Cybersecurity Newsletter - Issue 12
Keeping an eye on cyber news and threats
Hi everyone, welcome back to another issue of my cybersecurity newsletter. This issue includes HMRC text scams, a Facebook phishing campaign, a dangerously vulnerable mobile app and other ‘byte-size’ news.
Convincing HMRC tax refund text message scam
A new text message scam has been seen around the UK claiming to be HMRC, telling targets that they are due a tax refund due to an overpayment in the 2019/2020 tax year.
The scam has been described as ‘annoyingly believable’ by a Paul Ducklin, a researcher at Sophos. The text message contains a link to a very convincing website that looks almost exactly like a genuine HMRC form page, only at closer inspection can you spot a few spelling mistakes or bad grammar.
The form asks for details including mother’s maiden name – a popular security question, and then asks for bank account details including card number, expiry date and the CVV code. This is a big red flag that this is a scam, as they will never ask you for these details, besides, you submit these details when you need to pay for something from a trusted online retailer, not when someone is sending you money.
Keep an eye out for this HMRC scam text, if you are unsure if a text message is a scam, it’s best to believe it is and ignore it. Something like a tax refund may sound tempting, so check with HMRC directly or search online for reports of ongoing scams.
Facebook phishing campaign spreading to UK
A phishing campaign known as ‘Is that you’ that tricked nearly 450,000 users in Germany has now been reported in the UK.
Since this scam was discovered, an additional 20,000 users have fallen foul to the phishing campaign with 73% of the victims being within the UK. It is very similar to one seen before, the target receives a private message from an existing Facebook contact claiming to have a photo or video of them and upon clicking is directed to malicious websites that steal credentials and infect their device with viruses.
Always be wary of the types of messages, they are fairly common. If you aren’t sure if a link someone has sent you is genuine or not, confirm it with them personally that it’s safe before you click on it.
You can find more detailed information on this here.
· North Korea attempted to steal data from COVID vaccine makers Pfizer in yet another attempted cyber attack on the vaccine, it’s unclear at the moment how much data was stolen, if any.
· Several vulnerabilities have been found in a popular file-sharing app known as SHAREit that allows attackers to access all the files on a device with read and write permissions, allowing an attacker to change or delete files and install malware directly onto the phone. The app makers were informed of the vulnerabilities 3 months ago and still haven’t patched them.
· MacOS users are being locked out of their data due to a bug in Big Sur 11.2. The installer isn’t properly checking to see if the device has enough space to install which causes the installers to develop an error and locks people out of their data. They have now released Big Sur 11.2.1 Installer which checks for adequate space properly and works as expected.
· EXMO cryptocurrency exchange was hit by a DDoS attack (distributed denial-of-service) that took down their servers and their website. They are now back online and will refund any losses incurred to users during the downtime.
This week’s top tip – don’t plug in unknown USB sticks
Exactly as the title suggests, if you find a USB stick lying around somewhere that isn’t yours, in a car park, for example, don’t plug it in. Just don’t. As the old saying goes – ‘curiosity killed the cat’, the memory stick could be loaded with malware and left there on purpose so that some curious soul plugs the device into their laptop or computer to find out what’s on it, and as soon as they do the malware springs into action. It’s a technique that’s also used by penetration testers and is referred to as almost cheating because it’s a guarantee that someone will do it, a form of social engineering if you like – relying on a person’s curiosity to compromise them.
Most modern operating systems now block autorun on USB devices anyway and instead ask you what to do with it, but better safe than sorry.
That’s all for now, see you next week.