2023 Cybersecurity

With scammers running rampant this holiday season, it’s more important than ever for consumers to stay vigilant and safe in the final weeks leading up to Christmas – and into the new year. 

In an effort to bring some levity to the serious situation of cybersecurity, while also providing consumers with tangible advice on staying safe, Karin Garrido, vice president and general manager at AT&T, Pacific States, shared “The 12 Cybersecurity Don’ts of Christmas” with ConsumerAffairs. 

While the security tips may seem funny and lighthearted – and they are – their sentiments ring true. With online shopping, shipping gifts, and the general frenzy of the holidays, it’s easy to get lax with online security measures. 

With Garrido’s advice, the goal is to keep your private information private for the holiday season and beyond. 

The 12 Cybersecurity Don’ts of Christmas

Here is Garidoo’s official “12 Cybersecurity Don’ts of Christmas:” 

1. Re-gifting passwords: Just like last year's fruitcake, re-gifting passwords across multiple accounts is a no-go. Santa uses a password manager.

- If you use the same password on several accounts, then all those accounts are vulnerable if your password is exposed on just one of them. It’s hard to keep track of so many passwords, so a reputable “password manager” is a good option. 

2. Clicking on mischievous links: Not all links are wrapped with good intentions. Think twice before clicking on them, and three times before entering information.

3. Ignoring software update elves: These diligent elves deliver security patches that shield devices from new threats. Don't ignore their hard work!

4. Typing Santa’s credit card number on an open network: Public Wi-Fi networks can be as open as a chimney on Christmas Eve. Don’t expose sensitive intel to cyber-Scrooges.

- As a precaution against electronic snooping, you should avoid typing in sensitive information like credit card numbers when you’re using public Wi-Fi. 

5. Keeping a cluttered digital house: You might get unwanted company, so it’s wise to delete old downloads and emails that are full of personal information.

- If someone succeeds in breaking into your email or computer, what will they find? If you don’t need old emails with your Social Security number and other personal information, it’s best to delete them.

6. Downloading a Trojan reindeer: Untrusted software downloads can be like a Trojan reindeer, carrying unwanted malware gifts.

- This is a longtime safety tip. Don’t download software from non-trusted sites or unexpected pop-ups.

7. Forgetting to back up data: Regular data backups are like keeping an extra set of presents in the attic, just in case. 

-If you have documents or photos that you wouldn’t want to lose, copy them in more than one secure place on a regular basis. 

8. Oversharing on social media: Oversharing personal information is like leaving your doors and windows wide open during the holidays. Facts about you can be used by fraudsters in many ways. Your pet’s name or mother’s family name may be a backup for a forgotten password. 

9. Bypassing multi-factor authentication: This adds an extra layer of security for your accounts, just like double wrapping those precious gifts. If a criminal gets your password, an extra line of defense can help keep them out of an account. 

10. Leaving devices unattended: Devices left alone in public places are as tempting as unattended milk and cookies. Use a screen lock, too.

11. Using Santa123 as the North Pole password: Weak and predictable passwords are like a flimsy lock on a treasure chest of gifts.To make a password long and strong, consider a passphrase with several words inside it. Longer is recommended to help defeat automated password guessing. 

12. Having a bit of eggnog and forgetting to log off a public device: This is like leaving your sleigh full of gifts unattended in the town square. Occasionally we all may need to log into a hotel or public library computer. Uncheck “remember me” and don’t forget to log out. 

Scams don’t end with the holidays

Though the holiday season will wrap up in a few weeks, that doesn’t mean scammers’ work is done. Consumers need to keep cybersecurity at the top of their minds into the new year, as advancements in technology are likely to make it easier than ever to be on the receiving end of a scam. 

“The rise of AI and Deepfakes will result in more sophisticated communications fraud and imposter attacks,” Clayton LiaBraaten, senior executive advisor at Truecaller, told ConsumerAffairs. “In 2024, large language model (LLM) technology will enable highly granular data scraping and mining to enable extremely targeted, contextually relevant scam and fraud campaigns at scale."

Yes, 2024 is an election year. Consumers will likely be inundated by political voice and text SPAM. Not all of it will be legitimate.

Shopping has been in the news lately as Amazon, Walmart and Target have all announced special sales promotions for mid-July. 

