Cybersecurity Newsletter - Issue 4
Updated: Mar 12
2 Dec 2020
Keeping an eye on cyber news and threats
Christmas is only a few weeks away and with that in mind I thought this week’s newsletter should focus a little bit on online shopping, so I have some news on hackable doorbells, online card skimmers and how to check for fake reviews on Amazon.
Numerous vulnerabilities found in smart doorbells
Smart doorbells have become increasingly popular over the last year or so, and you may even have bought one during Black Friday week or on Cyber Monday. They are a useful security addition for seeing exactly who is outside your home, but they could be an easy target to hack according to a recent study by Which?, the consumer group. They tested 11 devices bought from online marketplaces and found many had poor data encryption or weak password policies, meaning the devices could be hacked either to turn them off or to access network passwords and hack other smart devices in the home. One particular brand was actually sending users’ home network names and passwords to unencrypted servers in China.
Amazon have removed some of the products in question, but eBay have said that the products don’t violate their own safety standards. Tighter regulations are clearly needed because consumers are making themselves vulnerable to hacking without realising, because how would they know?
As technology advances, it should be getting more secure (most of the time it is) but it is also becoming widely available and easy to produce, which leads to many small brands turning a quick profit by selling cheaper versions of smart devices without the embedded security that is supposed to go with them. This is leading to more and more insecure devices being used by consumers and providing hackers with numerous open doors.
Always be careful when buying devices such as these from online marketplaces because they have become saturated by smaller brand names offering cheaper products. I’m not saying that you shouldn’t buy them at all, but be sure to read through the reviews properly as these small brands have a reputation for posting fake reviews or providing a financial incentive for good feedback.
Your best bet is to try and stick to well-known brands you trust or can verify with a little bit of research. It may cost more or take a little more time, but don’t let cost or convenience compromise your security.
You can find more information and details on some of the brand names here:
New online credit card skimmer found
In keeping with the online shopping theme, a new tool has recently been discovered that copies your credit card details by posing as a very convincing legitimate PayPal payment page.
The skimmer is a malware tool that hijacks your PayPal checkout process when making an online purchase and directs you to a very convincing fake page where it asks for your credit card details.
It’s not the first online card skimmer but it’s the first of its kind in how it works - it uses postMessage to inject PayPal iframes into the checkout process. postMessage is a browser feature (window.postMessage) that lets scripts in different windows or iframes send messages to each other even when the pages come from different sites, whereas scripts can normally only interact between pages that share the same protocol, host and port number (the same-origin policy). So unlike other fake payment pages this script allows the attackers to bypass the usual restrictions of a script and send payment details back to themselves more convincingly.
The clever tool will also grab previously entered details and auto-fill them throughout the transaction, making it look more authentic. Once your details have been stolen, you will then be redirected back to the original page and the transaction completed, and you will be none the wiser.
So with the technical bit out the way, how do you prevent yourself from becoming a victim of this?
Normally, these pages are fairly easy to spot but this one goes to a lot of effort to seem legitimate. Most of the responsibility lies with the e-commerce companies to detect and prevent these types of tools, so all we can do is be careful when shopping online. Do this by setting up 2-FA on PayPal, shopping on sites you trust and being vigilant with transaction pages.
You can find more information on this topic at threatpost.com.
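For site owners, the cross-site messaging described above is safest when the checkout page checks every incoming message before acting on it. The following is an added example, not code from the skimmer research or from PayPal; the origin allowlist, the message shape and the function names are assumptions made for illustration.

```javascript
// Added example: validate postMessage events on a checkout page.
// TRUSTED_ORIGINS, the message fields and all names here are assumptions
// for illustration, not any payment provider's real API.
const TRUSTED_ORIGINS = new Set(["https://www.paypal.com"]);
const ALLOWED_TYPES = new Set(["payment-approved", "payment-cancelled"]);

// Returns a reason string when the event must be ignored, or null if it is OK.
function rejectReason(event, expectedSource) {
  // 1. Exact origin match. A prefix or substring check would accept
  //    lookalikes such as https://www.paypal.com.example.net.
  if (!TRUSTED_ORIGINS.has(event.origin)) return "untrusted origin";
  // 2. The message must come from the iframe this page created itself,
  //    not from another frame that was added to the page later.
  if (event.source !== expectedSource) return "unexpected source window";
  // 3. Treat the payload as untrusted: plain object, known type, no extras.
  const d = event.data;
  if (d === null || typeof d !== "object" || Array.isArray(d)) return "malformed data";
  if (!ALLOWED_TYPES.has(d.type)) return "unknown message type";
  const extra = Object.keys(d).filter((k) => k !== "type" && k !== "orderId");
  if (extra.length > 0) return "unexpected fields";
  if (typeof d.orderId !== "string" || !/^[A-Z0-9]{1,32}$/.test(d.orderId)) return "bad orderId";
  return null;
}

// Constructed sample events, standing in for browser MessageEvent objects.
const payFrame = { name: "frame-created-by-checkout-page" };
const otherFrame = { name: "frame-not-created-by-checkout-page" };
const ok = { type: "payment-approved", orderId: "ABC123" };
const samples = [
  { origin: "https://www.paypal.com", source: payFrame, data: ok },
  { origin: "https://www.paypal.com.example.net", source: payFrame, data: ok },
  { origin: "null", source: payFrame, data: ok }, // sandboxed or data: frame
  { origin: "https://www.paypal.com", source: otherFrame, data: ok },
  { origin: "https://www.paypal.com", source: payFrame, data: { ...ok, card: "x" } },
  { origin: "https://www.paypal.com", source: payFrame, data: "payment-approved" },
];

function classifySamples() {
  return samples.map((e) => rejectReason(e, payFrame));
}

for (const [i, r] of classifySamples().entries()) {
  console.log(`sample ${i}: ${r === null ? "accepted" : "rejected (" + r + ")"}`);
}
```

In a browser, `rejectReason` would be called at the top of the page's `message` event listener, with the payment iframe's `contentWindow` as `expectedSource`.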
Dutch journalist gains access to EU defence video conference
Going a little off-topic from this week’s shopping theme, a journalist from Dutch media outlet RTL Nieuws was able to join a high-level EU video conference after the Dutch defence minister accidentally posted an image to Twitter that contained some of the login details.
The details contained the meeting number and 5 digits of the 6-digit passcode, which allowed the journalist to guess the last number, and to his complete surprise he was allowed into the meeting.
He apologised after foreign policy chief Josep Borrell told him he had joined a secret conference and should leave, which some of the officials found amusing, and he left soon after.
Although quite comical, it highlights the need to be careful what you post online and what may be in the pictures you post. The interruption caused the conference to be abandoned, which to me begs the question – shouldn’t these high-level conferences have tighter security? Why did they let him in without checking who he was?
This week’s top tip – Fake Amazon Reviews
With Christmas just around the corner and many of us still not being able to go shopping in our local high street, we are turning to buy our gifts online more than ever. Thinking back to what I said before about small brands posting fake or manipulated reviews, wouldn’t it be great if we could weed them out and get a more realistic rating? Well, you can. Sometimes it can be obvious when there are numerous low ratings mentioning the same flaw in a product, but also a lot of five stars saying ‘great product, great quality’ in between them, but sometimes it can be harder to tell. That’s where sites like fakespot.com and reviewmeta.com come in.
Simply paste the link of a product into the site and, using clever algorithms, the site analyses the product reviews and removes ones it believes to be not genuine or too generic, leaving you with a nice adjusted rating at the end. Fakespot even has a browser extension so you can check on the go as you shop. A handy little tool indeed for when you want to make sure the product you buy is good quality.
That’s all for now, see you next week.