New dictionary words have been formed to describe online scams. Phishing, one that everyone knows by now, is when a scammer uses a pretext in an email to get someone to click on a link or attachment in the email to deploy malicious malware and ransomware.

Social engineering is when criminals conduct online search of individuals and companies by looking at Facebook and LinkedIn profiles and through Google searches to find out as much as possible about a company and its employees and develop a dossier on the company to launch a phishing, vishing or smishing scam.

Vishing can occur, for example, when a criminal buys a similar domain to a company domain, then adds some security terms to make it look like they are from the IT department of the company and calls an employee, tells them a story about how they need to update the VPN or add additional security measures, sends the employee an email from the fake company email address and while they are on the phone with the employee, convinces the employee to put their user name and password into the pop-up, now allowing the criminal full access to the employee’s account.

And smishing (it’s so new that spell check doesn’t recognize it) is when the scammers use a text (SMS messaging) as the ruse instead of an email or a telephone call.

People tend to trust text messages more than emails. They also read them more frequently and faster than emails. Scammers are using old techniques with new technology to get people to click on embedded links to introduce malicious malware into individuals’ phones or to give up personal or corporate credentials. Now the scam is using text messages.

This should be concerning for IT professionals since so many employees use their personal phones for work. Even though the employees are being targeted on their personal phones, the smishing scams can be a threat to corporate security. IT professionals may wish to add smishing as a technique when providing security training to employees so they are aware of the latest techniques used by criminals.

When the Federal Bureau of Investigations (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) get together to issue an alert to warn us about a security threat, you can bet that the threat is real, and that they have seen it used successfully at an alarming rate.

The joint advisory issued on August 20, 2020, “Cyber Criminals Take Advantage of Increased Telework Through Vishing Campaign,” warns companies of the increased use of vishing attacks by cyber criminals. The advisory defines “vishing” as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward” [see related Privacy Tip].

People are always amazed at how much time and effort cyber criminals take to get the big pay-off. I always say this is how they make their living. We go to work every day and get a lot of work done in a legal way, while they go to work every day to figure out how to steal from us. They are spending the same amount of time on strategy, development and implementation to work out the details of the crime as we are in making an honest living. What they are doing in cyber crime is no different than planning for a bank robbery. They have to plan carefully and then execute the crime. That’s what the cyber criminals have done with their vishing campaign.

The vishing campaign referred to in the advisory started with the criminals registering domains and creating phishing pages that duplicate a company’s internal VPN (virtual private network) login page, including the requirement for two-factor authentication or a security passcode. They then obtained SSL (Secure Socket Layer) certificates for the registered domains, including support(victim company name), ticket(victim company name), employee(victim company name), or (victim company name)support. The point is that they are using the actual company name in combination with IT support to lure the victims and convince them into thinking the domain is real. It certainly looks very real.

The criminals then do online research on potential company victims, and according to the alert, “compile dossiers” on employees of the companies “using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.” This is publicly-available information about companies and their employees that the criminals use to implement the crime. They aggregate the publicly available information and then start calling the employees on their cell phones. When an employee answers, they engage them in conversation as if they know them (from social engineering—including name, address, position in the company) to get them to believe they are from IT support. They advise the employee that the company has changed the VPN and that a link to the new login will be sent, which includes multi-factor authentication, and that they will need to log in to reset the VPN. During the call, they assist the employee in logging in to the VPN and in the process, they gain access to the employee’s log in credentials and now have access to the employee’s account.

Once in the employee’s account, the criminals have access to other potential victims in the company using the same tactics, and are able to “fraudulently obtain funds using varying methods dependent on the platform being accessed.”

The alert acknowledges that this old scam, previously used on telecommunications and internet service provider employees, has now expanded to all industries because of the transition from work at the office to work from home during the pandemic. Companies need to be aware of the campaign, alert their employees, and provide them with resources and tips to avoid falling victim to it.

The Federal Bureau of Investigations (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning the public about vishing campaigns [see related post]. Vishing is defined by the FBI as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.”

Vishing basically means that cyber criminals are gathering publicly-available information on companies and employees so they get to know a lot about them, and then they call employees on their cell phones to try to get them to believe that they are from IT support and that a new VPN (virtual private network) is being used. They then assist the employee with activating the new VPN and in the process obtain the employee’s credentials to access the company’s system and look for new victims.

We all know not to give our credentials to strangers via email. We also know not to give our credentials or personal information to anyone over the telephone. That said, the joint alert makes it clear that people who are working from home are falling victim to this campaign as there is no face-to-face authentication, and the criminals have gathered so much information on the individual employee that the employee believes it is a co-worker calling to assist.

Beware of giving any information to anyone over the telephone (or via email for that matter).

The Alert gives the following “End-User Tips”:

  • Verify that web links do not have misspellings or contain the wrong domain.
  • Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis  of an inbound phone call.
  • Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
  • If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
  • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
  • Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, refer to the CISA Security Tips below.

Although a security researcher has confirmed that LinkedIn users’ data, including full names, gender, email addresses, telephone numbers, and industry information is for sale on RaidForums by a hacker self-dubbed “GOD User TomLiner,” LinkedIn has stated that it is not from a data breach of its networks. According to LinkedIn, “[O]ur initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources….This was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed….”

