”

Free applications have to make a profit somewhere, which often means that they are storing, tracking and selling user data. This is particularly dangerous as users are lulled into a false sense of security, which can quickly be shattered when these services are affected by a cybersecurity breach. Make sure your kids know nothing they say online is truly private, and that a negative digital footprint can drastically alter the course of their lives.

Shared Responsibility

We believe cybersecurity is a shared responsibility, and that it is not just up to parents to educate digital natives. This is why we’ve developed a cybersecurity awareness initiative with the Aurora Public School System in Colorado. In addition to providing students with online safety tips, we’ve given them insights on potential career paths, and connected them with our engineers to solve problems using skills like math and coding that could benefit them later in their careers.

We encourage parents to explore and advocate for cybersecurity and STEM education opportunities for children in their local communities. For more educational content to help keep your family safe from cyber threats, visit the Home + Mobile section of our blog.

5 Tips for Optimizing Your VPN Experience

Reading Time: ~3 min.By now, you likely know that a Virtual Private Network (VPN) is essential to remaining safe when working remotely. But, once set up, how can you optimize your VPN to work well with your devices and meet your security needs? Here are our top five tips for maximizing your VPN experience.

Pair it with an Antivirus

One of the biggest misconceptions about VPNs is that they protect your device from malicious programs. While a VPN will encrypt your network traffic, preventing others from viewing intercepted data, most do not warn you when you visit dangerous sites. If your VPN provides advanced web filtering for risky sites, that can be an additional defense against cyber threats such as malware and phishing.  Alternatively, while strong antivirus software actively monitors for viruses and malware within files and applications, it does not encrypt your data or prevent it from being monitored. Both are equally important for protecting your devices, and are ideally used together. Combining the two services provides additional security.

Enable a Kill Switch

Setting up a VPN to keep your data safe is an important first step, but what happens if your VPN server goes down or disconnects while you are entering sensitive data and you don’t notice the connection was lost? Without the protection of a VPN kill switch, your devices will often automatically reconnect to the network without alerting you, this time without the protection of your VPN. A kill switch feature blocks sending and receiving data until the VPN connection is re-established.. For maximum protection, select a VPN with a kill switch feature and ensure it has been enabled.

Understand the Impact of Setting Up a VPN on Your Router

Having a VPN on your home router may seem like a helpful boost to your cybersecurity, but it’s actually the opposite. Most routers lack the processing power of a modern CPU, meaning that even older personal devices (phones, tablets, computers) will have a much easier time handling the task of encrypting/decrypting data than your router will. Instead, set up a VPN for each personal device to prevent a bottleneck of data to your router while simultaneously securing it at all access points. Selecting an easy-to-use VPN solution with cross-device functionality will make this task much easier on the end user, while providing maximum security.

Protect All of Your Smart Devices

When it comes to cybersecurity, we tend to imagine a nefarious hacker out to steal and sell your data. But not all data collection is illegal. Your Internet Service Provider (ISP) has a vested interest in tracking your streaming habits, and they may even throttle your network depending on your usage. Our phones, computers, and tablets are each a potential interception point for our private data. Securing each of your smart devices with a VPN, even those that stay in your home, is the best way to prevent your data from potentially being monitored by third parties. 

Encrypt Your LTE Connection

While your cellular network is more secure than public WiFi options, it remains vulnerable to an attack. LTE user data can be exploited by what is known as an “aLTEr attack”. This attack redirects domain name system (DNS) requests, performing a DNS spoofing attack that can fool your device into using a malicious DNS server. This spoofed DNS server will deliver you to websites as normal until you request a high-value website the attack is targeting, like your banking or email provider. Oftentimes this fake website will scrape your data before you realize what has happened. You give yourself an extra layer of security by wrapping your LTE connection in a VPN, allowing you to access your most sensitive data confidently.

When it comes to getting the most out of your VPN, this list is just the beginning. Our privacy concerns and security needs will continue to change as our connected devices mature and we recommend keeping an eye on your VPN provider for any potential updates to their services.

Ready to take back control of your privacy? Learn how our Webroot WiFi Security VPN protects what matters most wherever you connect.

