A Review of the Best News of the Week on Identity Management & Web Fraud

Bomb Threat, Spammers Abused Weakness at GoDaddy.com (Krebs on Security, Jan 22 2019)
“Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.”

Facebook Shuts Hundreds of Russia-Linked Pages, Accounts for Disinformation (Dark Reading, Jan 17 2019)
Facebook says the accounts and pages were part of two unrelated disinformation operations aimed at targets outside the US.

Google Made a Quiz to See if You Can Identify Phishing Emails (Motherboard, Jan 22 2019)
Google’s Jigsaw has a new quiz to test your ability to distinguish phishing emails from regular, benevolent ones.


Hackers Use PayPal to Phish with Ransomware (Infosecurity Magazine, Jan 18 2019)
The new attack method combines “a ransom note that directs victims to a PayPal phishing page…Clicking on the Buy Now button, it directs to the credit card part of the phish already (so the login part is skipped). After filling & clicking Agree comes the personal info part & then finished,” the team tweeted. Once that payment is processed, the victim receives a confirmation.

Senator Wyden Hammers T-Mobile For Empty Promises on Sale of Cell Phone Location Data (Motherboard, Jan 18 2019)
The Senator expressed “disappointment” and “disbelief” at CEO John Legere’s unfulfilled promise to end the sale of geolocation data to “shady middlemen.”

Report: Facebook’s Privacy Lapses May Result in Record Fine (SecurityWeek, Jan 21 2019)
Facebook may be facing the biggest fine ever imposed by the U.S. Federal Trade Commission for privacy violations involving the personal information of its 2.2 billion users.

Cybercriminals Home in on Ultra-High Net Worth Individuals (Dark Reading, Jan 23 2019)
Research shows that better corporate security has resulted in some hackers shifting their sights to the estates and businesses of wealthy families.

Data Broker That Sold Phone Locations Used by Bounty Hunters Lobbied FCC to Scrap User Consent (Motherboard, Jan 23 2019)
Zumigo, which sold the location data of American cell phone users, wanted the FCC to remove requirements around user consent.

Most Facebook users aren’t aware that Facebook tracks their interests (Help Net Security, Jan 18 2019)
74% say they did not know about the platform’s list of their interests (ad preferences page) before being directed to it for the purposes of the survey. 60% of Facebook users have 10 or more categories listed on their ad preferences page.

Marco Rubio Proposes New Federal Data Privacy Bill (SecurityWeek, Jan 18 2019)
U.S. Senator Marco Rubio (R-Fla.) introduced a bill on Wednesday designed to provide privacy legislation for the entire nation — that is, federal law. It is based on the Privacy Act of 1974, which was introduced post-Watergate to protect people from government storage and retrieval of personal data.

How Cybercriminals Clean Their Dirty Money (Dark Reading, Jan 22 2019)
By using a combination of new cryptocurrencies and peer-to-peer marketplaces, cybercriminals are laundering up to an estimated $200 billion in ill-gotten gains a year. And that’s just the beginning.

BioCatch launches new behavioural biometrics offering to combat vishing (Help Net Security, Jan 22 2019)
In a typical vishing fraud, the criminal dupes their victims into performing financial transactions. For example, a fraudster may call the victim disguised as a security official from his or her bank and, after establishing trust, coerce the victim into transferring funds from his or her account into the scammer’s account as a ‘security measure.’ Other forms of impersonation include pretending to be a law enforcement representative.

Former employee blamed for hack of WordPress plugin maker (WeLiveSecurity, Jan 23 2019)
The plugin’s users are recommended to change their passwords on WPML’s website following havoc reportedly wrought by a disgruntled ex-employee.

How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory (AWS Security Blog, Jan 21 2019)
“Here, I’m going to explain how to automate federation between AWS Identity and Access Management (IAM) in multiple AWS accounts and Microsoft Azure Active Directory (Azure AD).”

Trends in Digital Identity: 15 Predictions for 2019 (ThreatMetrix, Jan 10 2019)
1. Fraud attacks go mobile-first
By the end of the year, mobile attack rates will surpass desktop rates for the first time. From fake or hijacked mobile apps, to phishing and smishing scams, to malware infiltrations and more, mobile will become the #1 channel for attacks for one simple reason.