Weekly CyberTip: Disaster Relief Scams
In the wake of the disastrous storms hitting the Canadian east coast and the southeastern United States, threat actors have emerged to prey on the victims and others looking to provide assistance. For example:
- Cyber criminals are placing spoofed phone calls, pretending to be a representative from an insurance carrier, in an effort to collect personal information and insurance account details for the purposes of identity theft.
- Unsolicited calls, texts, emails and appeals over social media are asking for storm relief donations. Financial information is collected directly or via malicious websites, where it is then used to steal funds.
Tips to keep cyber safe:
- Verify that messages are legitimate before answering questions or volunteering assistance. Contact the organization directly by using another, independent line of communication.
- Understand that caller ID information can be spoofed. Always maintain a healthy skepticism.
- Understand that a caller from an insurance company should already have access to your information on their systems. Don’t share personal information over an unsolicited call.
- While the storm situation is serious, be wary of undue pressure from a caller to make an immediate donation. Reputable charities will accept a donation at any time.
- Place priority on donating to established charities or relief organizations whose work you know and trust. If you want to support an unfamiliar charity, first check their background on the Canadian government list of charities, or the Charity Navigator in the United States.
- Be wary if an organization asks you to donate through cash, gift cards, cryptocurrency, or wire transfers. Since these payment methods are difficult to trace, there’s greater risk. Stick to payment with credit card if possible.
CISA releases “Top 20” exploited vulnerability list
The Cybersecurity and Infrastructure Security Agency (CISA) has released a “Top 20” list of the most commonly exploited vulnerabilities targeted by Chinese hackers over the past two years. Topping the list is the infamous Apache Log4j vulnerability, which came to light in December 2021. Second place goes to a VPN product from Pulse Secure, which was patched in April 2021, while the third most exploited vulnerability was a remote code execution bug in the GitLab DevOps platform, which was remedied in November 2021. Four of the top 20 relate to now-fixed security flaws in Microsoft Exchange Server, while three others involve load balancers – one from Citrix and two from F5 Networks.
Given that fixes are available for all of these high-frequency hacking targets, companies using these technologies should consider prioritizing their patching efforts accordingly to mitigate risk.
2K Games confirms stolen player information now for sale on the dark web
2K Games has confirmed that data stolen in a recent cyber attack is now being offered for sale on the dark web. 2K suffered a security breach on September 20, in which an unauthorized third party accessed the credentials of one of their vendors to make malicious use of 2K’s Zendesk customer support platform. Posing as helpdesk analysts, the hackers targeted customers with fake support tickets designed to deliver malware via embedded links.
In a statement and communications to affected users sent last week, 2K Games advised that “[t]he unauthorized third-party accessed and copied some personal data that was recorded about you when you contacted us for support, including your email address, helpdesk ID number, gamertag, and console details. There is no indication that any of your financial information or password(s) held on our systems were compromised.”
“For users who clicked on the malicious link, we recommend resetting all online passwords and restarting your devices. However, we do not believe that the unauthorized third-party had access to any user passwords on our systems,” advises the company’s FAQ page about the incident.
2K has not confirmed what organization is responsible for the attack. However, game manufacturer Rockstar Games (which is owned by Take-Two Interactive, the same parent company that owns 2K) also suffered a recent security breach, allegedly masterminded by the Lapsus$ hacking gang.
Survey: 7 in 10 SMB employees surveyed engage in unsafe cyber practices
In a recent survey of employees of small-to-medium-sized businesses published by the Insurance Bureau of Canada (IBC), 72% of those responding reported at least one behaviour that could allow a cyber criminal to gain access to their company’s computer systems.
According to the report, these unsafe cyber practices include:
- 27% use one password to access multiple websites they use for work;
- 23% access public Wi-Fi while using their work computer;
- 19% download software/apps on their work devices that were not provided by their employer;
- 7% allow family members or friends to use their work computer; and
- 5% share their work login or password by email or text.
The results are just some of the findings in IBC’s inaugural “Cyber Savvy Report Card”, which rated Canadians with an overall “C” letter-grade for cyber safety actions and knowledge.
Other key metrics included:
- 42% say they have seen an increase in cyber scam attempts over the last year;
- Only about one-third of those surveyed (34%) report that their company provides mandatory cybersecurity awareness training; and
- 50% of those surveyed report that their companies have not yet implemented MFA.
Coinciding with Security Awareness Month, the IBC has also launched a new cyber education initiative called the Cyber Savvy Challenge, a portal with a quiz, tips and resources to help raise the security awareness level for all Canadians.