Webroot WiFi Security: Expanding Our Commitment to Security & Privacy

Reading Time: ~3 min.For the past 20 years, Webroot’s technology has been driven by our dedication to protecting users from malware, viruses, and other online threats. The release of Webroot® WiFi Security—a new virtual private network (VPN) app for phones, computers, and tablets—is the next step in fulfilling our commitment to protect everyone’s right to be secure in a connected world.

“Launching Webroot WiFi Security is a valuable and exciting progression in our mission,” said Webroot Director of Consumer Product Andy Mallinger. “Antivirus solutions protect your devices from malware and other cyber threats, and a VPN protects your data as it’s sent and received over networks—especially public networks. This combination allows us to extend our protection of personal data beyond the device to the network.”

Shifting tides

Webroot WiFi Security arrives at a time when the fragile state of our online privacy is becoming more apparent and better understood by internet users around the world. Recent revelations of government surveillance via the Snowden leaks, social media data collection like that in the Facebook/Cambridge Analytica scandal, and data breaches including the Equifax hack have fueled a palpable rise in data privacy concerns.

Over half of internet users from around the world say they are “more concerned about their online privacy than they were a year ago,” according to a 2018 CIGI-Ipsos Global Survey on Internet Security and Trust.

Another key factor with grave implications for data privacy in the United States specifically was the 2017 repeal of privacy regulations for Internet Service Providers (ISPs), which aimed to ensure broadband customers had choice, greater transparency, and strong security protections for their personal info collected by ISPs.

“ISPs are facing less regulation today, and so can continue to share, sell, and profit by passing on user information to third parties— browser history, location, communications content, financial details, etc.—without the user’s knowledge or consent,” said Webroot Sr. VP of Product Strategy & Technology Alliances Chad Bacher.

Taking control of privacy

Now more than ever, individual users must take steps to regain control over their online privacy and security. Along with keeping trusted antivirus software installed on mobile and home devices, users should actively protect their data in transit over networks with a VPN.

But it’s important to note that all VPN applications are not created equal. Many users looking for a privacy solution find themselves wondering if they can trust that their VPN provider has their interests at heart. Consumer wariness concerning the privacy of VPN products is justified—some VPN apps, especially free ones, are guilty of sharing or selling their user data to third parties, limiting bandwidth, or serving ads. Facebook’s VPN app was recently removed from the Apple App Store® following concerns over the app’s misuse of user data.

Webroot WiFi Security provides one of the most powerful forms of encryption available, AES 256-bit encryption, and protects user data from cybercriminals and ISPs alike. Webroot WiFi Security does not collect your browsing activity, the sites you visit, downloaded data (or shared or viewed), DNS queries, or IP addresses. The full Webroot WiFi Security Privacy Statement can be found here.

Privacy plus the protection of Web Filtering

In addition to the privacy safeguards of Webroot WiFi Security that protect users while they work, share, bank, and browse online, users also benefit from the integration of Webroot BrightCloud® Threat Intelligence.* The app’s Web Filtering feature provides an extra layer of protection to keep your financial information, passwords, and personal files from being exploited. Webroot WiFi Security is powered by the same threat intelligence platform the world’s leading IT security vendors trust.

“Not only is Webroot protecting user privacy, it’s also shielding users from phishing sites and websites associated with malware,” said Malinger.

Webroot WiFi Security is compatible with devices running iOS®, Android, macOS® and Windows® operating systems, and is now available to download on the Apple App Store, Google Play store, and Webroot.com.

*Only available on Windows, Mac and Android systems

Social Media Malware is Deviant, Destructive

Reading Time: ~4 min.We’ve seen some tricky techniques used by cybercriminals to distribute malware through social media. One common threat begins with a previously compromised Facebook account sending deceptive messages that contain SVG image attachments via Facebook Messenger. (The SVG extention is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.)

Cybercriminals prefer this XML-based image as it allows dynamic content. This enables the criminals to add malicious JavaScript code right inside the photo itself—in this case, linking to an external site. Users who click on the image find themselves on a website posing as YouTube that pushes a popup to install a browser extension or add-on or to view a video. There are plenty of red flags here like the URL clearly not being YouTube.com, as well as the fact that YouTube does not require any extensions to view videos.

