Banking Trojan

 

A banking trojan Is a malicious program designed to steal financial information or money from on-line banking apps or other financial platforms.  There are many ways a smartphone/laptop/computer can be infected with a banking trojan.  Some of these vectors include:

• Malicious Adobe Flash Player update
• Amazon gift card offer scam
• IRS email phishing scam
• Malicious java script file
• Malicious Macro-enabled Word documents
• Malicious Pdf files with weblinks
• Malicious Google Doc
• Malicious WhatsApp Updater
• SMS messages with a link to download a malicious program

Almost every day it seems as though there is a new banking trojan that has been released.  Some of the names are:

• Trickbot
• Emotet
• ZeuS
• QakBot
• IceID
• Bizarro
• And many more

Tips to Stay Secure

• Only install applications from the vendor (Google/Apple)
• Keep apps and OS updated
• Consider whether you should give a certain app the permissions it requests
• Use an anti-malware program
• Stay aware and vigilant of the various threat vectors

Mobile/Laptop/Tablet Security

Most folks carry at least one mobile device - ie. a smart phone.  Besides a smart phone, many may also have a laptop and/or tablet.  There are several different types of threats for these devices.

Threats

• Loss, theft, misplacement – Since devices are small, they can easily be lost or stolen. 
   
• Unauthorized device and data access – If a device is on, unattended, and the screen is left unlocked, a malicious individual could make changes to the device or access data on the device.
  
  
• Malware – Any electronic device with an operating system such as Windows, OSX, IOS, Android, is vulnerable to malware.  Anti-malware software can be installed on a device to make sure it isn’t infected by malware.
  
  
• Electronic eavesdropping – Malware has the ability to turn on mobile device microphones and/or cameras.  If you have a mobile device in your pocket or near to you, this could be used to listen in on your conversations.
  
  
• Electronic location tracking – Most mobile devices have GPS built-in and this can be good if you misplace your phone you can find it with a tracking application, but it could also be bad because malicious software can use the GPS functionality to track your location.

Tips to Securing

• Maintain physical control.
  
  
• Don’t leave device in unlocked vehicle.
• If you must leave your device in a vehicle, put it in the trunk or conceal the item under the seat and lock the doors.
  
  
• Set a passcode and enable auto-lock.
  
  
• Backup data regularly.
  
  
• Apply critical patches/updates to the operating system and installed apps.
  
  
• Use up-to-date antivirus software on smartphones and tablets.
  
  
• Review the rights apps require before installing.
  
  
• Use full disk encryption on the device – Apple FileVault2 or Microsoft Windows Bitlocker.

Register & Track

• Register the device with the manufacturer.
  
  
• Always keep your registration, make, model, and serial number in a safe place at home.
  
  
• Asset tag, engrave the device, or apply distinctive paint markings (such as indelible markers) to make it easily identifiable.
  
  
• Use commercial location software such as Apple FiindMyiPhone, LoJack Security, etc.

·

Cyber Security is Like a Game of Chess

 

And Checkmate! If you are familiar with chess, this is not something that you want to hear. It means that you are in a position with your king piece that you cannot escape. It’s Game Over man! In case you didn’t know, there’s a serious game being played today involving your data and identity. On one side are cyber attackers, and on the other are those who are trying to defend your privacy and personal accounts. Cyber Security is much like a game of chess!

You might be thinking, A game? Like chess? Well let me explain!

Hacking is probably not a new term for you, in fact hacking has been around for many of years. There is an early account from 1971 were a hacker named John Draper, hacked into phone systems using a plastic toy whistle from a cereal box. Crazy, right?  

Well in the early days of the internet and the personal computer, hacking was a game for many hobbyists (There are still people today who participate in hacking championships for fun) The early hackers would test the boundaries of what they could do, and what they could get away with, however, while some treated hacking as a fun innocent game, others began to realize the potential for malicious and criminal behavior. 

