Cyber crooks have targeted travel firm Booking.com in a bid to steal hundreds of thousands of pounds from customers. Users were sent WhatsApp and text messages claiming a security breach meant they needed to change their password.
But the link gave hackers access to bookings and they then sent follow-up messages demanding full payment for holidays in advance with bogus bank details provided. These appeared genuine as they included personal data including names, addresses, phone numbers, dates and prices of bookings, and reference numbers. Marketing manager David Watts got a WhatsApp message but realised it was a scam.
Basically, phishing is a type of fraud that aims to extract personal data: logins, passwords, wallet numbers, and so forth. It’s essentially digital social engineering.
There’s a variety of phishing known as spear phishing. What distinguishes spear phishing from other types of phishing is that it targets a specific person or employees of a specific company. That targeting makes spear phishing more dangerous; cybercriminals meticulously gather information about the victim to make the “bait” more enticing. A well-produced spear phishing e-mail can be very difficult to distinguish from a legitimate one. So, spear phishing makes it easier to hook the victim.
The holidays are upon us, and so it is time to remind ourselves once again of just how much cyber criminals enjoy playing on the very fears of consumer fraud they elicit.
If the last thing you want interrupting your time with friends and loved ones is a slew of fraudulent bank charges, you’ll need to keep your wits about you. As you read this, an illicit campaign is underway to deceive PayPal users into believing recent transactions they’ve made “could not be verified.” In emails bearing PayPal’s logo, consumers are warned that PayPal has detected suspicious activity on their accounts and that the company requires updated information to avoid fraudulent charges.
Phishing is still a key tool for cyber criminals as they seek to insert malware onto machines and to get hold of personal details.
Although most people are aware of the threat, there are still some subject lines that are much more likely to deliver results for the phishermen than others, according to security awareness training specialist KnowBe4, which has released its Top 10 Global Phishing Email Subject Lines report for the third quarter of 2017. The company looked at tens of thousands of email subject lines used in simulated phishing tests to uncover just what makes a user want to click.
Hackers have launched a new phishing campaign against LinkedIn members that uses compromised LinkedIn accounts to send messages with malicious links and downloads to potential victims in an attempt to steal credentials and personal information.
The campaign, first spotted by security researchers at cybersecurity firm Malwarebytes, makes use of real LinkedIn accounts that have been compromised in order to make the phishing messages sent via LinkedIn’s messaging system appear legitimate. According to Malwarebytes researchers, the attackers have managed to hijack a number of LinkedIn member accounts.
Vendors relying on Mastercard’s Internet Gateway Service for processing online payments ought to double-check every transaction before they send out items to customers.
There is a critical flaw in the system’s validation protocol and it appears the company is completely ignoring it. An independent security researcher has stumbled upon a glaring flaw in the MIGS protocol that allows hackers to spoof the payment system and trick merchants into accepting invalid transactions as successful. “It can be said that this is a MIGS client bug, but the hashing method chosen by Mastercard allows this to happen,” the researcher explains.
Twice in five days, developers of Chrome browser extensions have lost control of their code after unidentified attackers compromised the Google Chrome Web Store accounts used to issue updates.
The most recent case happened Wednesday to Chris Pederick, creator of the Web Developer extension. Last Friday, developers of Copyfish, a browser extension that performs optical character recognition, also had their account hijacked. In both cases, the attackers used the unauthorized access to publish fraudulent updates that by default are automatically pushed to all Chrome users who have the extensions installed.
The Gmail phishing attack that played out across Google's billion-user email platform Wednesday afternoon was "particularly insidious" and created by someone with considerable skill, say cybersecurity experts.
The scam involved sending users a malicious link from what looked like a familiar contact; when users clicked it and logged on, the hacker gained access to their Gmail credentials, thereby getting the keys to the kingdom for a user's entire online life — and enabling the virus to replicate itself. While Google says it has fixed the problem, it still remains a mystery who may have launched the worm that quickly made the rounds online.
A massive phishing campaign targeting Google accounts ripped through the internet on Wednesday afternoon. Several people online across a range of industries said they received emails containing what looked like a link to a Google Doc that appeared to come from someone they know.
These, however, were malicious emails designed to hijack their accounts. If you have clicked on the link, go to your Google account's page where you can manage the permissions you've granted to apps. Then locate the "Google Doc" app. This looks totally legitimate, but it's actually not.
A Chinese infosec researcher has reported an "almost impossible to detect" phishing attack that can be used to trick even the most careful users on the Internet.
He warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon, to steal login or financial credentials and other sensitive information from users. What is the best defence against a phishing attack? Generally, checking the address bar after the page has loaded and whether it is being served over a valid HTTPS connection. Right?