Facebook messenger spreading an SVG image containing a harmful script

An example of a fake YouTube page with malicious browser extension popup

Worm-like propagation

If a you were to install this extension, it will take advantage of your browser access to your Facebook account to secretly mass-message your friends with the same SVG image file—like a worm, this is how it spreads. Victims don’t need to have very many friends for this tactic to be successful at propagating. For instance, if you have over 100 friends, then you only need less than 1% of your friends to fall for this for the scam for it to continue to propagate.

To make matters worse, the extension also downloads Nemucod, a generic malware downloader generally used to download and install a variety of other threats. Usually the go-to threat is ransomware given it’s proven business model for criminals.

Social media managers at risk

Those who manage social media accounts on behalf of businesses are particularly at risk of advanced malware and other cyberattacks. Earlier this spring, a new Windows trojan dubbed Stresspaint was found hidden inside a fake stress-relief app and likely spread through email and Facebook spam campaigns to infect 35,000 users, according to researchers at Radware who discovered the malware.

Stresspaint was rather deviant in the way it stole Facebook account credentials and logged into accounts looking specifically for data such as “each user’s number of friends, whether the account manages a Facebook Page or not, and if the account has a payment method saved in its settings,” according to Bleeping Computer.

Allowing cybercriminals to gain control of brand social media accounts can carry grave consequences such as reputation damage, loss of confidential information, and deeper access into an organization’s network. Last year, HBO was humiliated on their social profiles when the notorious hacker group OurMine breached several the network’s accounts and posted messages before the company finally regained control of their logins.

Source: u/marialfc on Reddit.

Crypto users targeted

Following the recent trend in malware, sophisticated variants of existing strains are now aimed at cryptocurrency users. A malicious Google Chrome extension called FacexWorm, which spreads through Facebook Messenger, was found to have morphed with a new ability to hijack cryptocurrency transactions made on a host of popular online exchanges, according to Coindesk. This further underlines the importance of exercising caution with the information you share on social media to avoid being a target, particularly if you are a user of cryptocurrency.

Cryptocurrency scams are another common threat that spreads throughout social media. Twitter is particularly notorious an outbreak of crypto scam bots that pose as high-profile tech leaders and industry influencers. Learn more about this type scam in my previous post.

Don’t let your guard down

Given the nature of social networks, many are likely to consider themselves to be in the company of friends on sites like Facebook, Instagram and Twitter. However, this assumption can be dangerous when you begin to trust links on social sites more than you would in your email inbox or other websites. For instance, a simple bot-spam message on Twitter was able to grant a hacker access to a Pentagon official’s computer, according to a New York Times report published last year.

It’s wise to be wary of clicking on all links, even those sent by friends, family or professional connections, as compromised social media accounts are often used to spread scams, phishing, and other types of cyberattacks. After all, just one wrong click can lead to an avalanche of cyber woes, such as identity theft, data loss, and damaged devices.

Have you encountered malware or other threats on social media? Share your story or ask a question in the comments below!

American Cybercrime: The Riskiest States in 2018

Reading Time: ~4 min.

Nearly 50 percent of Americans don’t use antivirus software

That’s right; something as basic as installing internet security software (which we all know we’re supposed to use) is completely ignored by about half the US. You’d be amazed how common this and other risky online behaviors are. We did a survey of people’s internet habits across the United States, and the numbers aren’t pretty.

For reference, some very common (and very risky) online behaviors include:

  • Not using antivirus software
  • Sharing your account passwords
  • Using too-simple passwords, or reusing the same password for multiple accounts
  • Not using an ad or pop-up blocker
  • Opening emails, clicking links, and downloading files from unknown sources
  • Not installing security on mobile devices

State-by-state Breakdown of the Riskiest Cyber Behaviors

We analyzed all 50 states and Washington, D.C., to rank them on their cyber hygiene habits. This ranking system uses positive and negative survey questions weighted by the relative importance of each question. These questions address several topics, including infection incidents, identity theft, password habits, computer sharing, software update habits, antivirus/internet security usage, backup habits, understanding of phishing, etc.

*Read the full report here.

Florida wins the dubious distinction of riskiest state with the worst cyber hygiene. But before anyone pokes fun, we’d like to point out that the average resident of any state in the nation has pretty poor cyber hygiene. Only 6 states in the nation had good cyber hygiene scores.

