This is your Shared Security Weekly Blaze for December 31st 2018 with your host, Tom Eston. In this week’s episode: a new phishing attack targeting two-factor authentication, Amazon Echo eavesdropping, and a new Netflix email scam.
Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.
As this is the last episode in 2018, I wanted to thank all of you for listening and supporting the podcast this year! Happy New Year and we look forward to helping you stay more secure and private in 2019!
A recent report from Amnesty International shows that there is a large phishing campaign taking place targeting hundreds of individuals in the Middle East and North Africa. The campaign seems to be targeting email accounts from Google and Yahoo as well as more secure email services such as ProtonMail and Tutanota. In the case of attacks targeting ProtonMail and Tutanota, the attackers simply added the letter ‘e’ to the end of ‘proton’ in the domain name ‘protonmail.ch’, and with Tutanota they used the domain ‘tutanota.org’ when the real domain is ‘tutanota.com’. While these two techniques are very common in many similar phishing attacks, these are specifically designed to bypass common forms of two-factor authentication such as text-message-based methods. Essentially, the attackers set up a login page for an email service, and in the background some fancy scripting acts as a proxy to the real email service while you enter your login credentials and then the two-factor authentication code sent to your phone. This attack could even work against app-based two-factor authentication like Google Authenticator as well. Mitigations for this type of phishing attack are the typical ones we always recommend, like carefully looking at the web address in the email or in the address bar of your web browser, and using a newer and more secure form of two-factor authentication such as a hardware security key from companies like Yubico and others.
I found it interesting that the details in this report were specifically directed towards human rights defenders, because they are almost always targeted by nation-state governments through phishing attacks like these. But as we continue to see what I would call the arms race between us and attackers using more creative ways to conduct phishing campaigns, it’s more important than ever to take the stance of ‘think before you click’. In fact, phishing attacks like the ones described in this report are becoming so common that it’s advisable to never click on links in an email altogether. Instead, manually type in the web address of the site you’re being prompted to visit.
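To make the difference between the two kinds of second factor concrete, here is an added example (written for this page, not code from the podcast, from Amnesty International, or from any of the services named). It simulates a real service, a victim, and a credential-relaying proxy. The origins `https://mail.example` and `https://mail.examp1e`, the password, the challenge and the key secret are all constructed; the TOTP secret is the RFC 6238 reference test secret. A relayed SMS or authenticator-app code is still valid when the proxy forwards it a few seconds later, whereas a security-key assertion carries the origin the browser was actually on, so the real service rejects it. One simplification: an HMAC stands in for the ECDSA signature a real security key would produce.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed sample data: a stand-in relying party and a victim account.
RP_ORIGIN = "https://mail.example"        # the real mail service (hypothetical)
PHISH_ORIGIN = "https://mail.examp1e"     # the attacker's lookalike proxy (hypothetical)
PASSWORD = "correct horse battery staple"
TOTP_SECRET = b"12345678901234567890"      # RFC 6238 reference test secret
KEY_SECRET = b"security-key-private-key"   # stands in for the security key's private key


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def rp_verify_totp(password: str, code: str, now: int) -> bool:
    """Real service: password plus a code from the current or previous 30 s window."""
    if password != PASSWORD:
        return False
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, now - skew)) for skew in (0, 30))


def relay_attack_totp(now: int) -> bool:
    """Victim types password and SMS/app code into the phishing page at time `now`;
    the proxy replays both to the real service five seconds later."""
    victim_code = totp(TOTP_SECRET, now)
    return rp_verify_totp(PASSWORD, victim_code, now + 5)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_sign_assertion(challenge: bytes, origin: str) -> dict:
    """WebAuthn/U2F-style assertion. The browser, not the user, fills in the origin of
    the page it is actually on, and the key signs over it. Simplification: HMAC stands
    in for the ECDSA signature a real security key produces."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin}
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    signature = hmac.new(KEY_SECRET, digest, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": signature}


def rp_verify_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """Real service: reject any assertion not made on its own origin for its own challenge."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != RP_ORIGIN:
        return False                        # origin binding: this is what defeats the relay
    if client_data.get("challenge") != _b64url(expected_challenge):
        return False
    digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(KEY_SECRET, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


CHALLENGE = b"challenge-issued-by-the-real-service"  # constructed; real services use random bytes


def legitimate_webauthn_login() -> bool:
    assertion = browser_sign_assertion(CHALLENGE, RP_ORIGIN)
    return rp_verify_assertion(assertion, CHALLENGE)


def relay_attack_webauthn() -> bool:
    """The proxy forwards the real service's challenge to the victim, but the victim's
    browser is on the phishing origin, so that is what the key signs."""
    assertion = browser_sign_assertion(CHALLENGE, PHISH_ORIGIN)
    return rp_verify_assertion(assertion, CHALLENGE)


if __name__ == "__main__":
    print("TOTP relayed through proxy accepted:", relay_attack_totp(1_000_000_000))  # True
    print("Security key, genuine login:        ", legitimate_webauthn_login())       # True
    print("Security key relayed through proxy: ", relay_attack_webauthn())           # False
```

The point of the contrast is that a one-time code is just a number the user can be talked into retyping anywhere, while a security-key assertion is bound by the browser to the origin it was made on (a real relying party also checks the hash of its RP ID inside the authenticator data, which the example omits). Looking carefully at the address bar still matters, because the user is the only check against the lookalike domain in the first case.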
Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.
Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:
- Visibility into workload communication pathways;
- Security policies built on the cryptographic fingerprint of the software;
- The ability to apply policies and segment your networks in one click; and
- A way to continuously monitor and assess risk.
Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.
Did you receive an Amazon Echo device as a gift over the holidays? Well you may want to pay attention to this story as a man in Germany got much more than he asked for when requesting a copy of all the data Amazon had about him. Apparently, when Amazon sent him the download link to his data, he was accidentally given access to 1,700 private audio recordings from an Amazon Echo device that were generated by a completely different household. The man requesting his data from Amazon said he doesn’t even own or use an Amazon Echo device. A spokesman for Amazon told Reuters last week that, “This unfortunate case was the result of a human error and an isolated single case”. You may recall that this incident follows other similar Amazon Echo issues this past year of Echo devices sending conversations to others that were not the intended recipient.
Does it seem surprising that “human error” is the cause of this most recent issue? Something to keep in mind is that a data request system, which you would think would be automated, is in fact a very complex set of internal systems handling potentially thousands of data requests, so we should not be surprised to hear of issues like these. The GDPR, which we all know as the EU data privacy law, has provided European citizens with the ability to request their data from companies like Amazon. Now, this is a huge win for individual privacy, but companies need to make sure that the internal systems behind it are properly designed and maintained so that human error and other issues, like in this example, don’t end up creating more privacy concerns.
In other phishing-related news… ’tis the season for a new phishing scam targeting Netflix customers. Last week the Federal Trade Commission in the US published an alert to consumers about a phishing email that states that the victim’s Netflix account is ‘on hold’ because the company is having trouble with the current billing information. The email urges the user to click on a link to update their payment details, and we all know what happens after that. In the case of this phish, there are several clues that indicate that this is a scam, such as the use of an international support phone number, the British spelling of “centre”, and the greeting of “Hi Dear” instead of the victim’s name.
Ironically, in our previous story we talked about how phishing attacks are getting more sophisticated, yet very simple phishing scams like this one, bad grammar and all (unless you’re British), continue to be highly effective. Be safe out there, and don’t forget to tell your friends and family to be on the lookout for an increase in phishing scams, which always seems to come right after the holidays.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.