Now Jump forward many years, and as cyber attackers have become more sophisticated, the security industry has grown to defend against it. With new types of attacks developing all the time, we develop new strategic defenses to block and prevent them. Security tactics now become outdated as soon as attackers find ways around them, meanwhile, attackers continue to rely more on social engineering tricks that are hard to defend against in general. 

They make a move, then we make a move, and then they make a move, and so on and so on!

For us in the Information Security Department at Columbia College, cybersecurity is a lot like a game of chess. There are many pieces to move, and our strategies needs to keep tabs on all of them. We must adjust to our adversaries’ moves, move quick against attackers and protect your king at all costs. The cybersecurity game continues, but even as the stakes are rising, the rules are changing. It’s now more complicated than ever.

So, what can you do to help keep you ahead in this always evolving cybersecurity game?

• Complete your Columbia College annual Cyber Security Training. 
• This will ensure that you are update to date on best practices when it comes to being cyber secure.
• Follow the best practices and polices outlined by Technology Services
• Use strong passwords and never share your password.
• Remember that not ever Technology Services will ask for your Columbia College password.
• Report all suspicious emails to Technology Services at  cchelpdesk@ccis.edu
• Even if you know it is a phishing attack and ignore it, by reporting it you can help the Information Security Team identify and mitigate the attack for others.  
• Be mindful of the information you post online or on social media.
• Social Engineers can use all sorts of information you post to help them take over your identity.
• Be Aware
• The Information Security Team is growing, and dedicating itself to not only keeping our systems secure, but bring awareness and education to you to help keep you more secure in the office and at home.
• Stay up to date with all that we are doing at our blog! 

Week 5 - Internet of Things (IoT) at Home

How many devices to you have connected to your Internet connection at your house?  Can you name them all?  While these devices bring a great deal of convenience, they also bring associated risk.  Here is a list of things you can do to better secure your IoT devices.

·         Know what’s connected to your network.

·         Make sure your home wireless is encrypted using a strong password.

·         Make sure anti-virus/anti-malware software is installed on all of your computers, tablets, and smartphones. 

·         Change the default credentials and don’t use common words or passwords that are unique. 

·         Keep your smartphone secure.  Does your phone lock when not in use?  If not, consider adding a PIN, pattern, password, or face unlock.

·         Regularly update your software.

·         Use caution when using social sharing/geolocation.

·         Disable any features you don’t need.  If you don’t have any Bluetooth devices then turn off Bluetooth on your devices.

Week 5 – Prize Registration

Week 4 – Google Phishing Quiz

Nearly one-third of all data breaches in 2018 involved a phishing email.  Columbia College has an anti-spam solution which blocks tons of spam/malware/phishing emails, but even with the best solution some phishing emails may still get through.  Google’s technology incubator, Jigsaw, has released a phishing quiz which you can take to see if you can spot the phish.

Google Phishing Email Quiz (will open up in a new window)

After you have taken the phishing quiz, be sure to enter your email address to get registered to win a prize.

Week 4 - prize registration (will open up in a new window)

Week 3 - What's Wrong with My Desk?

For October Security Awareness Month, the week 3 security awareness activity is  "What's Wrong With My Desk?"  Keeping a clean desk and clear screen at work is important to protecting confidential information. Please click on the link below to see pictures of a desk and note all of the security risks.  If you find that the pictures are too small, please use the zoom feature in your PDF viewer.  Once you have a list, you can submit your answers using the second link below.

• Desk Pictures (will open up in a new window)

• Submit Answers and Register for a Prize (will open up in a new window)

Week 2 - Best Practices for Storing Columbia College Files

Where do you store your files?  Do you store files on your desktop?  What would happen if your computer’s hard drive went bad?  What would happen if your computer was infected with ransomware and you couldn’t access any of your files?  What would happen if your Columbia College laptop was lost/stolen and you had files on it needed for your job?

Do you know about the Columbia College i:\ drive?

The i:\ drive is a personal network drive which only you have access to. The i:\ drive is also backed up, so in the event your computer hard drive dies, CC laptop is stolen, computer is infected with ransomware, etc. files can be restored.