Impacts of Risky Behavior

When you engage practice poor cyber hygiene, you’re not just running the risk of getting infected or losing a few files.

In our research, we asked respondents who had suffered identity theft, “what were the main consequences of the identity theft incident?” Some of the self-reported fall-out was both surprising and tragic, including responses like divorced spouse, bankruptcy, failed to obtain mortgage, had to get second job, had to sell house, increased alcohol consumption, delayed retirement, and diminished physical health.

When we consider that identity theft can mean such devastating consequences as divorce, bankruptcy, and even damage to our health, it becomes clear just how important good cyber hygiene really is.

What the Riskiest States are Doing Wrong

Stats from the 5 riskiest states (Florida, Wyoming, Montana, New Mexico, and Illinois):

  • Identity theft had little to no impact on their cyber hygiene habits. That means even after learning the consequences first hand, very few people changed their habits.
  • These states had the highest per-person average (28 percent) of having experienced 10+ malware infections in a single year.
  • 50 percent+ of respondents in Florida, Illinois, Montana, and 45 percent of respondents from New Mexico and Wyoming said they don’t use any kind of antivirus or internet security.
  • 47 percent of respondents never back up their data.
  • An average of 72 percent share their passwords.

What the Safest States are Doing Right

The 5 safest states had many behaviors in common that kept them ahead of the malware curve.

  • Following cases of identity theft, nearly 80 percent of respondents from the 5 safest states reported that they had altered their online habits, and almost 60 percent changed their passwords.
  • Only 14.4 percent of respondents the safe states experienced 10 or more infections a year.
  • The safest states typically reported running paid-for antivirus/security solutions, rather than freeware, unlike their risky counterparts.
  • Finally, nearly half (43 percent) of the 5 safest states automatically update their operating systems, and 35 percent of respondents regularly back up their data, either on a daily or continuous basis.
  • And of the top 4, password sharing was hardly an issue (88 percent of respondents from those states reported they don’t share passwords at all.)

The Role of Demographics and additional findings

Given Florida’s reputation as a retirement hotspot, we wanted to point out that 50 percent of Florida’s respondents in our study were age 30 or below, and the national average of respondents aged 30 or below was 47 percent. This means age demographics in our survey were consistent throughout all 50 states and D.C. and our responses actually skew younger rather than older.

How to Increase Your Personal Cyber Hygiene Score (It’s not too late!)

Here’s a quick to-do list that will help keep you safe from malware, identity theft, and other online risks. It’s not as hard as you might think.

  1. Use antivirus software. And keep in mind, while there are plenty of free tools out there that are better than nothing, you get what you pay for. Your online security, and that of your family, is worth a little investment.
  2. Create strong passwords for each account, change them often, make sure each one is unique, and, if possible, add spaces for increased security. If you’re worried about keeping track of them all, use a password manager.
  3. Stop sharing your login credentials with friends, family, and coworkers. We mean it.
  4. Closely monitor your financial accounts for any fraudulent activity, and consider using a credit monitoring or identity protection service.
  5. Regularly update your operating system and software applications. Lots of infections start by exploiting out-of-date systems.
  6. Don’t open emails from people you don’t know, and don’t download anything from an email unless you’re certain it’s legitimate. And if you get a message that appears to be from an official or financial institution asking you to take an action, don’t click any links. Go straight to the institution’s official website, or call them to confirm whether the message you received was real.
  7. Back up your files and important data regularly to a secure cloud or physical drive.

There are a lot of risks out there, and as an internet user, you have a responsibility to use good judgement when you work, bank, shop, browse, and take other actions online. But by following these easy tips, you can dramatically change your cyber hygiene score, and reduce your risk of falling victim to cybercrime.

Update 8/15/18: The cyber hygiene survey previously embedded in this blog is now closed.

Bad Apps: Protect Your Smartphone from Mobile Malware

Reading Time: ~2 min.Smartphone apps make life easier, more productive, and more entertaining. But can you trust every app you come across? Malicious mobile apps create easy access to your devices for Android and iOS malware to wreak havoc. And there are many untrusted and potentially dangerous apps lurking around in app stores determined to outsmart your smartphone. With the average user having 35 apps installed on their phone, according to Google, it’s easy to see why smartphones can be such a easy target.

But my iPhone is safe, right?