Amazon started it all with its annual Prime Day and it remains the best-known of the sales. This week’s ConsumerAffairs-Trend Micro Threat Alert shows scammers are taking advantage of it.

Amazon phishing 

• Trend Micro's research identified a phishing scam in which an SMS message prompts the victim to verify their Amazon account via a fake login page. 

• The top five states being targeted are Virginia, California, Florida, Texas, and Georgia 

“Scammers are ramping up to take advantage of the annual Amazon Prime Day on Tuesday, July 11th. Consumers who want to take advantage of this day of savings should be vigilant in looking out for the plethora of scams we’re likely to see occur, Jon Clay, vice president for Threat Intelligence at Trend Micro told ConsumerAffairs. “Trend Micro’s research team has detected Amazon SMS phishing attacks looking to steal the account owners’ credentials with the top five states being targeted the most Virginia, California, Florida, Texas, and Georgia.”

Travel scams 

• From April 1 to June 26, Trend Micro's research team found 1,979 travel-related scam URLs, which increased by 24.6% compared to the past weeks. This included three fake Booking.com login pages 

• Over one-third of the victims in the U.S. are from Oregon: 32.37%. 

• The top five states being targeted are Oregon, Virginia, Washington, Pennsylvania, and Illinois 

With the Fourth of July coming up Americans are hitting the road in greater numbers and scammers are deploying all types of schemes to ensnare victims. ConsumerAffairs recently reported on several of these summer travel scams, along with ways to avoid them.

Costco Survey Scam 

• Trend Micro's research found scammers inviting customers to participate in a short Costco survey to get a $100 cash value prize. The scammers wish to collect victims’ private information and credit card information. 

• The top five states being targeted are California, Alabama, Texas, Illinois, and Nebraska 

This scam is increasing again, probably because it is highly successful. The victim receives an email that looks like it is coming from Costco and asks the recipient to fill out a short survey.

The bait is a gift card or other item with at least $100. That should be a red flag since retailers can’t afford to pay that much for a consumer’s feedback. The scam seeks to steal personal information, along with credit card information.

FedEx Phishing 

• Trend Micro's research identified scammers impersonating FedEx to ask email receivers to declare their imported items via specific instructions. Victims were prompted to log in on a fake website to collect the victim’s personal information.  

• Trend Micro's research team found 194 logs on June 23. 

“FedEx does not request, via unsolicited mail, email, or text, any personal information pertaining to your account credentials or identity,” the company says on its website. “If you get a suspicious email, do not reply or cooperate with the sender.”

FedEx says red flags include an urgent request for money in return for the delivery of your packages and requests for your personal and financial information.

Office Printer Phishing 

• Trend Micro's research identified scammers pretending to be Office Printer and sent victims a notification letter to redirect them to ‘View Document’ or ‘Download Document.’  

• Trend Micro's research team detected 371 logs on June 26. 

The scammers sending out these emails hope to deceive recipients into clicking on a link. If they do, recipients open a bogus website where scammers try to steal the passwords of email accounts.

If you have an iPhone, you can move on to the next ConsumerAffairs story – but if you have an Android device, your next move should be to look at all the apps on your device. Google has sent up a flare warning billions of Android users that they are in danger of being harmed by 19 different apps.

These malicious apps cover everything a scammer has in their toolbox: adware, malware, spyware, trojans, and more. All can infect a phone, steal your identity, passwords, or financial information like credit card numbers and bank accounts.

The apps that need to be deleted

When you look at the following list, there are apps you may have used in the past with zero problems. But, dastardly scammers have gone as low as they know how, downloading these apps themselves, reengineering them by adding in the malicious code and then putting them back on the Google Play store, according to MalwareFox.

1. Fare Gamehub and Box

2. Hope Camera-Picture Record

3. Same Launcher and Live Wallpaper

4. Cool Emoji Editor and Sticker

5. Amazing Wallpaper

6. Simple Note Scanner 

7. Universal PDF Scanner 

8. Private Messenger

9. Premium SMS

10. Blood Pressure Checker

11. Cool Keyboard

12. Paint Art

13. Color Message

14. Vlog Star Video Editor

15. Creative 3D Launcher

16. Wow Beauty Camera

17. Gif Emoji Keyboard

18. Instand Heart Rate Anytime

19. Delicate Messenger

We repeat -- in their original form there was nothing wrong with these apps. According to Google, scammers have changed them to make them dangerous.