Example uses of Network Storage (my I:\) drive:

• Store documents/files
• Access files at different computers (ie. Another office, classroom, computer lab, etc)

Examples of how not to use Network Storage (my I:\) drive:

•  Do not store program installers that you have downloaded.
• Do not store personal media of large file types such as pictures, audio, or movie files.

• NOTE: the i:\ drive is only accessible on the Columbia College network.  If you are working at home using a Columbia College laptop and need to access your i:\ drive files, you will need to be connected to the Columbia College VPN in order to access your i:\ drive files.

If you do not see your network home drive mapped under My Computer, try these steps.

1. Check the magnifying button.
2. In the search box, type \\ccis.edu\homecampus\Home\youruserid
3. Hit enter
4. If this does not open your home directory, please contact the Technology Solutions Center at CCHelpDesk@ccis.edu or at 573-875-7495.

For more information, please see the Acceptable Computing Use Policy.

http://www.ccis.edu/policies/acceptable-computing-use-policy.aspx

If you currently use the i:\ drive or if you are going to start using the i:\ drive to store files after reading this security awareness tech tip, then please enter your name and email address on the Google form linked below to be registered for your chance to win a prize.

Week 2 - prize registration

October is Cyber Security Awareness Month!  

Join Technology Services and the National Cyber Security Alliance in celebrating the 16th year of National Cyber Security Awareness Month!

Cybersecurity begins with a simple message that everyone using the internet can adopt:

STOP. THINK. CONNECT.

Take security and safety precautions, understand the consequences of actions online, and enjoy the benefits of the internet!  Throughout October, Technology Services will offer interactive educational activities to help you achieve those goals—for each activity you complete, you will be entered into a drawing at the end of the month!

For Week 1 we have a list of questions for you to attempt. Please follow the link below and make sure to enter your email address at the bottom to be registered for your chance to win!

2019 October Security Awareness Questionnaire

2019 could be a record-breaking year for data breaches

https://securityboulevard.com/2019/09/2019-could-be-a-record-breaking-year-for-data-breaches/

According to Risk Based Security’s 2019 Midyear Quickview Data Breach Report, there have been 3,813 separate data breaches reported through June — exposing about 4.1 billion records. That’s a 54% increase in data breaches and 52% increase in exposed records over the same period in 2018.

Of the organizations that suffered a breach and could be clearly classified, those in the business sector accounted for 67% of breaches, followed by medical (14%), government (12%) and education (7%).

The web remains the primary vector of exposed records, accounting for 79% of compromised records, the report states. Hacking remains the number one cause of data breach incidents, accounting for 82% of those reported. “Email addresses and passwords remain prized targets, with email addresses exposed in approximately 70% of reported breaches and passwords exposed in approximately 65% of reported breaches,” the report stated.

Attacks continue to focus on user credentials. And that’s for good

reason: it works. Reams of login credentials are made available every day on the dark web. According to the report, such activity has increased in recent months.

While the report shows that there are more external data attacks, when insiders attack, they tend to expose more sensitive data. “The vast majority of incidents are attributable to malicious actors outside of the organization, yet more and more sensitive data is exposed when insiders fail to properly handle or secure information. Case in point:

misconfigured databases and services – 149 of the 3,813 incidents reported this year – exposed over 3.2 billion records,” the report found.

“Attackers have taken notice. The practice of targeting open, unsecured databases to either steal data or hold it for ransom has ebbed and flowed over the past 2 years,” the report continued.

As the report said, the first six-months of 2019 were among the worst ever when it came to raw data breach numbers, and there’s little to be optimistic about. “The number of breaches is up and the number of records exposed remains stubbornly high. What is clear is that despite the awareness of the issue among business leaders and the best efforts of defenders, data breaches continue to take place at an alarming rate,” the report says.