Both Apple iOS and Android devices are targeted by hackers, and while the latter is a more popular target,  both platforms are both susceptible to various types of cyberattacks. After all, Apple’s latest version of iOS 11 was cracked just one day after its release via vulnerabilities in the Safari web browser, according to ZDNet.

Protect yourself from bad apps:

All of this means that unprotected smartphones are soft targets for cybercriminals, with weaknesses that hackers can ultimately exploit to generate revenue. The first defense is knowing that you can’t trust all apps. These tips will also help you stay protected as you search for the good ones:

  1. Download apps from reputable stores. The major, reliable providers are Galaxy Apps (Samsung), the App Store (iOS), Amazon App Store, and Google Play (Android).
    Google Play, for example, scans 50 billion apps daily to detect malware before publishing new ones.
  2. Disable “Unknown Sources” for Android devices, which prevents installing apps from sources other than the Google Play Store. So, if you use Amazon App Store, you’ll need to enable “Unknown Sources”. In that case, be mindful before allowing any other app or website to install something on your phone. It should also be noted that changes to this functionality are coming with the latest update to Android’s Oreo operating system.
  3. Keep Android USB debugging off. It can prevent outside malware from accessing your phone through corded connections, such as from a public charging station.
  4. Don’t jailbreak your iPhone. Allowing access and changes to your phone’s software can allows outsider apps that may not be trustworthy.
  5. Beware of any website, text, email, or anything asking you to install an app. Search for your own apps at the store and research all apps before installing.
  6. Beware of granting excessive permissions. Apps that perform basic functions, such as a flashlight, don’t need to access your personal information, for example.
  7. Read app reviews before installing, and review and report sinister apps. Users working together as a community can help alert unsuspecting victims to phony apps.
  8. Be cautious about providing your credit card or banking information. Avoid making transactions over apps that are not well known to you or the user community and be careful about hidden charges such as microtransactions.
  9. Install OS and other software updates. It always recommended to keep your OS and apps updated with the latest patches. It’s also smart to consider phones from vendors that release prompt security patches. Many software updates are designed to defend against malware and other emergent threats.
  10. Use trusted internet security software. No matter how careful you are, it is wise to employ a reputable layer of online security.

Prevention, prevention, prevention.

Sometimes free mobile apps, including free security software apps from unknown providers, are suspect. The convenience of a quick download and excessive trust are not worth saving a few seconds or cents. Do your research, follow these 10 tips, and protect your well-being on any mobile device.

 

Tech Support Scams: From Bad to Worse

Reading Time: ~2 min.Fake tech support scams aren’t going anywhere. In fact, recent data shows this type of social engineering attack is on the rise—with phony tech support calls, emails, and pop-ups peddling the digital equivalent of snake oil to unsuspecting internet users around the world.

While many people have grown wise enough to spot the warning signs of the typical tech support scam, a significant percentage fall victim, and exploiting their naivety can prove quite profitable for cybercriminals. A recent report from Microsoft describes a growing global problem: 153,000 reports were received from Microsoft customers involved in tech support scams in 2017, leading to a 24 percent rise in tech scams reported by Microsoft from the previous year. Those who lost money forked over an average of $200 and $400.

“It doesn’t require a great deal of technical knowledge to carry out a support scam, so it’s easy to see why criminals are choosing to jump into this field,” said Marcus Moreno, Supervisor of Threat Research at Webroot. “All that’s is needed is gaining the user’s trust and knowing more than they do about their computer. Whether criminals pay websites to host their fake support banners, or they proactively reach out to you, it doesn’t take much expertise.”

Due to the lucrative nature and relative success rate of these social engineering tactics, tech support fraud continues to propagate. The FBI’s Internet Crime Complaint Center (IC3) received around 11,000 cases of tech support scams in 2017, with victims claiming nearly $15 million in losses. That’s a shocking 86 percent increase from 2016!

The IC3 report also noted new variations of the typical tech support scam, with attackers resorting to posing as law enforcement to re-target previous victims by offering phony recovery assistance in exchange for a fee. Tech support scams are also turning to target cryptocurrency users, where the stakes can be higher, netting potentially thousands of dollars from a single victim.

Cold calls? Hold the phone!

