Scam Of The Week: “Mystery shopper” email
“Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control. Unlike many scams, there actually are legitimate mystery shopper companies, but they never advertise or recruit through emails.”
How this scam works is when a victim falls for the recruiting email, they are sent a bogus bank check that the bad guys ask them to deposit and then use for their “mystery” shopping. They spend some of the money on the goods that they buy, and are instructed to keep some of the balance of the check as payment for their services. However, the angle is that the victim gets instructions to return the remaining funds by a wire transfer. Obviously, the check is counterfeit, but the money that the victim transfers by wire is all too real.
Read full article: https://blog.knowbe4.com/scam-of-the-week-mystery-shopper-email
Security Headlines
Secrets of the Filecode ransomware revealed
Generally speaking, ransomware hits when you download a file, or are tricked into running an attachment, that claims to be one thing, anywhere from a fake invoice to a software crack…
…but turns out to be quite another.
The malware pops up a dialog to say that it “may take up to 10 minutes” to do its job, which is supposedly to hack Adobe Premiere or Office 2016 so you can keep on using it without paying the licensing fees:
https://nakedsecurity.sophos.com/2017/03/03/secrets-of-the-filecode-ransomware-revealed/
Amazon mega-outage caused by single command line error
This week’s great Amazon Web Services (AWS) S3 outage which kiboshed up to 150,000 websites including Netflix, Spotify, Pinterest and Buzzfeed was caused by an engineer mistyping a single command, the company has admitted.
Diving into Amazon’s mea culpa in more detail, it seems the engineer was trying to temporarily take down servers used by the S3 billing sub-system when the command line mishap caused a cascading problem that downed two really critical servers.
https://nakedsecurity.sophos.com/2017/03/03/amazon-mega-outage-caused-by-single-command-line-error/
Darkreading – Cyber Insurance Uptake Hampered By Skewed Data, Poor Communication
Sales of cyber insurance policies are suffering from a lack of shared data about security incidents, too few standard definitions, and not enough focus on risk mitigation for insurers or customers, according to a report from Deloitte released this week.
Value of the current cyber insurance market ranges from $1.5 billion to $3 billion, and remains a small fraction of the $505 billion revenues from all insurance premiums bought in 2015.
Many businesses have yet to purchase a cyber policy: not even a third of US businesses (29%) bought cyber insurance as of October 2016, according to a survey by the Council of Insurance Agents and Brokers that Deloitte cites. s.
Threats Converge: IoT Meets Ransomware
Ransomware is already a problem. The Internet of Things has had a number of security issues. What happens when the two combine?
Vendor Information
Apple pushing two-factor authentication for iOS 10.3 users
Beta users of Apple iOS 10.3 are reporting that they’re receiving push notifications from Apple to enable two-factor authentication (2FA) for their Apple IDs, which is used on Apple devices (like iPads, iPhones and Macs) to synchronize and share iCloud user data.
Apple’s 2FA provides an extra layer of security for iCloud data as well as for devices registered to an Apple ID, and it seems with iOS 10.3 that Apple is taking stronger measures to encourage its users to enable this feature.
20 Cybersecurity Startups To Watch In 2017
In spite of a slowdown in the overall funding activity from venture capital firms in 2016, the cybersecurity market continued to raise money at full steam. Last year saw the market break records in terms of funding deals, with Q3 tallying up to be the most active quarter for deals in cybersecurity in the last five years, according to CBInsights.
That influx of money is driving innovation in a number of areas. Particularly notable market segments targeted by these firms include security for data centers and public cloud infrastructure, security orchestration and incident response tools, and third-party risk assessment tools.
Verizon: Most Breaches Trace to Phishing, Social Engineering
Ninety percent of data breaches seen by Verizon’s data breach investigation team have a phishing or social engineering component to them. Not coincidentally, one of the hottest commodities on underground or dark web marketplaces are credentials, which attackers can use to log into enterprises and make it appear that they’re legitimate users.
“Because organizations don’t have multifactor [authentication] rolled out, it makes it trivial to get in,” says Chris Novak, director of global investigative response for Verizon, in a discussion about the company’s latest Data Breach Digest, a companion report to the company’s annual Data Breach Investigations report.
