Category: News

Cyber Security Attacks During Pandemic, its Cost on Small Businesses, and How They Can Tackle Such

One of the most challenging issues for small businesses is cyber security. The Covid-19 pandemic has posed a bigger threat for cybercrime as it has forced many businesses to operate remotely. Studies reveal that in small business workforces, 63% are now working remotely. Coupled with the lack of basic cybersecurity knowledge, 53% of those in the US believe they are now more vulnerable to cyber attacks more than ever.

Being a small business doesn’t mean small costs when it comes to cyber attacks. Studies show 23% of small businesses had suffered at least one attack in the last year and the average cost is $25,612.

The most common point of entry for cyber criminals is the company servers, so a critical step in order to minimize vulnerabilities is to ensure that they are secured. That being said, employees should be vigilant against cybercrimes and they need to be educated and involved on how to prevent this. It is important to be able to identify what is and isn’t a reasonable online request, detect any intrusions and continue monitoring until issues are resolved. Alerts are to be in place in both automatic and manual logging. It is critical that businesses have robust procedures to mitigate any risks brought about by the new work practices. A simple checklist for internal staff could mean saving the business tens of thousands of dollars. Regular cybersecurity awareness training should be updated with this kind of basic knowledge.

Fake COVID-19 Vaccination Cards Sold by Scammers

The public is alerted of the many fake government-issued COVID vaccination cards sprouting online. There are listings of blank vaccination cards with the Centers for Disease Control and Prevention (CDC) logo found on e-commerce sites such as eBay, Etsy and Shopify.

FBI issued this alert reminding everyone that by purchasing fake COVID-19 vaccination cards, not only you are endangering yourself and those around you, but you are also breaking the law. Violators caught selling and buying these forged vaccination record will be subject to prosecution with a corresponding fine and/or imprisonment of up to 6 months. Meanwhile, unauthorized use of an official US government seal is considered a crime thus if the cards have the official CDC seal, the penalty for those responsible in printing it would face additional fine and a sentence of maximum five years in prison. 

AOL Users: Beware of this Phishing Email

If you are still using AOL, be wary of this “old school” email phishing scam. According to a post from BleepingComputer, the said scam is underway to steal users’ login name and password by warning recipients that their account is about to be closed. Its subject indicates – “Mail Box will close in 3 days log in to re-activate.” The email content states that users will need to login and verify their email within 72 hours with the following warning:

“We noticed you haven’t updated your account information recently, and since your security is our top priority, we plan to close this account as soon as possible. It’s going to take 3 days unless you act soon. Unless you verify this account, it will be closed in 72 hrs,” 

Clicking the link so you could “verify” your account will redirect to you a phishing landing page. This fake page will ask users to enter their login info (email + password) before sending them to the standard AOL login page. If, for some reason, you fell for this scam and have already entered your login details, the first thing to do is change your password ASAP. You may also contact AOL support if you need help in doing so. Always keep in mind to never click such emails. Make it a habit to apply these basic practices to keep your account safe.

  • Check that the email comes from a legit source and whenever you enter your login credentials on a website, make sure that the link is secure and not a spoofed one.
  • Don’t click on pop-ups (online quizzes, fake software updates, discount coupons and the likes). They will direct you to malicious websites.
  • Use firewalls and install an antivirus software.
  • Lastly, do not share your personal information on the web – birthday, bank details, maiden name, etc. Avoid filling up forms which requires you to enter such details.

Posting your COVID-19 Vaccination Card on Social Media is a Big No-No

You just got inoculated so you’re surely excited to share the news to your family and friends. But the Better Business Bureau (BBB) has a warning after you receive your Covid-19 vaccine dose – don’t share your vaccination card on social media! Your card has your full name and birthday on it, along with other self-identifying information so it’s a big no-no to post this on the web. This careless move is highly prone to identity theft especially if your social media privacy settings is set to ‘public’. Apart from stealing your personal info, scammers will also have an insight what the card looks like and can easily create templates to produce fake ones.

BBB also added not to indicate where you were vaccinated and shared the following safety tips instead should you wish to share your vaccination news:

  • Share your vaccine sticker or use a profile frame. The CDC designed printable Covid-19 vaccine stickers that you can flaunt once you’ve gotten your shot. You can also make use of profile frames from Facebook showing that you’re already vaccinated.
  • Review your security settings. Check your security settings on all social media platforms to see what you are sharing and with whom. If you only want friends and family to see your posts, be sure that’s how your privacy settings are configured.
  • Be wary of answering popular social media prompts. Sharing your vaccine photo is just the latest social trend. As a general rule: think twice before participating in other viral personal posts.

If you went ahead and have already posted your vaccine card, you can always delete and simply repost the photo with the important details blurred out or covered with a sticker. Better safe than sorry!

Coronavirus [COVID-19] Phishing Emails

The current COVID-19 pandemic has cybercriminals on the loose. They have been taking advantage of this global crisis, preying on people’s fear, in order to obtain personal information and infect computers for profit. They scam people by sending phishing emails claiming to be from legit sources like the World Health Organization (WHO) or from the Centers for Disease Control and Prevention (CDC). These spoofed emails supposedly contain safety measures and treatment for the virus, travel advisories, or the latest health bulletin. It may also have advertising links selling bogus COVID-related products like vitamins and supplements.