The number one thing to keep in mind is that major tech companies—whether that’s Microsoft, your security software provider, or your device manufacturer—will never call you out of the blue. Beyond attempting to dupe a victim out of a fee for fake support services, cybercriminals can also try to gain remote access to your computer to steal personal information and install malware that can carry on the attack after the phone call has ended.

It’s also important to know that tech support scams also appear in the form of malvertising, such as pop-ups that can be found even on legitimate websites. These scam ads try to trick users with various fake system errors or malware infection warnings. Thousands of websites were recently discovered to be infected with malicious ads that lock users’ browsers and display a fake infection warning, according to SC Magazine. Web-based threats like this highlight the importance of keeping your devices updated and secure, as well as practicing safe browsing habits.

Visit our Cybersecurity Education Resources to understand more about common tech support scams and how to avoid falling victim. There you can also find blacklists of URLs and phone numbers known to impersonate Webroot and target our customers.

‘Smishing’: An Emerging Trend of Phishing Scams via Text Messages

Reading Time: ~3 min.Text messages are now a common way for people to engage with brands and services, with many now preferring texts over email. But today’s scammers have taken a liking to text messages or smishing, too, and are now targeting victims with text message scams sent via shortcodes instead of traditional email-based phishing attacks.

What do we mean by shortcodes

Businesses typically use shortcodes to send and receive text messages with customers. You’ve probably used them before—for instance, you may have received shipping information from FedEx via the shortcode ‘46339’. Other shortcode uses include airline flight confirmations, identity verification, and routine account alerts. Shortcodes are typically four to six digits in the United States, but different countries have different formats and number designations.

The benefits of shortcodes are fairly obvious. Texts can be more immediate and convenient, making it easier for customers to access links and interact with their favorite brands and services. One major drawback, however, is the potential to be scammed by a SMS-based phishing attack, or ‘Smishing’ attack. (Not surprisingly given the cybersecurity field’s fondness for combining words, smishing is a combination of SMS and phishing.)

All the Dangers of Phishing Attacks, Little of the Awareness

The most obvious example of a smishing attack is a text message containing a link to mobile malware. Mistakenly clicking on this type of link can lead to a malicious app being installed on your smartphone. Once installed, mobile malware can be used to log your keystrokes, steal your identity, or hold your valuable files for ransom. Many of the traditional dangers in opening emails and attachments from unknown senders are the same in smishing attacks, but many people are far less familiar with this type of attack and therefore less likely to be on guard against it.

Text messages from shortcodes can contain links to malware and other dangers.

Smishing for Aid Dollars

Another possible risk in shortcodes is that sending a one-word response can trigger a transaction, allowing a charge to appear on your mobile carrier’s bill. When a natural disaster strikes, it is common for charities to use shortcodes to make it incredibly easy to donate money to support relief efforts. For instance, if you text “PREVENT” to the shortcode 90999, you will donate $10 USD to the American Red Cross Disaster Relief Fund.

But this also makes it incredibly easy for a scammer to tell you to text “MONSOON” to a shortcode number while posing as a legitimate organization. These types of smishing scams can lead to costly fraudulent charges on your phone bill, not to mention erode aid agencies ability to solicit legitimate donations from a wary public. A good resource for determining the authenticity of a shortcode in the United States is the U.S. Short Code Directory. This site allows you to look up brands and the shortcodes they use, or vice versa.

Protect yourself from Smishing Attacks

While a trusted mobile security app can help you stay protected from a variety of mobile threats, avoiding smishing attacks demands a healthy dose of cyber awareness. Be skeptical of any text messages you receive from unknown senders and assume messages are risky until you are sure you know the sender or are expecting the message. Context is also very important. If a contact’s phone is lost or stolen, that contact can be impersonated. Make sure the message makes sense coming from that contact.

After the Hack: Tips for Damage Control

Reading Time: ~4 min.According to the Identity Theft Research Center, in 2017 alone, nearly 158 million social security numbers were stolen as a result of 1579 data breaches. Once a cybercriminal has access to your personal info, they can open credit cards, take out loans that quickly ruin your credit, or leave you with a giant bill. But that’s not all. Many people don’t realize that, depending on how much information a hacker gets and what their intentions are, you could lose a lot more than money. From sending malware to your contacts from your account to spamming your coworkers with phishing attacks to compromise your employer’s network, the damage a hacker can wreak on your personal and professional life can extend far beyond the monetary bounds.