The U.S. Department of Justice (DOJ) this week rolled into Wisconsin, waving badges, seizing computers, and taking the personally identifiable information of millions of Americans off the market.

It’s about time.

Coming to the rescue is “Operation Cookie Monster,” a high-level all-hands-on-deck effort where the DOJ utilized 45 FBI field offices and international partners from Sweden to Romania to seize Genesis Market’s motherlode of consumer usernames and passwords for email, bank accounts, and social media.  

All in all, millions of passwords and email addresses were provided from a wide range of countries and domains. These emails and passwords were sold on Genesis Market and were used by Genesis Market users to access the various accounts and platforms that were for sale. Then, down stream, cybercriminals used this data for purposes ranging from identity theft to phishing attacks to credential stuffing. 

“Genesis falsely promised a new age of anonymity and impunity, but in the end only provided a new way for the Department to identify, locate, and arrest on-line criminals,”  said Deputy Attorney General Lisa Monaco. “The Department of Justice is shining a light on the internet’s darkest corners – in the last year alone, our agents, prosecutors, and partners have dismantled the darknet’s largest marketplaces – Hydra Market, BreachForums, and now Genesis. Each takedown is yet another blow to the cybercrime ecosystem.” 

Were you part of the personal data that Genesis had?

While the DOJ prevented Genesis from pushing consumer ID information any further, you, me, and everyone else is still at risk because of what’s already rung the cash register for the data seller on the black market.

The FBI has reached out to Have I Been Pwned (HIBP), a free resource for people to quickly assess whether their access credentials have been compromised (or “pwned”) in a data breach or other activity. Victims can visit HaveIBeenPwned.com to see whether their credentials were compromised by Genesis Market so that they can know whether to change or modify passwords and other authentication credentials that may have been compromised.

And whether you know that you’re a victim or just think you’re a Genesis victim, it would be smart to see if any of your email addresses at any time in the last several years turned up on the dark web.

When ConsumerAffairs checked Have I Been Pwned against our personal email accounts, there were breaches that have widespread implications: Adobe, Dropbox, and Zynga (the creator of Words with Friends) which exposed 173 million unique email addresses alongside usernames and passwords.

Prepared in conjunction with the FBI, HIPB provides the recommended guidance for those that find themselves in this latest collection of data. Those steps are detailed in the section with the gold background on this page.

When the artificial intelligence (AI) platform ChatGPT burst into public consciousness early in the year, cybersecurity experts warned it wouldn’t be long before the bad guys made use of it. They were right.

In a recent post, Nati Tal, head of Guardio Labs, warns that hackers have hidden fake ChatGPT functionality inside a Chrome browser extension. Hackers entice Facebook users to load the extension using ads on the platform.

Once the extension has been loaded, it gives hackers the ability to hijack Facebook accounts and give them nearly complete control, including “super-admin permissions.”

Tal says his company's research found that the fake extension is being used to target well-known Facebook business accounts. Once in control, the hackers can create Facebook bots and other malicious items.

In his post, Tal said his team has uncovered “endless” campaigns abusing the ChatGPT brand, distributing malware and phishing for credit cards.

“On 3/3/2023, our team detected a new variant of a malicious fake ChatGPT browser extension, part of a campaign started in early February with several other ChatGPT branded malicious extensions,” Tal wrote. “This time upgraded with a threatening technique to take over your Facebooks accounts as well as a sophisticated worm-like approach for propagation.”

Guardio researchers found the "Quick access to Chat GPT" extension was downloaded as many as 2,000 times per day since March 3. The company says it was pulled by Google from the Chrome Web Store on March 9.

'Quick access to ChatGPT'

The fake extension, identified as “Quick access to ChatGPT,” was offered as a quick way to get started with ChatGPT directly from your browser. Guardio says the extension does, in fact, provide that. However, it also “harvests” as much data as it can from your browser. It steals “cookies of authorized active sessions to any service you have, and also employs tailored tactics to take over your Facebook account.”