When receiving such emails, one must exercise these safety precautions:

  • Always bear in mind that health agencies like the CDC and WHO will never ask for personal details or login credentials thus do not give out any information. You may go directly to the agency’s official website if you need to verify facts and data.
  • Double check the sender’s email address by hovering over its name. Scammers will type in a fake one that closely resembles that of a legitimate source so watch out for spelling errors. Simply ignore or delete emails from senders you don’t know.
  • Avoid clicking any of the links included in the suspicious email you have received. Do not also open any attachments as this may download a malware into your device. Once installed, this would allow cybercriminals to monitor your computer activity and record your keystrokes giving them eventual access to your personal info like banking details.
  • Make sure that your computer is always up to date with the latest antivirus and anti-spyware programs. Watch out for the latest security updates, apply necessary patches, and have a good firewall.
  • News coverage about the coronavirus is truly overwhelming. Make yourself informed by going directly to reliable sources. Be vigilant not to fall prey into any of the phishing scams these cybercriminals are trying to exploit in the midst of public paranoia and panic.

    Shlayer Trojan: Mac Malware Infecting 10% of Mac Users

    A lot of computer users assume that Macs rarely or don’t get infected at all with malware. But this is not the case. Just recently, antivirus provider Kaspersky has cited in their report that in 2019, the top Mac malware infecting 1 in 10 macOS users is the Shlayer trojan. According to their press release, OSX/Shlayer is the “most widespread for macOS users. A smart malware distribution system, it spreads via a partner network, entertainment websites and even Wikipedia, demonstrating that even users that only visit legal sites still need additional protection online.

    What happens is that Apple users are being directed to fake pages from their search results. From there, they could not proceed in accessing the site because their Adobe Flash Player must supposedly be updated first. Clicking the “Download Flash” button to update will actually download the Shlayer Trojan itself. When this trojan is executed, it will install a malware cocktail onto the computer.

    To protect one’s self from getting infected with Trojans such as Shlayer, whether you’re a Mac or Windows users, make sure to install a reliable antivirus (AV) program on your PC and keep it updated. Perform necessary updates to your AV software if necessary. It is also a good practice to always check websites you visit that they are safe and only install browser extensions, programs, games, apps, and updates from a trusted source.

    Special Olympics NY Server Compromised, Sends Phishing Emails

    Special Olympics New York, a non-profit organization that helps provide opportunities for people with intellectual disabilities and their communities to compete in Olympic-style, coached sports had its email server hacked during the holidays. The hackers were able to compromise and launch a phishing campaign targeting its donors. It tells the recipients that an automatic donation of $1,942.90 would register on their accounts in the next two hours. The phishing email tricks the victims into clicking the hyperlink which is supposedly the PDF statement verifying the transaction details.

    In a post via their Instagram account, Stacey Hengsterman, President & CEO of Special Olympics NY, published this: “Boo! As you may have noticed, our email server was temporarily hacked. We have fixed the problem and send our sincerest apologies. While donating to Special Olympics NY is always a good idea, we would never ask in such a grinchy way.

    They urged the donors to disregard the emails they received and assured them that the issue has already been fixed. They can now continue donating again securely without any complications. Furthermore, Special Olympics NY explained that the incident has only impacted their communication system and hasn’t affected any financial data. Contact information remained protected and kept confidential.

    First Aid Beauty, P&G’s online beauty store, Hacked

    It seemed that hackers were successful in stealing customer payment information by planting an e-skimmer on prestige skin-care brand First Aid Beauty’s website. This popular beauty line was recently acquired by Procter & Gamble (P&G) reportedly at $250 million.

    It is again the notorious Magecart software skimmer who is responsible for this attack on P&G’s e-commerce site. It specifically targets victims from the United States using the Windows OS. The malicious code went undetected for several months.

    Procter & Gamble has already issued their statement via BleepingComputer which says: “Consumer trust is fundamental to us, and we take data privacy very seriously. As soon as we learned about the compromise of the First Aid Beauty site, we moved quickly to take the site down and minimize the impact to our consumers. We are currently investigating the source of the malware and working to identify and notify those consumers who might have been impacted to ensure we provide them the necessary support.

    TransUnion Credential Stuffing Attack: Credit Information Exposed

    Credential Stuffing, a cyberattack where login details are stolen through a data breach, was on topic in the news recently. An unauthorized person used this attack to successfully gain access to a TransUnion Canada web portal where it was able to pull consumer credit files when doing a credit search. This includes a consumer’s Social Insurance Number (SIN), birthdate, current and past addresses.

    The credit bureau has already reached out to their affected consumers whose information was exposed in this credential stuffing attack through postal mail.

    “Simjacker” Could Silently Affect 1 Billion Mobile Devices Worldwide

    Cybersecurity researchers from Dublin-based firm AdaptiveMobile Security have recently uncovered a new and previously undetected vulnerability and associated exploits, called Simjacker. What Simjacker does is track phones by simply sending an SMS. Based on the report, these specially crafted texts “instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands”. Once compromised, important information like geographical locations can be obtained and it may also force the phone to make calls or send text messages. 

    How Simjacker works from

    Simjacker is reportedly being exploited by groups as surveillance to spy and track targeted individuals. It is estimated that about a billion mobile devices worldwide will be vulnerable to this attack.