Security News

Text scam lies about U.S. stimulus check

Avast Security News Team, 6 November 2020

Plus, a new Twitter bot names vulnerabilities and a gold company suffers a six-month data breach

While the details of a second U.S. “economic impact payment” from the government to victims of pandemic-related hardships have yet to be finalized in Congress – including the decision on whether there will even be a second disbursal – a text scam has already cropped up that pretends to offer the government check, in an effort to swindle users out of data and/or money.

CNET reported that victims of the scam received texts informing them they were being given “a direct deposit of $1,200 from Covid-19 (Treasury) Fund.” The text includes a malicious link, which the victim is urged to tap in order to accept the payment.

Since the pandemic began, scammers have been launching plenty of coronavirus-themed ploys that prey on the worldwide public’s greatest fears and anxieties, from financial scams to malicious apps posing as useful pandemic tools. The Federal Trade Commission received complaints from more than 5,000 U.S. victims who collectively lost more than $2 million to coronavirus scams. “Never ever click on a link that comes from a source you do not trust. That’s the golden rule to avoid falling into these scams,” advised Avast Security Evangelist Luis Corrons, adding, “Cybercriminals always try to take advantage of our weaknesses, and these troubled Covid-19 times make the perfect breeding ground for them. Don’t be fooled!”
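The scam text described above combines a money lure, a government-sounding source and a link the victim is urged to tap. The following is an added example, not code from Avast or CNET, of the kind of heuristic triage a messaging or security team can run over incoming SMS to surface messages with that shape. The indicator patterns, their weights and the sample messages are all constructed for this example; the threshold of three indicators plus a link is an assumption, not a published rule.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators (constructed for this example). Each one mirrors a trait of
# the stimulus-check scam text: a link, a dollar amount, a government/payment lure,
# a call to action, and time pressure.
URL_RE = re.compile(
    r"(https?://\S+|\b[\w-]+\.(?:com|net|org|info|xyz|top|ly|invalid)\b/?\S*)", re.I
)
AMOUNT_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
LURE_RE = re.compile(
    r"\b(stimulus|treasury|direct deposit|covid|coronavirus|relief|irs|refund|payment)\b",
    re.I,
)
ACTION_RE = re.compile(r"\b(tap|click|accept|claim|verify|confirm|update)\b", re.I)
URGENCY_RE = re.compile(r"\b(now|immediately|today|within 24 hours|expires?)\b", re.I)

INDICATORS = [
    ("contains a link", URL_RE),
    ("mentions a money amount", AMOUNT_RE),
    ("government or payment lure", LURE_RE),
    ("call to action", ACTION_RE),
    ("time pressure", URGENCY_RE),
]


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)
    suspicious: bool = False


def analyse_sms(text: str) -> Verdict:
    """Score one message and explain which indicators fired."""
    reasons = [name for name, pattern in INDICATORS if pattern.search(text)]
    # The link is the payload the victim is urged to tap, so a message is only
    # flagged when it carries a link AND at least two other indicators (assumed threshold).
    suspicious = "contains a link" in reasons and len(reasons) >= 3
    return Verdict(score=len(reasons), reasons=reasons, suspicious=suspicious)


def triage(messages):
    """Return the messages that should be quarantined for review."""
    return [m for m in messages if analyse_sms(m).suspicious]


# Constructed sample messages: one modelled on the reported scam, three benign.
SAMPLE_MESSAGES = [
    "You have a direct deposit of $1,200 from Covid-19 (Treasury) Fund. "
    "Tap http://example.invalid/claim to accept it.",
    "Hey, are we still on for dinner at 7?",
    "Your November statement is ready. Log in to your banking app to view it.",
    "Your package has shipped. Track it at https://example.invalid/track",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = analyse_sms(msg)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} score={v.score} {v.reasons}")
```

A link on its own (the shipping notification) does not trip the rule; it is the combination of a link with a payout amount, a government-sounding source and an instruction to tap that matches the scam's shape. In production the same logic would sit behind a lookup of the link's destination and sender reputation rather than stand alone.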

Vulnonym bot assigns names to vulnerabilities

The Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University launched a new Twitter bot called Vulnonym, which automatically assigns a random “adjective-noun” phrase to every new cybersecurity vulnerability that receives a “CVE” identifier. For decades, major flaws have been tracked by these numeric codes, but researchers often give certain flaws nicknames, which can be confusing when a name makes a flaw sound more severe than it actually is. The Vulnonym bot was developed to remove that distortion, so that minor vulnerabilities do not sound serious and serious vulnerabilities do not sound minor. Read more on ZDNet

Businesses scramble to protect cloud-based systems

While the trend started before the pandemic, the shift to remote teams and cloud-based infrastructure surged among businesses worldwide as the virus spread, exposing more vulnerable attack surfaces to hackers. As a result, many businesses are turning to white-hat hackers to quickly identify their most vulnerable areas. Rewards for white-hat hackers asked to suss out improper access control have jumped 134% over the past year, reaching just over $4 million in payouts. Learn more on Dark Reading

Gold seller JM Bullion suffers data breach

Malicious scripts were present on the JM Bullion website from February 18 to July 17 this year, stealing customer payment information in what is known as a Magecart attack. After the malicious code was removed from the site, the online retailer of precious metals mailed a “Notice of Data Security Incident” to customers, informing them that their names, addresses, and credit card information may have been compromised and that anyone who made a JM Bullion online purchase during that window should monitor their credit card statements. For more information, see the article on Bleeping Computer.
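A Magecart compromise of the kind described above is code that was added to a payment page and was not supposed to be there. One defensive control is to keep an approved baseline of every script on the checkout page and periodically diff the live page against it. The following is an added example of that check, not JM Bullion's code or the Bleeping Computer article's; the page HTML, the allowed origins and the known inline script are constructed, and the rule that a relative `src` counts as first-party is an assumption for this example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external sources and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes
        self.inline = []     # bodies of inline scripts
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def script_hash(body):
    """SHA-256 of an inline script body, whitespace-trimmed so formatting changes don't matter."""
    return hashlib.sha256(body.strip().encode()).hexdigest()


def audit_scripts(html, baseline):
    """Return (kind, detail) findings for every script not in the approved baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # Assumption: a relative src is served by the site itself and is first-party.
        if host and host not in baseline["origins"]:
            findings.append(("unknown-origin", src))
    for body in collector.inline:
        if script_hash(body) not in baseline["inline_sha256"]:
            findings.append(("unknown-inline", body[:60]))
    return findings


# Constructed baseline: the origins and inline script the checkout page is allowed to load.
KNOWN_INLINE = 'window.__cfg = {"currency": "USD"};'
BASELINE = {
    "origins": {"shop.example.invalid", "cdn.example.invalid"},
    "inline_sha256": {script_hash(KNOWN_INLINE)},
}

# Constructed checkout page: two approved scripts, one approved inline block,
# plus one external and one inline script that are not in the baseline.
CHECKOUT_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.invalid/checkout.js"></script>
<script>window.__cfg = {"currency": "USD"};</script>
<script src="//static.example-stats.invalid/analytics.js"></script>
<script>/* constructed stand-in for injected code */ var t = 1;</script>
</head><body><form id="pay"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(CHECKOUT_PAGE, BASELINE):
        print(f"{kind}: {detail}")
```

The check does not try to judge what an unexpected script does; any script whose origin or hash is not on the baseline is a finding, which is the right posture for a page that handles card data. The same inventory feeds a Content-Security-Policy `script-src` allowlist, which blocks unknown origins in the browser rather than only reporting them afterwards.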

Perimeter protection no longer the solution

As business infrastructures evolve toward remote working models, the typical corporate IT department’s cyber protection needs to change accordingly. The old model surrounded company systems with a protective firewall and other security measures, but that model is now outdated because, for most companies, their networks are integrated with the internet as a whole. Ars Technica maintains there is no perimeter left to protect and that IT architecture needs to turn inside-out, with security providers approaching each company system as a Zero Trust Network, meaning it is not trusted by default but treated as an already compromised system that needs full protection.

This week’s ‘must-read’ on The Avast Blog

Avast CISO Jaya Baloo recently spoke at this year's Women in Business event, where she discussed Avast's swift and secure transition to a fully remote working environment. Read up on the details of her talk.