No matter how the data ended up for sale on a hacker forum, if you are a LinkedIn user, you should be aware of it, and understand how that information can be used against you. Having valid email addresses and telephone numbers give hackers and scammers the ability to use them for targeting phishing and vishing schemes and other social engineering scams. In addition, the information can be used to compile dossiers and aggregated with other publicly available information for targeted campaigns.

As a precaution, security experts are suggesting that LinkedIn users update their passwords and enable multi-factor authentication on their LinkedIn accounts.

Many individuals already use facial recognition technology to authenticate and authorize payment through their smartphone. According to Jupiter Research, by 2025 (only four years away), 95 percent of smartphones will have biometric technology capabilities for authentication, including face, fingerprint, iris, and voice recognition. According to Juniper Research, this will amount to the authentication of over $3 trillion in payment transactions on a yearly basis.

Technology vendors are starting to use biometric information more and more to provide services to consumers. For instance, Spotify recently released its “Hey Spotify” feature for its app. If you use Spotify, and the new feature is rolled out to your device, you will see a pop-up with a big green button at the bottom that reads, “Turn on Hey Spotify” and a very small link in white that reads, “Maybe later.” Above the big green button in white is text that reads, “LEARN HOW WE USE VOICE DATA” and “When we hear ‘Hey Spotify’ your voice input and other information will be sent to Spotify.”

The big green button is very noticeable and the white text less so, but when you click on the “LEARN HOW” button, you are sent to a link that reads, “When you use voice features, your voice input and other information will be sent to Spotify.” Hmmm. What other information?

It continues, “This includes audio recording and transcripts of what you say, and other related information such as the content that was returned to you by Spotify.” This means that your biometric information–your voice–and what you actually say to Hey Spotify is collected by Spotify. Spoiler alert: you only have one voice and you are giving it to an app that is collecting it and sharing it with others, including unknown third parties.

The Spotify terms then explain that it will use your voice, audio recordings, transcripts and the other information that is collected “to help us provide you with advertising that is more relevant to you. It also includes sharing information, from time to time, with our service providers, such as cloud storage providers.”  It then explains that you can “interact with advertisements on Spotify using your voice. During a voice-enabled ad, you will hear a voice prompt followed by an audible tone.” Of course, you should know that your response will then be recorded,  collected, and shared.

In response to the question “Is Spotify recording all of my conversations?,” the terms state that “Spotify listens in short snippets of a few seconds which are deleted if the wake-word is not detected.” That means that it is listening frequently until you say, “Hey Spotify.” It doesn’t say how often the short snippets occur.

Consumers can turn off the voice controls and voice ads by disabling their microphone. This is true for all apps that include access to the microphone, which is why it is important to frequently look at your privacy settings and see which apps have access to your microphone and to manage that capability (along with all of the apps in your privacy settings).

It is important to know which apps have access to your biometric information and who they share it with, as you cannot manage that biometric information once you give it away. You don’t know how they are really using it, or how they are storing, securing, disclosing, or retaining it. Think about your Social Security number and how many times you have received a breach notification letter. You can try to protect your credit and your identity with credit monitoring and credit freezes, but you can’t use those tools for the disclosure of your biometric information to scammers and fraudsters.

Your voice can be used for fraudulent purposes. It can be used for authentication to get into accounts, and for vishing (see blog post on vishing here).  Your voice is unique and sharing it with apps or others without knowing how it is secured is something worth considering. If the information is not secured and is subject to a security incident, it gives criminals another very potent tool to commit fraud against you and others.

Before providing your biometric information to any app, or anyone else for that matter, read the Privacy Policy and Terms of Use and understand what you are giving away merely for the convenience of using the app.

A cyber-attack against–Bithumbone of South Korea’s largest cryptocurrency exchanges and one of the five largest in the world—has reaped access to the data of 30,000 users and drained their accounts in the process. Bithumb is one of the biggest ethereum exchanges by volume in South Korea, representing more than 44 percent of trading in that country.

The Korea Internet and Security Agency is investigating the incident that occurred on June 30 when an intruder obtained access to Bithumb’s system through the hacking of an employee’s home PC. The incident affected 3 percent of Bithumb’s users.

The data that was compromised in the incident included users’ names, mobile telephone numbers and email addresses. In addition, some users’ disposable password used in financial transactions was also compromised. This led to the draining of some of those users’ accounts.

The hackers used “voice phishing” (vishing), which is when the hacker directly contacts the company on the telephone, poses as an executive and tries to get information from an unsuspecting employee—including usernames, passwords and security codes or answers to security questions in order to gain access to the company’s system.

In this case, it is being reported that the attacker posed as an executive of Bithumb in a telephone call, claimed that suspicious activity was found on the account, and asked for the credentials so he could fix it. The victim complied and the hacker gained access to account information and thereafter drained multiple financial accounts of users.

Bithumb is offering to compensate victims and is continuing to investigate the incident.

The lesson is that hackers and criminals are very bold and using new techniques to steal. We talk a lot about email phishing and spear phishing, but vishing should not be overlooked. Employee education is important in alerting employees to these sophisticated techniques.