Such reports could be much different if organizations that hold large amounts of data focused more on securing that data and if there was a bigger focus on two-factor authentication. According to the report, passwords accounted for 64% of all exposed data, and more than 3.2 billion records (80% of the total) were exposed in just eight of the data breaches.

A Credit Freeze Won't Help With All Equifax Breach Threats

There are other dangers you should know about. Here's how to protect yourself.

By Jeff Blyskal

September 19, 2017

If you’ve placed a security freeze on your credit reports at Equifax, Experian, TransUnion, and Innovis, that will help prevent fraudsters from opening new credit accounts in your name.

Freezing your credit report specifically at Equifax will also prevent crooks from registering as you at the government website, my Social Security, and block them from attempting to steal your Social Security benefits.

But taking these steps won't protect you against every identity fraud threat arising from the Equifax data breach.
With the information that hackers got, including access to Social Security numbers, birth dates, and an unspecified number of driver’s license numbers, you need to take other steps to help lock down your finances.
Here are three important ways you can protect yourself.

Tax Refunds

With your Social Security number, crooks can file false income tax returns in your name, take bogus deductions, and steal the resulting refund. More than 14,000 fraudulent 2016 tax returns, with $92 million in unwarranted refunds, were detected and stopped by the Internal Revenue Service as of last March. 

MORE ON EQUIFAX DATA BREACH

How to Lock Down Your Money After the Equifax Breach

Consumers Union Demands Equifax Make Affected Customers Whole

Security Freeze vs. Fraud Alert: Deciding the Best Option

How to Freeze Your Credit While Applying for a Loan

Though you are generally not liable for such fraud, if a criminal manages to change your tax records and receive your refund, it can take months to straighten out the mess.
How to protect yourself. The best defense is to obtain an Identity Protection PIN from the IRS, which is a code that must be filed with your legitimate return for it to be accepted. An identity thief can’t file his fraudulent return without your PIN.
But you can get a PIN only if a fraudulent return has previously been filed in your name, if the IRS determines that you’re an ID-fraud victim, or if you live in a high tax-related identity theft locale such as Washington, D.C.; Florida; or Georgia.
The IRS would not say whether those affected by the Equifax breach would qualify for a PIN.
Andrew Mattson, a tax partner at the Moss Adams tax firm in Silicon Valley, recommends that taxpayers who don’t officially qualify for a PIN request one anyway, by filing a Form 14039, Identity Theft Affidavit (PDF). “Even if the IRS says no, your account will generally be flagged for additional monitoring for suspicious activity,” he says.
Mattson also recommends that you periodically view your IRS account information, which shows when returns were filed and which refund payments were made. Activity there—if it’s not yours—can be a sign of fraud. The balance updates every 24 hours, usually overnight, but there is a one- to three-week lag in the time it takes for refund payments to show up.
If you suspect fraud, contact your local IRS office using the Taxpayer Assistance Center Office Locator.

Health Insurance

Data from the Equifax breach can be used to steal your benefits from private health insurance, Medicare, or Medicaid when the identity thief uses your coverage to pay for his own medical treatment and prescriptions.
Many health insurers have internal special investigation units and anti‐fraud personnel to root out medical identity fraud, and if suspicious activity is detected, they’ll send email alerts to the policyholder, says Cathryn Donaldson, a spokeswoman for America’s Health Insurance Plans, the trade association of health insurers.
How to protect yourself. Get copies of your medical records from providers to establish the baseline of your health before your records are compromised. Increasingly, online patient portals make this easy to do. Check back regularly to see whether providers you didn’t use are listed and whether you’ve been charged for treatments you never received.

In addition, review your free annual MIB Consumer File, which contains medical and personal information about you reported by health, life, disability, and other member insurers. Do the same for your Milliman Intelliscript report, which tracks your history of prescription drug purchases.