Additionally, according to Dave Dufour, VP of Engineering and Cybersecurity at Webroot, we’re seeing more evolution in cybercriminal tactics that take advantage of internet users and their trust:

“What’s happening lately is that people are hacking social media accounts. Why would anyone want your social media information? One reason is that, if I have access to one of your social media accounts, I can spread malware to all your followers who trust you. Pretending to be you, I can send out a link, your followers click it, and my malware is now on all of their devices.”

So, what do you do if you’ve been hit with malware, ransomware, phishing, or a social media attack? First, don’t panic. Second, follow these steps to deal with the fallout.

You’ve been hacked. Now what?

Change your passwords
The first step is one you’ve probably already heard: change all your passwords. Yes, all of them. Don’t forget make them strong by using at least 12 characters, changing out at least two or three of the characters to uppercase, using numbers or symbols (e.g., replacing an A with a @ or an S with a 5), avoid using places you’ve lived, acquaintances names, your pets, birthdays, or addresses—and don’t even think about using ABC or 123. If you have trouble keeping track of your passwords, we recommend you use to a secure password manager application that saves your credentials in an encrypted database and automatically fills them in when you log into a site.

Turn on two-factor authentication
Most accounts that house your personal information, such as email or banking, offer two-factor authentication. This provides an additional layer of security that goes beyond your username and password by asking you to confirm your login with an extra step, such as a short-term security code sent via text message or phone call. You can turn on two-factor authentication from the login screen of the account.

Check for updates
One of the best ways to keep your devices protected is to update your operating system regularly and ensure that any applications you use are patched and up to date. If you have questions, you can always call your device provider’s helpline. To make things even easier, most systems and software allow you to set up Automatic Updates, so you don’t have to worry about remembering to check for them manually.

Install antivirus protection and run a scan
Antivirus software is an extremely beneficial tool that doesn’t just help detect and remove malicious software that could be lurking on your computer, it can also stop threats before they infect your device in the first place. But be careful: avoid the temptation to download a free antivirus program, as these often come bundled with malware or potentially unwanted applications. Instead, invest in a reputable option. Once installed, be sure to run a scan and turn on automatic scans and updates.

Delete sensitive data from the compromised account
As soon as you realize you’ve been hacked, go to the compromised account and delete any sensitive data you can. For example, if you know you’ve stored your credit card information, bank statements, social security number etc. in your email or on any retail site, immediately delete them from those locations. This also goes for any personal photos or information you wouldn’t want released. And don’t forget to clear out your folders on any cloud services, such as Dropbox, Google Drive™ or iCloud®.

Monitor bank statements and account activity
One of the top motivations of a cyberattack is to steal your money or identity to go on a shopping spree or use your financial accounts in some way. Be vigilant about monitoring your accounts for recent activity and check to make sure no new shipping addresses, payment methods, or accounts have been added. Also, call your bank and let them know about the incident so they can have their fraud department monitor your accounts.=

Deauthorize apps on Facebook, Twitter, Google, etc.
To protect your accounts and remove malicious individuals, check which apps are connected to your social media accounts and deactivate all of them. Did you sign into a site using your Facebook so you could see which historical figure you look like? That’s an example of something you should deactivate. You can find directions on how to do this for each account in its help or settings section or by contacting the associated customer service line.

Tell friends you’ve been hacked, so they don’t become victims, too
Another important step to take after you’ve been hacked is to alert your contacts. Many social media and email attackers will send messages from your account that contain malicious links, attachments, or urgent requests for money. Letting contacts know right away that your account has been compromised, and what to watch out for, can save them from the same fate.

Because technology continues to advance and the number of connected devices is growing exponentially, being the target of a cyberattack or identity theft is becoming more commonplace. But we’re here to help. Learn more about protecting yourself and your family online, and what you can do to stay safe from modern cybercrime.

Home Sweet Hackable Smart Home

Reading Time: ~4 min.We live in the future. Not one with teleportation, time travel, or flying cars, but one where talking to inanimate objects is the “normal,” even “cool” thing to do.

