One thing you can be sure of is that cybercriminals always up their game.

Here’s a great example of this. Malware used to be something that could be caught using what was known as ‘signatures’. That is, specific code within the virus that could be used to identify it. Back in those days, catching a virus was much easier.

Now we have something called a ‘polymorphic’ attack, in which the malware changes its own code from one infection to the next and adapts to the environment it ends up in, so that no single signature matches it. This makes it much harder to detect and prevent. Polymorphic attacks are only one of many that have become very effective at evading detection.

As cyber-attacks become more complex, we must draw on the networks of intelligence that the ‘good guys’ build. One such intelligence-gathering exercise has been carried out by Mitre. Here we look at what it is and how we can use it to up our own game in preventing cyber-attacks.

What is Mitre ATT&CK

There are so many types of cyber-threats, techniques, and mechanisms, that it can be really hard to keep track of them. Fortunately, some of us quite enjoy working out what cybercriminals are up to and then documenting the threats. One company doing stellar work in this area is Mitre.

Mitre is a U.S.-based company that works closely with the federal government. Through its ongoing work in cybersecurity, Mitre has put together an online repository of cyber-attack methods and techniques, which it calls Mitre ATT&CK. ATT&CK is an acronym for “Adversarial Tactics, Techniques, and Common Knowledge”. The information in the ATT&CK matrix is a continually updated collection of data from which to understand the various cyber-attack methods.

The information collated by Mitre is displayed on web pages as a matrix. It comprises attack methods and stages of delivery, used by cybercriminals, and was originally developed for Mitre’s own internal project use. Using the data in the Mitre ATT&CK matrices you can identify an attack mode and see mitigations to help you detect, prevent, and deter the attack.

What is really useful about the repository is that it is an ongoing record of adversarial behaviour that is accessible to all.

The ATT&CK knowledge base is found using the online portal: https://attack.mitre.org/

The data is conveniently published as a matrix listing all of the known attack methods. There are three main matrices:

  1. PRE-ATT&CK
  2. Enterprise:
    1. Linux
    2. macOS
    3. Windows
  3. Mobile

[Image: Mitre ATT&CK matrices]

When you go to any of the matrices you will see the tactics (the adversary’s goals) across the top, with the techniques used to achieve each tactic listed in the column beneath it. For example, if you go to Enterprise Matrix – Windows and open Spearphishing Link, the page will tell you all about what spearphishing is. It will also tell you how to mitigate the attack type:

Mitigation | Description
Restrict Web-Based Content | Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
User Training | Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.

Source: Mitre ATT&CK

You can also look specifically at Tactics, Techniques, and Mitigations. Each is accessible at the top of the main Mitre ATT&CK page.

How to Use Mitre ATT&CK for Security Awareness?

Mitre ATT&CK is designed for many types of use, including:

Adversary emulation: to understand the techniques used by cybercriminals to attack your network.

Assessment of security gaps: to identify any areas in your network that need to be addressed in terms of improving protective mechanisms.

Red teams: a red team acts as an adversary to test your protective measures against a cyber-attack. The information in ATT&CK can give a red team the necessary intelligence to build a more effective attack simulation.

In terms of security awareness training, under Mitigations there is a section on user training.

[Image: Mitre ATT&CK User Training mitigation page]

This section shows the various types of cybersecurity attacks that user training can help mitigate. You can use this intelligence to help kick-start or rekindle a security awareness training programme for your organisation:

  1. To give you the know-how when talking with your chosen security awareness training vendor
  2. To evidence the need for security awareness training to your C-Level
  3. For your own personal cybersecurity awareness
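To turn the User Training page into something you can query rather than browse, here is an added example (not part of the original post, and not Mitre’s own tooling) that walks the machine-readable STIX 2 bundle behind the matrix. The bundle embedded below is a hand-built excerpt in the layout of Mitre’s enterprise-attack.json (published in the mitre/cti GitHub repository): STIX ids are shortened, only the fields the script uses are kept, and the technique and mitigation ids are the public ATT&CK ones except T9999, a placeholder standing in for a deprecated entry. The functions answer the two questions the page poses, which techniques a mitigation such as User Training covers and which mitigations apply to a technique such as Spearphishing Link, and they skip the revoked and deprecated objects that the real bundle also carries.

```python
"""Query ATT&CK STIX data: techniques covered by a mitigation, and mitigations
that apply to a technique. Added example, not MITRE's own code."""
import json

# Constructed excerpt in the layout of MITRE's enterprise-attack.json bundle
# (mitre/cti on GitHub). Ids are shortened; only the fields used below are
# kept. The revoked relationship and the deprecated technique (placeholder id
# T9999, not a real ATT&CK id) mirror entries a query over the real bundle
# must ignore.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--1",
     "name": "Phishing: Spearphishing Link",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.002"}]},
    {"type": "attack-pattern", "id": "attack-pattern--2",
     "name": "Phishing: Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--3",
     "name": "Retired Technique", "x_mitre_deprecated": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    {"type": "course-of-action", "id": "course-of-action--1", "name": "User Training",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1017"}]},
    {"type": "course-of-action", "id": "course-of-action--2", "name": "Restrict Web-Based Content",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1021"}]},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--1", "target_ref": "attack-pattern--1"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--1", "target_ref": "attack-pattern--2"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--1", "target_ref": "attack-pattern--3"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--2", "target_ref": "attack-pattern--1"},
    {"type": "relationship", "relationship_type": "mitigates", "revoked": True,
     "source_ref": "course-of-action--2", "target_ref": "attack-pattern--2"},
]})


def attack_id(obj):
    """The ATT&CK id (T..., M...) from an object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_live(obj):
    """Revoked and deprecated entries stay in the bundle; they must not be reported."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def parse_bundle(text):
    """Return (live techniques and mitigations by STIX id, set of (mitigation, technique) edges)."""
    bundle = json.loads(text)
    objects = {o["id"]: o for o in bundle["objects"]
               if o.get("type") in ("attack-pattern", "course-of-action") and is_live(o)}
    edges = set()
    for o in bundle["objects"]:
        if (o.get("type") == "relationship" and o.get("relationship_type") == "mitigates"
                and is_live(o) and o["source_ref"] in objects and o["target_ref"] in objects):
            edges.add((o["source_ref"], o["target_ref"]))
    return objects, edges


def techniques_for_mitigation(text, mitigation_id):
    """Sorted (technique id, name) pairs covered by a mitigation such as M1017."""
    objects, edges = parse_bundle(text)
    return sorted({(attack_id(objects[t]), objects[t]["name"])
                   for m, t in edges if attack_id(objects[m]) == mitigation_id})


def mitigations_for_technique(text, technique_id):
    """Sorted (mitigation id, name) pairs that apply to a technique such as T1566.002."""
    objects, edges = parse_bundle(text)
    return sorted({(attack_id(objects[m]), objects[m]["name"])
                   for m, t in edges if attack_id(objects[t]) == technique_id})


if __name__ == "__main__":
    for tid, name in techniques_for_mitigation(SAMPLE_BUNDLE, "M1017"):
        print(f"M1017 User Training covers {tid} {name}")
```

Swap SAMPLE_BUNDLE for the contents of the real enterprise-attack.json (open(path).read()) and techniques_for_mitigation(..., "M1017") returns the full list behind the User Training page, which doubles as an evidence list when you put a training programme to the board.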

 


How Does Understanding Cyber Security Attack Methods Help Business?

The UK Government “Cyber Security Breaches Survey 2019” found that 32% of UK companies had experienced a cyber-attack in the previous 12 months. Of those, 80% were victims of phishing campaigns. However, there is a positive note in the survey. The figure of 32% is down on the previous report in 2018, when 43% of UK companies were victims of a cyber-attack. The report discusses why this figure has decreased and offers this explanation:

“One plausible explanation for fewer businesses identifying breaches is if they are generally becoming more cyber secure. The survey shows that businesses have increased their planning and defences against cyber attacks since 2018.”

Having an understanding of the common types of cyber-attack is vital in an age where attacks are a daily occurrence. We can no longer rest on our laurels and hope that anti-virus software or firewalls alone will protect our company. The Mitre ATT&CK information gives us the knowledge to go on the offensive, now that purely defensive techniques are failing. Knowledge is king and queen in an age where social engineering reigns.

Ways to Remain Cyber-Security Aware Using Mitre ATT&CK

Mitre ATT&CK is well worth a browse through, and at the very least it can be a great addition to your own personal security awareness training. The mitigation sections can also help you to develop your organisation’s security policy. And, it can be invaluable in evidencing your need for security awareness training when presenting to your management or board for cybersecurity funding support.

Taking it one step further, you can use the data gathered by the Mitre team to prepare your organisation for a security awareness training session, picking out the key and current issues that need to be addressed with employees.

Remaining cybersecurity aware is part of an ongoing process of personal and professional development if you are an IT professional. Using sources of intelligence such as the Mitre ATT&CK can help you condense and focus your learning.

Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.


American Express is a big business brand name. The company made $40 billion of revenue in 2018 and remains one of the top credit card companies with around 58 million cardholders. Big names mean big phishing opportunities for cybercriminals.

This phishing scam is a general mass delivery scam; the hope is that even a few clicks on the link will harvest enough payback to make it worthwhile for the fraudster behind the scam.

So, it is no surprise that this week’s scam of the week is an American Express email phishing scam.

What the American Express Email Phishing Scam Looks Like

American Express Phishing Scam

The use of American Express and other well-known credit card brands to scam people out of money is nothing new. This week’s scam is quite a traditional one in the scheme of phishing emails. It has the following elements:

  1. Branding that looks like American Express. This helps to convince the recipient it is real.
  2. Fear, Uncertainty, and Doubt (FUD). This is social engineering at its best. The spoof email raises concern about an “invalid login attempt” which has led to your account being suspended. This, the scammers hope, will trigger a knee-jerk reaction to click on the link in the email to reactivate your account and check everything is OK.

If you are an American Express customer, you may well be tricked into clicking a malicious link with this combination of a known brand and worry over an account compromise.

How Can You Tell This is a Scam?

As is often the case with non-targeted, mass delivered, email phishing scams, the fraudsters make a few mistakes. We can use these mistakes to check the legitimacy of the email. These are the tell-tale signs of this week’s scam:

  1. The salutation was “Dear Valued Customer”. If this email was really from American Express about a possibly compromised account, they would use your actual name.
  2. The email sender address was clearly not an American Express email address:

akmslasd-smelekbem.mmklmnahssd-ululupernonfa-jajamkas0004@bowokece.com

  3. There were some grammatical and formatting errors in the email body text, such as:

À merican Express Limited (note the accent on the A and the space between the A and the m)

  4. The link was presented as www.americanexpress.com/secured/updates but resolved to a completely different URL.

What Happens if You Click the Link in the Phishing Email?

We used an online analyser to check what was inside the link. The site was blacklisted as a phishing site. Opening the site presents a spoof American Express page that requests personal information such as name, address, etc.

American Express Phishing Scam

If you do receive a suspicious email like the one in this week’s scam post:

  1. Avoid clicking on any link in the suspicious email.
  2. If you do click the link, never enter personal data, including login credentials, into a suspicious website.

Sometimes, spoof sites that open after clicking a malicious link are also infected with malware. So always keep your computer patched and software up to date.

If you receive an email from American Express that looks suspicious, forward it to: UKemailfraud@americanexpress.com

Why not help your colleagues stay safe and send them this little reminder. Feel free to edit, copy/paste the advice below:

The American Express Email Phishing Scam 

An email that looks like it is from American Express is a scam that is trying to steal personal data. The email will be branded with American Express logos and colours. It will state that an illicit attempt to access your account has been made. The email encourages you to click a link to reactivate the account.

DO NOT CLICK ANY LINKS IN THIS EMAIL

If you receive this email, inform your IT department or forward the email to: UKemailfraud@americanexpress.com

Don’t forget to share this with your colleagues and friends and help them stay safe.

Let’s keep breaking scams!


When an organisation suffers a cyber-attack, it loses customer data, time, and money. Sometimes networks are also damaged, causing massive disruption. And in the case of a ransomware infection, important work files can be lost for good. However, when an organisation is the victim of a cyber-attack, employees can also be in the firing line.

When a company is hit by a phishing campaign, ransomware or an attack like Business Email Compromise (BEC), the starting point is usually an employee or someone directly associated with the company. Phishing, for example, needs only a single person to click a malicious link or download an infected attachment and the attack begins. When this happens, heads roll. There have been many cases where employees have been sacked after a security incident.

Here we take a look at a few that made the headlines, but undoubtedly, this is just the tip of the iceberg.

When Ransomware Costs More Than Bitcoins

In 2019, Cybersecurity Ventures predicted that a business would be hit by ransomware every 14 seconds. Ransomware infects computers using a number of techniques; one typical method is via phishing emails.

Lake City in Florida was recently the victim of a ransomware attack. The city ended up paying around $460,000 in Bitcoin to the cybercriminals behind the attack. Data was lost and city workers were unable to access email as servers were affected. The Director of IT, Brian Hawkins, was sacked after the attack. Although Hawkins had put protection in place, including backups, which allowed the council to get operations up and running again quickly after the attack, he ultimately became a scapegoat for the incident.

A Tale of Business Email Compromise (BEC), a Lawsuit, and a Sacking

Business Email Compromise is a complex, multi-faceted cyber-attack. It typically involves targeting a company and the employees within it who manage financial transactions. The global cost to business of BEC crime is around £9.5 billion over the last 5 years.

Patricia Reilly worked in the finance department for The Peebles Media Group. She was sacked after she inadvertently paid out £193,250 to cybercriminals behind a BEC scam that targeted the organisation. The scam involved the fraudsters impersonating the organisation’s managing director (MD) and sending out emails that looked like they were from the MD. While the bank repaid some of the money lost, the company not only sacked Reilly but also sued her for the rest of the lost money.

Outing the Breach Can Get You Fired

A cyber-attack is an embarrassing as well as a costly affair. Employees working in the security or IT department may have to make decisions about how to handle the breach. Companies should have firm policies on the breach management and notification process.

Mignon Hoffman, an information security officer at San Francisco State University, was sacked after a major data breach incident. Hoffman claimed she was fired because she disclosed security shortcomings in the university; in other words, she became a whistle-blower because she felt this was the most ethical thing to do.

Not Outing a Breach Can Also Get You Fired

This example is the other side of the breach notification coin. If you don’t notify this can also be bad news.

Uber’s Chief Security Officer Joe Sullivan and the company’s security lawyer Craig Clark were sacked after the massive Uber data breach that involved 57 million customers. Sullivan and Clark were allegedly fired because they tried to cover up the breach and agreed to pay the cybercriminals $100,000 to delete the stolen data. They even attempted to get the cybercriminals to sign Non-Disclosure Agreements (NDAs).

The Big Whale Can Also Be Sacked

Business Email Compromise (BEC) is a costly crime and it isn’t just employees on the front-line who end up fired. In this case, the company’s CEO was sacked.

Walter Stephan, CEO of a Boeing and Airbus supplier, FACC, was sacked after a ‘whaling’ attack. This is one of the variants of the Business Email Compromise scam, whereby a CEO or president of an organisation is impersonated by a cybercriminal. Spoof accounts are then used to trick others into financial transactions. In this case, there was a total loss of 52.8 million euros.

The Antidote to Being Fired – Security Awareness Training

According to research by Kaspersky, 31% of data breaches result in employees being fired. It is one thing when C-Level executives are sacked after a major cyber-incident, but when other staff end up in the firing line it can seem very unfair. This is especially true if that employee has not received the right level of security awareness training.

Security awareness training gives employees across all levels of an organisation the knowledge to spot the early warning signs of an attack. Training members of an organisation in what a typical phishing email looks like and warning them about the dangers of spear phishing is a powerful way to manage the threat of a cyber-attack. Similarly, teaching security best practices adds a layer of protection against common security issues, including poor passwords and password sharing.

Sacking staff because of a security incident should always be a last resort. It costs time and money to find good staff, so keeping hold of them should be a priority. Providing security awareness training is a positive way to give your employees the knowledge needed to help themselves and the organisation beat cybercrime.

Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.


Uber is a company famous for cheap rides and a massive data breach in 2016.

And, with big names and data breaches come big scams; Uber is no exception to this rule. This week’s scam looks at a variant on phishing, SMiShing and how the famous brand of Uber is being exploited for ill-gains.

The Bring Your Own Device (BYOD) culture coupled with our love of texting is used by cybercriminals to commit cybercrimes, including ransomware attacks, data theft, account takeover, and general theft. SMiShing uses text messages instead of emails as a conduit for a phishing scam. The text message-based scam isn’t new, but it is an ever-present danger.

What does the Uber SMiShing Scam look like?

Uber scam

The Uber scam text message we received seems to be periodically doing the rounds. A quick check on Reddit found a number of similar scams.

The message is a simple one; it contains a four-digit “Uber code” with the advice to reply STOP to the phone number offered in the text message.

What could possibly go wrong if you send STOP to this number?

This scam is similar to an Uber text message scam that focused on New Zealand residents last year. The scam was a “Premium SMS Scheme”. If you use the number in the message to send STOP or send any message to the number, you will be charged for doing so; the fraudster then receives this money.

A quick Google search for the number in the text message found that it is likely a premium rate number that will make a charge against your mobile phone account if used.

Alternatively, this could be an attempt to access your account. When you set up an Uber account you receive a code which is used to confirm the phone number associated with the account.

How can you tell it’s a scam?

This particular scam is a tricky one to work out; it could turn out to be a real message from Uber. The company has recently been in trouble for spam messages, sending many messages to individuals, each containing an Uber code. Uber is now being taken to court over similar, legitimate, text messages in a class-action lawsuit, the Uber Text Message TCPA Class Action Lawsuit.

Even if this message is not a Premium SMS Scheme scam, it pays to be vigilant. The email addresses and phone numbers of 57 million Uber customers were breached in 2016. You can check to see if your email address has been involved in the Uber or other breaches using this tool: https://haveibeenpwned.com/

It is also worthwhile making sure your Uber password is a robust one. The Defence Works recommends using a mix of three or four memorable words together in a string, a passphrase rather than a password. Combine this with Uber’s password policy requirement of including at least one number. You can reset your Uber password using this link:

https://auth.uber.com/login/forgot-password

If you receive a message like this and have not been in the process of setting up an Uber account, be cautious.

You should delete the suspicious text message and consider reporting it to Action Fraud Online.

Why not help your colleagues stay safe and send them this little reminder. Feel free to edit, copy/paste the advice below: 

The Uber SMiShing Scam

A text message, which seems to be from Uber, should be viewed with caution. This may be a Premium SMS Scheme scam. The message gives you an Uber code and a phone number to reply ‘STOP’ to unsubscribe. Be cautious about using this number as it is likely a premium rate number and you will be charged if you use it.

Don’t forget to share this with your colleagues and friends and help them stay safe.

Let’s keep breaking scams!

To help combat cybercrime in your business sign up for a free security awareness training demo.


Every year Verizon publishes a study called the Data Breach Investigations Report or DBIR. This has been an ongoing study since 2008 allowing the report to look at trends and patterns over time. One of the overriding points made in this year’s DBIR was:

“The most important defence is knowledge.”

Cybersecurity is as much about human behaviour as it is about technical hacks. This is borne out by study after study looking into the whys and wherefores of cybercrime.

Cybercriminals love to manipulate human behaviour and phishing is a great example of social engineering tricking people into doing the will of the cybercriminal. The 2019 DBIR report found that a third of data breaches began with a phishing scam. And according to Sophos, around 45% of UK firms have been a victim of a phishing campaign.

As is often the case, we have to fight fire with fire, and this is where security awareness training comes in. Training packages that help to give our staff the knowledge to defend our company are a perfect antidote to cybersecurity threats.

But, just what are the benefits of using an awareness training package at work?

5 Benefits of Security Awareness Training

Security Awareness Benefit 1: Better Security in Practice

Our staff can be our best asset when it comes to preventing a cybersecurity incident. This is because human error is said to be behind around half of all security breaches. Some reports have found human behaviour to be responsible for more than 90% of all cyber and data-related incidents.

Actions such as “inappropriate sharing of data between devices”, “physical loss of mobile devices”, and “further inappropriate use of resources” are behind many of our breaches. Making people aware that their actions can result in serious breaches can help to prevent poor security practices.

Understanding the principles of security hygiene can be a really helpful tool in preventing some of the simplest, human-error based security mistakes.

A recent survey showed that around half of employees admitted to sharing passwords with co-workers. Just a simple message explaining why sharing a password can be a security issue can help prevent an incident.

Security awareness training puts in place better security practices so that employees can apply them in their day-to-day jobs.

Security Awareness Benefit 2: Being Proactive Rather Than Reactive

Cybercrime is a major problem for all of us. With costs spiralling out of control we have to take a deep breath and proactively solve this. Security awareness training gives you the means to proactively tackle cybercrime.

Your staff will be trained to spot tell-tale signs of phishing and to know what a scam looks like. Business Email Compromise (BEC) scams, which steal money from a business using social engineering, have been estimated by a Lloyds Bank survey to have targeted over half of UK firms.

Security awareness training puts you and your staff in the driving seat when preventing cybercriminal attacks against your business.

Security Awareness Benefit 3: Controlling the Costs of Cybercrime

Cybercrime costs, big time. Accenture’s Ninth Cost of Cybercrime report, which is based on interviews with 2,647 senior leaders from 355 companies, presents some shocking data:

  1. Organisations are spending more to prevent cybersecurity incidents. The average spend on preventing attacks increased from US$1.4 million (£1.1 million) to US$13.0 million (£10 million) in 2018.
  2. There has been a 67 percent increase in breaches over the last 5 years.

And smaller organisations are not exempt from the long arm of the cybercriminal. Even the smallest companies are feeling the costs of cybercrime with the cost of a cyber-attack ranging from £500 to £5,000.

Security awareness training can be a value-add option in managing the cost impact of cybercrime that purely technical approaches incur.

Security Awareness Benefit 4: Help with Regulation Compliance

Regulations around data protection are becoming increasingly stringent. Legislation like the DPA 2018 in the UK and GDPR across Europe is focusing companies on protecting the data of their customers and employees. Others, like PCI DSS, which applies to organisations that process financial data, also require security measures to be in place.

Many of these data protection laws and frameworks either strongly encourage or mandate the use of security awareness training. Having an awareness program in place can also help to ward off the heavy fines of such regulations.

Security Awareness Benefit 5: Better staff morale and engagement on security matters

A cybersecurity incident costs money and it can also cost jobs.

A survey by Kaspersky which took data from over 6,000 businesses across the world, found that in 31 percent of cases an employee was sacked following a data breach.

Engaging staff on a program of security awareness training helps to foster a culture of security. What this means in practice is that by using security awareness training you create a “band of brothers and sisters” mentality in your company. This mindset makes cybersecurity everyone’s business and helps us all to ward off cybercrime. Your staff will even be able to take the training into their home and help family members too.

Use security awareness training as a company-wide plan to build engagement on all matters of security.

Security awareness training is something that any size of organisation can use to create a cyber-safe environment for staff and the business. Security awareness training has many benefits, but one of the best is that it helps give staff the confidence to do their job even with the spectre of cybercrime hanging over them.

Why not sign up for a free demo and find out how our award-winning security awareness training can help your organisation.


When we think of a phishing email the image we may have is of an email with links in that when clicked go to a spoof website. Whilst this is true much of the time, phishing emails also come in the form of malicious attachments. This week’s scam post is an example of just that type of phishing email.

The Voicemail Scam Email

The email we received in this week’s scam has the title “You have a New Telephony network message”. This type of message is quite a common one in the era of the virtual office. The use of managed office services means that company owners may often receive a voicemail message in an email from the virtual office.

Telephone message attachment scam

This makes this form of scam a feasible option for a cybercriminal. In other words, the recipient may well be expecting such an email and not think before opening the attachment; these types of scams are more likely to get a positive result for the fraudster.

What Happens if You Click to Download the Attachment?

Our phishing email attachment was a .html file and not an actual voice recording. Voicemail recording file formats are normally something like .wav, .au or .mp3. When clicked, the .html file opens to show a spoofed form asking for a password. If you enter a password it will be stolen and used for other nefarious deeds. Cybercriminals recognise that users often reuse passwords for a variety of online accounts.

In another, similar form of the scam, clicking on the ‘voicemail’ attachment will download malware to your computer.

Where we’ve added the red blocks, this is actually where the scammer had sneakily included the name of the organisation they were targeting, to try to add to the authenticity of the email.

Tips to Avoid Being Scammed

Be aware of phishing emails: The tell-tale signs of a phishing email, in whatever form it takes, should be part of your company training for all employees. Signs such as:

  • Does the sender’s email address look legitimate?
  • Are there grammatical errors and other signs of poor composition? In our example above, the title was “You have a New Telephony network message”, which had an errant space between “New” and “Telephony” and mixed the case of the letters.
  • Does the content of the email look realistic and represent the brand it purports to be?
  • Is it personalised using your name in the salutation or generic?

Always log in directly to an account: Never click links or download voicemail attachments if you are unsure of the origin of the message. Go to your virtual office account directly and log in from there to access messages.

Email phishing messages like this are regularly used as bait by fraudsters. Stay cyber-safe by being security aware.

Why not help your colleagues stay safe and send them this little reminder. Feel free to edit, copy/paste the advice below:

The Voicemail Scam

A scam email is doing the rounds. The email contains a ‘voicemail’ from your company virtual office or similar account. Be very cautious about any emails you receive with such attachments, especially if the attachment is an HTML file or similar. Clicking on this attachment will take you to a spoofed form which requests a password. If you enter a password it will be sent to a cybercriminal for possible use in other online accounts you own.

DO NOT download any attachments from this email.

Don’t forget to share this with your colleagues and friends and help them stay safe.

Let’s keep breaking scams!


Back in 2014, the GSMA established that the world contained as many mobile devices as human beings. Mobile phones are ubiquitous. Most of us take them everywhere we go; we use them at work and play. The trouble is, this little packet of goodness is connected to everything else via the Internet and apps. This combination of universal use and openness to the world attracts cybercriminals like bees to honey.

RSA, in their “Current State of Cybercrime 2018” report, found that mobile threats are abundant. In fact, over 60% of online fraud is via mobile platforms according to their survey. And the route into the fraud – 80% of mobile fraud is via mobile app and not mobile web browsers. Just as an example of the scope of the threat, Google had to recently remove over 200 apps from the Google Play Store that were infected with one particular type of malware (Simbad). This is just the tip of the iceberg.

Types of Mobile Security Threats

Like any other cybersecurity threat, the starting place for preventing a threat from becoming a security incident is to know what you are up against. One of the worrying trends in all malware, including mobile malware, is that the underlying program is becoming more ‘intelligent’. That is, the code can morph how it works and even hide from detection by antivirus tools. So it is hard to keep up to date with specific malware types, as they are likely to change. Security awareness training programs are designed to keep people up to date with this ever-changing security landscape. However, you can also look at the general ways that cybercriminals operate and focus on those. This can help you to reduce the chances of becoming a victim of cybercrime via a mobile device.

Some of the more prevalent mobile threats include:

Mobile Ransomware

Symantec found that mobile ransomware increased by 33% in 2018. Ransomware that affects a mobile device is similar to its desktop counterpart: it performs a malicious action, like locking the mobile device and/or stealing data. Like the desktop version, you will see a screen message telling you to pay up to unlock your phone and get your data back.

Apps are behind many mobile ransomware attacks. If you download and install an infected app from a store your phone will become infected with the ransomware.

Ransomware doesn’t just affect Android phones; iPhones are susceptible too. There was even a recent fake ransomware attack in the UK that affected iPhone users. The victims of the fake mobile ransomware saw a screen demanding payment in the form of a £100 iTunes Gift card. It turned out the phone wasn’t infected with ransomware, but the phone owner would have to know how to remove the threat to get back into their phone, all the same.

Mobile Banking Trojans

Trojanised apps are downloaded from both legitimate and illegitimate app stores. Sometimes they are also hidden in games. They present a convincing fake bank app interface when you go to use your mobile banking app. You think you’re logging into your bank, when, in fact, you are logging into a fake site. Banking trojans can also connect your mobile to a remote server which contains various bank spoofs. When you launch your legitimate banking app, this server recognises which banking app you are using and presents the spoof app interface to you. Once you enter your bank credentials, they are sent, via the cybercriminal in control, to the real bank login page and hey presto, the cybercriminal is in your bank account. There are many variants on the theme of stealing bank login credentials, so it is wise to keep on top of this security threat. Mobile banking trojans increased by 58% in Q1 2019.

SMiShing

Mobile apps aren’t the only way malicious activity occurs on a mobile device. Mobile phones have their own version of the phishing email in the form of text phishing or ‘SMiShing’. Some malware, like TimpDoor, will try to enter the mobile device via a text message. In the case of TimpDoor, the user receives a link in a text message; if they click on it, they see a webpage or a message to download a voicemail. If they do so, a backdoor is created using malicious code. This backdoor allows the cybercriminal to enter the corporate or home network via the phone, infecting the network or exfiltrating data. The Defence Works wrote recently about a Natwest SMiShing scam that used text-based phishing links to steal bank login credentials.

7 Tips to Mobile Security

We love our mobile phones. But instead of throwing them away to avoid becoming a victim of banking trojans, ransomware or any other malicious program, we can take these precautions:

  1. Keep your mobile operating system and other apps updated.
  2. Be careful where you download apps from, and which apps to use – be ‘app-choosy’.
  3. Watch out for fake apps. If you get an invite for an app, check out the app before you download. Go online, research it. Does it look legitimate? Check for spelling and grammatical errors in the app descriptions.
  4. Don’t click on the links for mobile app downloads in social posts or reviews. Always go to a company website directly, or carefully choose from a legitimate app store.
  5. Use a security app to protect your device and data.
  6. Back up your data frequently.
  7. Stay aware of mobile security issues and new mobile malware threats.