By targeting potential victims on social media, the scammers were able to pinpoint people whose jobs include dealing with a company’s finances. They were able to capture these employees’ work credentials like phone numbers and call them with an urgent, phony message that they needed to install an update into their bank’s security module. The update was no such thing, but rather malware posing as an extension of Google Chrome. This malware’s purpose, not surprisingly, is to target banking credentials and send them back to a remote location. Every person that fell for the phishing scam immediately logged into their bank’s infrastructure via their own credentials, which were quickly captured by the malware.
Most companies have malware detection systems in place to combat such attacks, but this one was different. The code was written atypical of normal malware in order to avoid detection, according to a blog written by Morpheus Labs’ Renato Marinho. Adding the phone call to the plan further legitimizes the entire operation to targeted victims. By mapping companies using the likes of Facebook, Twitter, and LinkedIn, the cybercriminals already have an enormous leg up, able to contact targets with full knowledge of their names, job titles, and places of business. If the target engages in the phone call, the cybercriminal will proceed to walk them through the steps of the download and then have them “test” the company’s bank account.
Battling phishing scams
Phishing scams range from simple and stupid to complex and hard to root out, as the Brazilian financial workers found out first hand in 2017. No matter what industry you work in or whether you’re the CEO or work in the mail room, there are plenty of ways to keep safe from phishing at your home or office.
Think Before You Click: “Does this make sense?” is a question we should all ask ourselves before we make any decision online, particularly when it pertains to releasing our personal data or financial information. Legitimate companies have painstaking systems in place to collect our information, with multiple screens full of warnings and legal notices. Phishing attacks usually have none of these things in place and are all too quick to get you to the pages where you start giving your vital information away. Voice Verification: When someone calls you from the “payment department of your credit card company,” a huge red flag should fly up in your face. Usually scammers will give as little detail about themselves as possible, instead trying to instill a sense of urgency into you agreeing that action must be taken and ushering you along to the decision they want you to make. If you’re unsure, ask for a call back number or tell them you need to get your supervisor. If they hang up, your suspicions are confirmed. Verify Website Security: This is one of the easiest to do and one of the easiest to overlook. If a website is properly secure, it will have an ‘s’ after the http and there will be a secured lock icon. If either or neither of these exists, you need to get out of there before you get scammed.
Using VPNs to combat cybercrime
Using a virtual private network (VPN) is for far more than working around blocks on Netflix or Facebook. A secure VPN connection can keep your information safe when you are performing online bank transactions, sending private emails, or using wireless networks that are not secured. Even if hackers are capable of seeing where you are going online, they won’t be able to harness all the power of the connection because of the encryption involved. When you start a VPN connection, you send information and requests to the Internet via an indirect route. Whatever you enter to go online is encrypted and sent to the remote server through a shielded tunnel. The remote server decrypts the information and attaches a different IP address to it before sending it on to the Internet without a single shred of your personal ID attached to it. When information comes back your way from the Internet, it goes first to the remote server, then to you through the same encrypted method. Three VPN services that provide great security means are NordVPN, Private VPN, and Trust.Zone.
1Trust.Zone
Trust.Zone has a zero logging policy and unlimited speed and bandwidth. Get it Now
2Private VPN
Private VPN excels with an automatic kill switch and in-built leak protection. Get it Now
3NordVPN
NordVPN has 24/7 customer support with real people for getting yourself unstuck from key situations. Get it Now