According to The Smart Audio Report from NPR and Edison Research, 39 million people now own an interactive, voice-activated smart speaker and, in just a few short years, the smart speaker has been joined by countless other smart gadgets, forming a network of connected devices known as the internet of things (IoT). These connected household devices have evolved from assisting with simple tasks like having Alexa play music, to having the ability to control nearly every part of the home, from the ambient temperature to the food that’s purchased for your refrigerator.

It’s pretty amazing, as long you remain in the captain’s chair. But what happens when you’re no longer the one in control?

They see you when you’re sleeping, know when you’re awake

Imagine coming home on a hot day to find your thermostat set to Phoenix-in-August-like temperatures and realizing you can’t change it. Or discovering your internet-connected appliances have been hijacked to do the bidding of cybercriminals in a DDoS attack by a massive IoT botnet. And what could be worse than finding out hackers have the ability to peek into the feed from the nursery webcam? These examples may sound like fear-mongering or idle, worst-case-scenario musings. But they’ve all already happened.

The more consumers buy and use internet-connected home devices, the more opportunities are created for hackers to break in, both digitally and physically. Since IoT products include everything from to fitness bands and home security cameras, to lights, doors, and cars, we run the risk of painting a detailed, time-stamped digital portrait of our daily lives for any hacker with the know-how to access these devices. All they need to access your entire network is one weak link.

Hacked by default

Why are IoT products so vulnerable? According to Webroot senior threat researcher Tyler Moffitt, “the underlining problem with all these emerging IoT devices is that the vendors are only focused on functionality, and have little to no budget for security vetting. Minimum viable product for maximum profit.”

The result? More vulnerabilities leading to more opportunities for attackers to hack your home. The proliferation and widespread adoption of IoT devices presents hackers with billions more targets than previously available, and their success rate need not be high. A single security oversight on a mass-produced device can be devastating.

For example, many smart home devices like Nest Learning Thermostat devices come with a default username and password that most consumers don’t think to change. In some cases, that’s simply not an option, as passwords are sometimes hardcoded into the firmware. Oftentimes, hackers can easily find default login information online and sneak onto your device. Then, with the help of a little malware, they can gain control of your entire fleet of smart-home devices. And hundreds of other people’s.

Patches and updates are another gaping door left open to hackers. Many IoT devices either simply can’t be patched to protect against the latest threats, or their manufacturers don’t have the budget or resolution to release prompt updates. In an up-and-coming market segment filled with startups, there isn’t even a guarantee your device manufacturer will be around to release a much-needed security update when an emergent threat comes knocking.

Secure is the new smart

Before you run home and to rip your Nest or other IoT connected device off the wall, read on. There are ways to keep your home smart and secure.

“Smart homes are still a new space as far as security goes,” says Moffit. “Down the road, we expect security to be protecting internet connected devices. But for now, we recommend a layered approach and taking all the proper precautions. Similar to antivirus, pay for the well-reviewed, vetted products.”

Here are a few more tips for being a smart IoT consumer:

Update login info

Update your usernames and passwords (the stronger the better). Do this for every device you have, and avoid using the same password twice. While you’re at it, change the passwords on your other accounts, too — especially if you’ve had the same one since you opened your first email account in 1998.

Secure wireless networks

Set up two different networks to help reduce the risk of hacking across devices — one for smartphones, computers, and tablets, and another for your smart home products. Add a strong password and give your home network a random name having nothing to do with your username, password, or address. Also, make sure your home network is protected by the Wi-Fi Protected Access II (WPA2) protocol, disable guest access, and most importantly, disable remote access. 

Update software and firmware

Updating helps ensure the latest security measures are being implemented by your device. Many smart home devices don’t update automatically, so check for them about once a month.

Install security software and malware protection

Because there is no singular solution for protecting your smart home products themselves, it’s important to use a layered approach for your security measures. Safeguarding your network, for example. Adding security apps and software to your computer and smartphone can protect against attackers accessing information via a malicious site or app.

Invest in proven solutions

Since so many companies are trying to get on the smart home train and many aren’t keeping security top-of-mind, it’s important to invest in proven solutions and stick to well-known brands that have a reputation for being secure. This helps guard against the aforementioned problem of timely updates not being available, too.

Oh, and you know those home gadgets that come with a hard-coded password? Don’t buy them.

Page 1 of 712345...Last »