FBI warns of criminals escalating SIM swap attacks to steal millions

The Federal Bureau of Investigation (FBI) says criminals have escalated SIM swap attacks to steal millions by hijacking victims’ phone numbers.

According to complaints received by the FBI through the Internet Crime Complaint Center (IC3) in 2021, the number of SIM swap complaints from the US public and the losses reported have increased almost fivefold since 2018.

The FBI’s warning comes after the US Federal Communications Commission (FCC) announced in October that it had started working on rules that would put the brakes on SIM swapping attacks.
The FCC’s move is the result of numerous complaints received from consumers regarding significant distress and financial harm as a result of SIM swapping attacks and port-out fraud.

SIM swapping attacks behind millions in losses

SIM swap fraud (also known as SIM hijacking, SIM jacking, or SIM splitting) is a type of account takeover (ATO) fraud that allows scammers to take control of their victims’ phone numbers.

The crooks do this by tricking phone service providers into swapping a target’s phone number to attacker-controlled SIM cards either by using social engineering or with the help of one or more bribed employees.

After the SIM is ported, the criminals will receive the victims’ calls and messages, making it very simple to bypass SMS-based MFA, steal credentials, and take control of their victims’ online service accounts.

The vast majority of SIM swappers are financially motivated and usually target their victims’ online banking and cryptocurrency exchange accounts to steal money and virtual assets, as well as lock the victims out of their accounts by changing the passwords.

The FBI also shared tips on Tuesday regarding how individuals can protect themselves and how mobile carriers can defend their customers from such attacks, as well as info on how to report SIM swapping incidents.

If you haven’t added an account security PIN to your mobile service account yet, now would be a great time to do that!

Welcome to Cybersecurity Awareness Month.

I’m here to help

Would you feel comfortable with an EVIL STRANGER lurking inside your home with you and your family?

If you answered Yes to that… may as well just keep scrolling because this post is totally not for you…

We live in a time when online predators can enter our homes through the devices we use. We call these devices IoT (Internet of Things); I call them “Internet of Threats”. And in many cases you won’t have any idea they are watching or listening to you!

I’m told when I do speaking events that I tend to scare people when it comes to Cybersecurity. If you think this post is meant to scare you then… NAILED IT!

It is important that you take precautions to remove the risk of this happening. You don’t want to be another victim like that child who was talking to the predator through their bedroom security camera!

PLEASE make sure you enable two-factor authentication on your accounts. It isn’t bulletproof, but it is far better than not having it.

Do this on your social media accounts, your e-mail accounts, your banking accounts and EVERYWHERE that supports it.

I’ll just wait right here staring at you while you go do that…

Did you know that unprotected devices like many internet connected security cameras get indexed on a public site so that anyone can get access to them?

So, PLEASE do me a favor today and enable two-factor authentication! If you ever need help setting up two-factor authentication (2FA) or multi-factor authentication (MFA), reach out so I can help.

Auto Dialers

Did you ever get a one-ring call? What are they and what are they after?

Here is how the scam works:

1. The scammer sets up auto dialers to call as many people as possible, and hangs up after a single ring.

2. They use premium-rate or overseas phone numbers that resemble a U.S. number; for example, a number beginning with “232” looks like a U.S. area code but goes to Sierra Leone.

3. They hope you call back and then play some music, because as long as you don’t hang up you will be charged a significant per-minute fee.

Share this, and never call back one-ring calls!

NSA Warns Smartphones Leak Location Data

The agency known for its own questionable surveillance activity advised how mobile users can limit others’ ability to track where they are.

Mobile devices expose location data in more ways than most people know, and turning off services such as Find My Phone, Wi-Fi and Bluetooth can help mitigate tracking, but is no silver bullet that prevents a third party from tracking users. That’s the advice shared by the top U.S. spy agency, the National Security Agency (NSA).

The NSA released the advisory (PDF) this week informing people of the various ways mobile phones, by design, give up location information—which go beyond the well-known Location Services feature that people use on a regular basis. The agency also provided some tips on how privacy-minded people can limit the ways they’re being tracked.

Indeed, cybercriminals have been known to take advantage of the ability of smartphones to pinpoint a person’s location in the form of security threats such as stalkerware, spyware, socially-engineered phishing campaigns and others.

The NSA is in the business of collecting signals intelligence for the U.S. military and the intelligence community, and was notoriously exposed by whistleblower Edward Snowden in 2013 for conducting surveillance on citizens in the United States via their telephone and computer activity.

But now the agency seems to be making a 180-degree turn and trying to help people protect themselves and hide their location data from anyone—from threat actors to law enforcement to even the government itself—who wants to find them using their mobile devices.

The move is in line with the release of Ghidra, a free, open-source software reverse-engineering tool that the agency released in 2019. It also comes as mobile location information is becoming more critical in light of the COVID-19 pandemic. Authorities aim to use mobile phone location data to help with contact tracing—locating people who may have come in contact with an infected person—to try to control the spread of the virus.

NSA Privacy Awareness Campaign

Most people are aware that location services on devices can pinpoint where they are so people can have access to services in the area, as well as share their location with friends via mobile apps such as WhatsApp, among other useful activities.

But there are other activities on a mobile device that share location about which people may be less informed, the NSA said. One is the mere act of turning it on, which due to the trust relationship between cellular networks and providers, sends real-time location information for a device every time it connects to a network.

“This means a provider can track users across a wide area,” according to the agency. While this can be helpful, such as in the case of 911 calls, it also can put someone at risk if that info falls into the wrong hands, according to the NSA.

“If an adversary can influence or control the provider in some way, this location data may be compromised,” the agency warned, adding that network providers also have been found—and subsequently fined by the FCC for–selling data, including near-real time location data, to third-parties.

Other services that people use regularly such as Find My Phone, Wi-Fi and Bluetooth also provide device location data on a nearly constant basis when turned on, the NSA said, advising people to turn off these services when they are not in use to help mitigate any external tracking.

People also make the common mistake of confusing Location Services with GPS, which are not the same thing. Even if Location Services and mobile data settings are turned off for a device, it can still be tracked using GPS, the NSA said.

“Disabling location services only limits access to GPS and location data by apps,” according to the advisory. “It does not prevent the operating system from using location data or communicating that data to the network.”

Even turning off a device’s cellular service, such as when it’s in Airplane Mode, does not totally protect someone from having their location pinpointed, the NSA warned.

“Inconspicuous equipment (e.g., wireless sniffers) can determine signal strength and calculate location, even when the user is not actively using the wireless services,” according to the advisory. “Even if all wireless radios are disabled, numerous sensors on the device provide sufficient data to calculate location.”

Even if people are vigilant and aware of the myriad ways their smartphones reveal their location, they can’t totally avoid having this data exposed, the NSA said. Ultimately, they can only reduce the amount of location data shared and the ways third parties can access that information.

Stopping Cyberattacks

The key to stopping cyberattacks? Understanding your own systems before the hackers strike

Organisations struggle to monitor their networks because they often don’t know what’s there. And that allows hackers to sneak in under the radar.

Cyberattacks targeting critical national infrastructure and other organisations could be stopped before they have any impact if the teams responsible for the security had a better understanding of their own networks.

That might sound like obvious advice, but in many cases, cyber-criminal and nation-state hackers have broken into corporate networks and remained there for a long time without being detected.

Some of these campaigns involve intrusions into critical infrastructure where malicious hackers could do damage that could have serious consequences.

But hackers have only been able to get into such a strong position because those responsible for defending networks don’t always have a full grasp of what they’re managing.

“That’s what people often misunderstand about attacks – they don’t happen at the speed of light, it often takes months or years to get the right level of access in a network and ultimately to be able to push the trigger and cause a destructive act,” says Dmitri Alperovitch, executive chairman at Silverado Policy Accelerator and co-founder and former CTO of CrowdStrike.

That means deep knowledge of your network and being able to detect any suspicious or unexpected behaviour can go a long way to detecting and stopping intrusions.

“Defence can work if you have time. If you’re looking inside your systems, hunting for adversaries and applying intelligence, you’re able to discover them even if they get in, before they do any damage,” Alperovitch adds.

Knowing what’s on the network has become even more crucial in recent years, as industrial environments have become increasingly connected with Internet of Things sensors and monitors.

The devices are useful to infrastructure providers because they allow better monitoring of systems for efficiency, maintenance and repair, but if not properly managed, they could be weak points for attackers to access the network.

“We need to be pro-actively testing,” says Annessa McKenzie, VP of IT and CSO at Calpine, an American power generation company.

“We need to grow more of that capability to go in with that confidence so that before there’s a breach, we at least have a basic understanding of this environment,” McKenzie explains. “Because when we go in completely blind, what should take days to respond takes weeks, sometimes months – and we never really understand what happened.”

Organisations should also try to think like hackers; by thinking about the network and how an attack could exploit it, security teams could uncover unexpected means that hackers could use to exploit the network.

“A lot of companies put in segmentation, monitoring, anti-virus – they’re not bad things – but I think too little focuses on what the attack is going to look like,” says Rob Lee, CEO and co-founder of Dragos, the industrial security provider that hosted the online discussion on securing critical infrastructure.

“Let’s work backwards. What kind of response do we want to have? Do we want to get the plant back up and running? Then we’re going to have to understand root cause analysis”.

By examining the network like this, Lee says, organisations responsible for industrial control systems can understand the requirements the network needs to ensure security – and by doing this, those responsible for critical infrastructure can help everyone by detailing what they find to the government.

“The ICS community has the ability to look at this backwards and educate the government on what that’s going to look like. That’s when the government can be impactful,” Lee adds.

With the right tools and expertise available, government intervention could help boost cybersecurity across critical infrastructure by providing an environment for organisations to share information about attacks and best practices for protecting networks.

“They could create a platform for companies to come together and exchange best practices and assistance and maybe even host some sort of joint public private response capability. That would help propel things along,” says Michael Chertoff, former United States Secretary of Homeland Security and co-founder and executive chairman of The Chertoff Group, a security and risk advisory firm.

He also suggests that liability for security shouldn’t just lie with infrastructure providers and other organisations, but the companies that build the specialist systems and connected parts used in these environments should also hold some responsibility if they’re found to be inherently insecure or vulnerable to cyberattacks.

“Right now, one of the arguments for manufacturers is ‘it isn’t our problem, we just give you the stuff, it’s on you’,” Chertoff says.

Through a combination of this and a good knowledge about what the network looks like, infrastructure and utilities providers in particular can go a long way to preventing themselves from falling foul of hacking campaigns and cyberattacks. But in many cases, there’s a long way to go before this is the case.

“The greatest advantage defenders have is if they know their environment better than an adversary – that’s not always true, unfortunately, if the right tools and capabilities aren’t in the organisation,” says Alperovitch.

“But if they do, that’s when they have the high ground and detect an adversary and eject them before any damage is done”.

BREAKING NEWS: A little birdy got itself hacked. And boy was it an epic doozie!

#Twitter is currently recovering from one of the biggest breaches I have ever seen.

Nearly every major verified account was compromised and perhaps much more.

The criminals tweeted a clever scam from the accounts of very wealthy people like Bill Gates, asking for $1000 in #Bitcoin (CrimeCoin) and promising to give you back double: $2000 for nothing.

Many fell for this “TOO GOOD TO BE TRUE” scam even though well… red flag 🚩 🤦‍♂️

What we know so far is it was an insider breach. An employee was either paid off to help the attackers or they were tricked.

Sadly, this is a case where strong passwords and two-factor authentication will not help.

This is a policy and best practices issue. Lack of detection and alerts… lack of EDR… lack of user risk policies… many fails.

The aftermath of this will be huge. Stay tuned for more.


CCPA: Everything you need to know about California’s new Privacy law

The law goes into effect on Jan. 1, 2020.

The most sweeping data-privacy law in the country kicks in Jan. 1. The CCPA, short for the California Consumer Privacy Act, gives residents of the Golden State the right to learn what data companies collect about them. It also lets Californians ask companies to delete their data and not to sell it.

The full impact of these new rights isn’t entirely clear because the regulations used to enforce the law are still being finalized. Still, companies inside and outside California are already scrambling to become compliant so that they can continue to do business in the country’s most populous state.

Nearly two years in the making, CCPA has prompted other states to consider their own privacy laws, some of which have already passed. The law is often compared to the European Union’s General Data Protection Regulation, currently the benchmark for online privacy.

Here’s what you need to know about CCPA and how it will affect you.

Is this law a big deal?

Yes. Before it went into effect, companies weren’t legally required to tell you what data they’d collected and you had little say over what they did with it. Now, if you live in California, you’ll be able to ask them to delete it or refrain from selling it.  

What personal data does this cover?

CCPA covers all the stuff you might expect: your name, username, password, phone number and physical address. It also includes information used by companies to track your online behavior, such as IP addresses and device identifiers.

The law also covers information that can be used to characterize you, like race, religion, marital status, sexual orientation and status as a member of the military or veteran. It also covers biometric information like fingerprints or facial recognition data, your browsing history and location information.

Data found in public government documents is excluded, so companies can still learn if you’re married, for example. However, they have to collect that data directly from government records, not from other sources such as your social media accounts.

Can I tell Facebook and Google to get rid of my data now? 

Yes. In fact, some major tech companies, including Facebook and Google, already let you delete some or all of their data about you from their systems.

These tools might not do exactly what you’d expect, though. For example, Facebook has begun rolling out a feature that lets users “disconnect” the data it has collected about their web browsing, but it doesn’t fully delete that data. Instead, it disassociates your name and profile from the data, which anonymizes it. Facebook then combines the data with other people’s, allowing it to monitor broader trends.

CCPA still allows companies to use anonymized data. However, the law sets a high bar for separating your identity from the information, with the aim of stopping someone from re-identifying a person from the data.

What happens if companies don’t follow the law?

Businesses can be fined $2,500 per violation, or $7,500 if the violation is found to be intentional. That could mean big fines if the violations affect large groups of consumers. The California Attorney General is in charge of investigating companies suspected of violating the law.

Critics say companies will be able to get away with breaking the law because the attorney general doesn’t have the resources to catch every violation. Xavier Becerra, the AG, has said publicly that his office isn’t equipped to fully enforce the law. He pushed for the passage of an amendment, which failed to pass, that would have let users sue companies directly.

The law gives Californians the right to sue businesses in one specific instance: if their personal information is lost in a data breach caused by a company’s negligence. Legal observers expect this to increase class action lawsuits against companies after they’re hit by hackers.

Can I still use free services if I ask them not to collect my data?

Yes. The new law says companies can’t turn away users if they opt out of the sale of their data. However, the companies can give you a stripped-down version of their offerings if you go this route.

The point is to prevent companies from charging all users who don’t want their data sold. That would leave users who can’t afford a subscription in the lurch, forcing them to allow the sale of their data so they can use services we’ve all come to rely on to communicate and access information.

If companies want to charge users who opt out of the sale of their data, the law says they have to disclose how much a user’s data is worth.

I don’t live in California. Will this law affect me?

Almost assuredly. While you won’t enjoy the right to opt out of the sale of your data or ask companies to delete it, you’ll learn more about what companies are collecting about you. The law requires for-profit businesses to describe in their privacy policies the categories of data they collect about users.

Many companies are likely to extend some of these rights to everyone. That way, they won’t have to fuss with deciding whether the law applies to you, and they won’t risk denying a user their rights under the law by mistake.

Finally, the state of California is often at the forefront of new forms of legislation, including plastic bag bans, animal welfare laws and worker protections. Once California passes a law, other states tend to consider following suit. California is the country’s largest market with nearly 40 million residents, and carries a lot of weight. Already, nine other states are considering similar laws, and Maine and Nevada have already passed narrower versions of privacy legislation.

How is this different from that other big privacy law, the GDPR?

GDPR applies to companies with users in the European Union, and it regulates how companies can collect the same kind of personal information as CCPA does. However, the European law puts some stricter controls on how companies must approach collecting user data.

First, GDPR requires companies to get consent to collect data or to have some other valid reason for collecting user information. Secondly, it requires companies to minimize the data collected. CCPA doesn’t require companies to go through these steps to collect personal information, so any limits on data collection will be imposed by individual users who make requests to delete and opt out.

I heard there might be a federal privacy law. Where does that stand?

After the California legislature passed CCPA, several major tech companies told federal lawmakers they would like to see one privacy law that covers the whole country. Legislators have submitted several different laws since then, and the Senate Commerce Committee held a hearing on two competing bills in December.

Several aspects of a federal bill are up for debate, including whether consumers should be able to sue companies directly for violations, and how much authority to give regulators who would enforce the law. 

Thank you Laura Hautala for the great breakdown of CCPA.

Holiday Scams to Watch for This Season

The holidays are roaring down on us, and we’re all looking to get the best deals as we shop online and explore cyber sales. Here at DSA Technologies, we want to help you avoid that “Nightmare Before Christmas” that could arise from a stolen card number or hacked personal data as a result of online shopping. We’ve all heard it. If it seems too good to be true, it probably is. There are many websites that offer as much as 60, 70, even 80% off during this time of year. Don’t be the one that enters your payment information to capture a quick special and find out days, weeks, possibly even months later that you’ve been phished. How can you make sure you’re as safe as possible? As we get ready for Cyber Monday specials and online shopping throughout the month of December, there are several tips we can offer for businesses and individuals alike.

The golden rule? Be careful what you click on
Make sure the site where you are entering your personal information uses HTTPS. It’s important to see the “S” after HTTP, but that still does not mean you’re out of the woods. According to research from Venafi, the number of typosquatting domains (lookalike URLs used for bait-and-switch) is 400% greater than the number of authentic retail domains. That’s right, the bad guys are registering “fake” domains that look like the real domains of vendors like Facebook, PayPal, Amazon, and many others. Be careful what you type, and make sure you see the correct URL when you’re going to a website.
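As an added example (not DSA Technologies’ or Venafi’s code), here is a small Python check that flags lookalike domains against a known-good list, covering digit-for-letter swaps such as “1” for “l”, near-miss spellings, and a real brand name buried in a subdomain. The brand list, confusable map and sample URLs are constructed assumptions for illustration.

```python
"""Flag typosquatting / lookalike domains against a list of known-good retail domains.

Added example, not code from DSA Technologies or Venafi. KNOWN_GOOD and CONFUSABLES are
constructed sample data; a real deployment would use the organisation's own brand list.
"""
from urllib.parse import urlsplit

# Registrable domains the check protects (constructed sample list).
KNOWN_GOOD = {"paypal.com", "amazon.com", "facebook.com"}

# Character substitutions commonly used to mimic a brand name (constructed map).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "rn": "m", "vv": "w"}


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host ('secure.paypal.com' -> 'paypal.com').

    Assumes a single-label public suffix such as .com; multi-label suffixes
    (.co.uk) would need a public-suffix list and are out of scope here.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize(text: str) -> str:
    """Collapse confusable characters so 'paypa1' and 'arnazon' read as their targets."""
    for bad, good in CONFUSABLES.items():
        text = text.replace(bad, good)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, known_good=KNOWN_GOOD, max_distance: int = 1) -> tuple[str, str]:
    """Return ('ok', domain) for a known-good site, ('lookalike', brand) when the
    host imitates a brand, or ('unknown', domain) when it resembles nothing on the list."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in known_good:
        return ("ok", domain)
    name = domain.rsplit(".", 1)[0]          # 'paypa1' from 'paypa1.com'
    norm_name = normalize(name)
    norm_host = normalize(host)
    for good in sorted(known_good):
        brand = good.rsplit(".", 1)[0]
        if norm_name == brand:               # homoglyph swap or wrong TLD
            return ("lookalike", good)
        if levenshtein(norm_name, brand) <= max_distance:   # one-character typo
            return ("lookalike", good)
        if brand in norm_host:               # brand used as a subdomain or embedded word
            return ("lookalike", good)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample URLs, one per trick the check covers.
    for sample in ["https://www.paypal.com/signin", "http://paypa1.com/login", "arnazon.com",
                   "https://facebok.com", "https://paypal.com.secure-login.net/", "https://example.org/"]:
        print(f"{sample:45} -> {classify(sample)}")
```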

Bogus Shipping Notices 
Households receive a deluge of packages as the holidays get closer. A message from UPS, FedEx, or Amazon notifying you that a package is missing or delayed can easily be glanced over and taken for granted. Most of the time the message will include a link for easy access. Don’t click on this link. It may take you to a bogus website or, worse, download malware directly onto your computer. If you are expecting a package, go to the vendor’s website by typing in the correct URL and track your package from there.

Phishing Emails
This is getting to be one of the most common scamming attempts. It is any email with a link designed to get you to enter your personal information. You might see that this is a letter from Santa or a prize that you’ve won, encouraging you to click on a gift card offer or discount. Remember this saying: “just don’t click!”

Phone Scams
Phone scammers figure most people are going to be home over the holidays, and they double their efforts during this time. The short story is, they are trying to get your personal information over the phone. They can pretend to be any number of vendors, bank tellers, computer repair advisors, or support technicians. The solution is pretty simple: don’t give personal information to any caller you didn’t initiate a conversation with.

Relatives in Distress
This tactic is commonly known as “Virtual Kidnapping Ransom Scam.” It can begin with a phone call saying your family member is being held captive or in trouble with the law in another country. The caller might allege that a child or grandchild has been kidnapped with someone screaming or yelling in the background. They will typically provide instructions to ensure a safe return of the family member. They will ask you for money and give you directions on who and where to wire the money. If this happens to you, take a deep breath and realize this could be a scam. Ask to talk to your family members being held, and if they don’t let you speak to them, ask them to identify your family members. Attempt to call or text your family members. To prepare for an event like this, have code words that can be used so you know it actually is a real event. Call your local law enforcement as soon as possible.

Fake Charities

Possibly one of the most unfortunate scams out there, fake charity requests can be heartbreaking. This may be a fake GoFundMe account for what you think is a good cause, a social media thread, or an email chain. They may be impersonating someone you know or a friend of a friend. They might impersonate a legitimate charity on the phone. If you receive a phone call, the best thing to do is tell the caller you will call them back. Wherever you see the request, be sure to look up the correct charity and call them to see if they contacted you, or have outreach campaigns in progress. It may take you a little more time, but remember, it’s better to be safe than sorry. We hope these simple tips can ensure your holiday stays merry and bright!

Top 5 Cyber Attacks You Should Be Aware Of for Your Business

DSA Technologies works with a wide range of businesses that face many of the same security challenges over and over. Most of these issues are preventable, or can at least be mitigated with the right care and awareness. Here’s what resident expert Michael Reese at DSA Technologies shared as the most common problems you should keep an eye out for.

  1. Phishing Schemes
    Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. Nearly all successful cyber-attacks begin with a phishing scheme. These attacks are responsible for over $12 billion in losses globally! Usually the attack is delivered in the form of an email that demands the victim go to a website and take immediate action. If the user clicks the link, they are sent to a fake website that imitates a real one. From there, they are asked to log in, and the criminal now has their credentials to cause more damage.
  2. Cloud Cyber Security Threats
    Cloud computing, or the use of an internet-based service to store information, has grown significantly. Most people assume that cloud storage is safe, but this isn’t necessarily the case. If your provider offers minimal security, your sensitive data could be easily accessible to hackers. The amount of security your cloud provider offers is usually spelled out in the terms and conditions, and these can be muddy waters. Don’t be afraid to talk to an expert on how to navigate these threats.
  3. Ransomware/Malware
    Ransomware is like malware in that both are criminal software used to take control of your computer and/or the information stored on it. Ransomware attacks are on the rise. Companies like DSA Technologies can help you build your line of defense against this type of attack through software. It’s estimated that an organization will fall victim to ransomware every 14 seconds in 2019. A single attack could leave you out of business for a week or more. Could you afford to be out of business that long?
  4. IoT (Internet of Things), or what I call “Internet of Threats”
    IoT devices include internet-enabled devices (e.g. iPhones, Amazon Alexa, printers). There will be more than 20 billion IoT devices by 2020. How is the increasing amount of data being secured? In most cases, it’s not. Some manufacturers put no security on their IoT devices at all, meaning anyone can access them. With so many devices in use, businesses should be aware of the security in place on their IoT devices. Each device represents a different access point for attacks, and with the rise of internet-enabled devices, a rise in attacks is inevitable. Ensure that the devices used by your business are secured to protect sensitive data.
  5. Single Factor Passwords
    Single-factor authentication is when you use only a username and a password to log in. This is the traditional method, and the one most websites still use. Unfortunately, most passwords can be cracked in a matter of minutes. A second line of defense can help you and your business protect your data: multi-step or two-step authentication. This means that to log into your account, you enter your password, and then a second step requires you to enter additional information, like a unique code sent to your cell phone. Having at least two steps makes hacking your account more difficult, in turn making your data a less appealing target.

    DSA Technologies’ resident Cyber Security Expert, Michael Reese, is there to assist businesses in tightening their security.
    Visit DSA Technologies to learn more about how they can assist your business.

WiFi Finder app exposes 2 million network passwords!

“WiFi Finder” is a popular hotspot finder app used to locate free Wi-Fi hotspots nearby. Unfortunately, the company stored information such as the Wi-Fi network name, its exact geolocation, its basic service set identifier (BSSID) and the network password in a database with minimal security. All this data was stored in plain text. While the app developer claims the app only stores passwords for public hotspots, a review of the data found countless home Wi-Fi networks as well.

The biggest threat to free Wi-Fi security is the ability for the hacker to position himself between you and the connection point. So instead of talking directly with the hotspot, you’re sending your information to the hacker, who then relays it on. While working in this setup, the hacker has access to every piece of information you’re sending out on the Internet: important emails, credit card information and even security credentials to your business network. Once the hacker has that information, he can — at his leisure — access your systems as if he were you.

Using free Wi-Fi in public locations is a major security risk. However, there may come a time when your only option is an unsecured, free, public Wi-Fi hotspot and your work simply cannot wait. If you must use public Wi-Fi, there are a few steps you should take to stay safe (well... as safe as possible, because you really shouldn’t use public Wi-Fi).

What to do:

  1. Use a Virtual Private Network (VPN).
  2. Disable file sharing on your device.
  3. Log out of accounts when you are done.
  4. Only visit sites using HTTPS.
  5. Disable Wi-Fi auto-connect.
  6. Turn off Wi-Fi (and Bluetooth) when not in use.
  7. Only access websites that do not hold sensitive or personally identifiable information (e.g. don’t do your banking while waiting for your flight).

While not all Wi-Fi is a security risk, without the right protection your personal information could become public information.