The Federal Trade Commission also says consumers should ask each of their health plans and medical providers for the “accounting of disclosures” related to their medical records. That tells who got copies of your records from the provider. The law allows you to order one free copy from each medical provider every year.
If available, sign up for your insurer’s secure online portal, and regularly review the explanation of benefits, which shows which treatments you received when and from which providers. While there, sign up for fraud alerts via email or text message, which will keep you apprised of benefit payments.
Regularly review your credit report for medical collection accounts that don’t belong to you.

Your Driver's License

Using your driver’s license number, identity thieves can create bogus driver’s licenses and hang their moving violations on you. With more work and information from phishing or further hacking, identity thieves can create bogus checks to pay a cashier, who “verifies” the shopper’s identity by writing your license number on the bad check.
If this happens to you, you may not discover how your license has been used until a police officer tells you, or perhaps, until a bank closes your account because of too many bounced checks.

How to protect yourself. Ask the motor vehicles department to give you a copy of your driving record; most states charge for this, usually about $10. To find out whether any bad checks are attributed to your driver’s license, request your free annual consumer report from each of the big three check verification companies, ChexSystems, Certegy, and TeleCheck.
If you find that your driver’s license is being used fraudulently, you can file a police report at your local police department and ask the motor vehicles department to flag your license number, which will alert law enforcement officers to be extra careful in identifying people they pull over with your license number. You should also request a new driver’s license number.
If you’re arrested or find criminal charges on your record, go to the Identity Theft Resource Center for advice on clearing criminal identity theft; if you find fraudulent checks on your record, follow the ITRC for advice on resolving checking account fraud. You can also call the center at 888-400-5530 for free assistance.

Correction: A previous version of this article said people should register at the government website my Social Security to protect their Social Security benefits. In fact, setting up a credit freeze with Equifax will stop identity thieves from setting up a my Social Security account in your name. 

Massive phishing attack targets Millions of Gmail Users

View the original article from the BBC. Image courtesy of Getty Images.

Google says it has stopped a phishing email that reached about a million of its users.

The scam claimed to come from Google Docs - a service that allows people to share and edit documents online.

Users who clicked a link and followed instructions, risked giving the hackers access to their email accounts.

Google said it had stopped the attack "within approximately one hour", including through "removing fake pages and applications".

"While contact information was accessed and used by the campaign, our investigations show that no other data was exposed," Google said in an updated statement.

"There's no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup."

During the attack, users were sent a deceptive invitation to edit a Google Doc, with a subject line stating a contact "has shared a document on Google Docs with you".

The email address hhhhhhhhhhhhhhhh@mailinator[.]com was also copied in to the message; Mailinator, a free email service provider has denied any involvement.

If users clicked on the "Open in Docs" button in the email, they were then taken to a real Google-hosted page and asked to allow a seemingly real service, called "Google Docs", to access their email account data.

Victims of the scam were asked to let a seemingly real service called "Google Docs" access their account data. Image copyright Talos Intelligence

By granting permission, users unwittingly allowed hackers to potentially access to their email account, contacts and online documents.

The malware then e-mailed everyone in the victim's contacts list in order to spread itself.
"This is a very serious situation for anybody who is infected because the victims have their accounts controlled by a malicious party," Justin Cappos, a cyber security professor at NYU, told Reuters.

'Too widespread'

According to PC World magazine, the scam was more sophisticated than typical phishing attacks, whereby people trick people into handing over their personal information by posing as a reputable company.

This is because the hackers bypassed the need to steal people's login credentials and instead built a third-party app that leveraged Google processes to gain account access.

The Russian hacking group Fancy Bear has been accused of using similar attack methods, but one security expert doubted their involvement.

"I don't believe they are behind this... because this is way too widespread," Jaime Blasco, chief scientist at security provider AlienVault, told PC World.

Google said the spam campaign affected "fewer than 0.1%" of Gmail users. That works out to about one million people affected.

Last year, an American man pleaded guilty to stealing celebrities' nude pictures by using a phishing scam to hack their iCloud and Gmail accounts.

And in 2013, Google said it had detected thousands of phishing attacks targeting email accounts of Iranian users ahead of the country's presidential election.