The takeaway, says Tal, is web users must be even more careful than in the past. Hackers have managed to stay one step ahead of major players like Google so individuals have to take precautions to protect themselves.

“These activities are, probably, here to stay,” Tal concludes. “Thus we must be more vigilant even on our day-to-day casual browsing — don’t click on the first search result, and always make sure you won’t click on sponsored links and posts unless you are pretty sure who is behind them!”

Over the last few months, hackers have had to step up their game, finding new targets and developing even harder-to-detect attacks. That’s because defenses have improved.

A new report from Cybersecurity firm Trend Micro found a huge 55% increase in overall threat detections in 2022 and a 242% surge in blocked malicious files, as threat actors indiscriminately targeted consumers and organizations across all sectors.

But the bad guys don’t just accept a drop in “business.” The report illustrates how hackers have adjusted, putting even more people and organizations at risk.

“To combat waning ransomware revenues — a staggering 38% decrease from 2021 to 2022 — active ransomware actors have increased their level of professionalism to ensure higher ransomware payouts,” the report’s authors write. “In the past year, we’ve seen them take a page out of the corporate handbook to diversify, rebrand, and even offer professional services such as technical support, with the goal of keeping their attacks potent.”

Emerging trends

The report identified a number of emerging trends in cyberattacks, including these:

• The top three MITRE ATT&CK techniques show that threat actors are gaining initial access through remote services, then expanding their footprint within the environment through credential dumping to utilize valid accounts.

• An 86% increase in backdoor malware detections reveals threat actors are trying to maintain their presence inside networks for a future attack. 

• The number of critical vulnerabilities doubled in 2022. 

• The Zero Day Initiatives (ZDI) observed an increase in failed patches and confusing advisories.

• Webshells were the top-detected malware of the year, surging 103% on 2021 figures. LockBit and BlackCat were the top ransomware families of 2022.

Hackers are operating like a business

The researchers say ransomware groups rebranded and diversified in a bid to address declining profits. In the future, Trend Micro expects these groups to move into adjacent areas that monetize initial access, such as stock fraud, business email compromise (BEC), money laundering, and cryptocurrency theft.

Jon Clay, vice president of threat intelligence at Trend Micro, says hackers’ attempts to boost their profits pose a threat to everyone.

“A surge in backdoor detections is particularly concerning in showing us their success in making landfall inside networks,” Clay said. “To manage risk effectively across a rapidly expanding attack surface, stretched security teams need a more streamlined, platform-based approach."

This statistic might want to make you throw your computer or smartphone in the trash can but you need to hear it: A frightening 91% of all Americans are between “moderate to extreme risk” of digital crimes.

And if that number didn’t move you, let’s try this one: Federal Trade Commission (FTC) data show consumers lost nearly $8.8 billion to scams in 2022.

According to a new Digital Crime Index from Aura, a firm engaged in intelligent safety for consumers, not only are few of us safe, but some of us are in even great peril.

Aura’s researchers found that demographics that have become extremely susceptible to digital crimes are Black Americans, women, parents, veterans/active-duty military, and members of the Gen-Z generation.

The data show:

•  Compared to those without children, parents carry a bigger financial toll from being a victim of a digital crime -- seeing 15 times greater loss with an average of $24,188 lost per incident. And Aura says the finger needs to be pointed at all those devices parents have around the home. On average, parents have three more devices in their home compared to most Americans.

• Gen-Z faces a significant risk of digital crime compared to other generations surveyed, which rank at high risk. When Gen-Z respondents were asked if they protect themselves from digital crimes, only 52% said yes. Gen-Z’s older sibling Gen-X does the best of the four generations surveyed, with 68% saying they protect themselves digitally.

• Black Americans are five times more likely than White Americans to be at severe risk of a digital crime.

• Even though men statistically have more violent crimes committed against them, Aura found women are at an elevated risk of a digital crime and stand to lose 6 times more financially. Perhaps what is most alarming is the difference between the average loss for a woman who falls victim to a digital crime vs. a man. On average, women lose over $10,000 more than men per crime. Just ask Rebecca…

• One in every two veterans and active-duty service members who have experienced digital crime have been victims of more than one type of digital crime. Most of those were victims of a government data breach, the researchers said.

"There's no question that technology has enabled incredible progress in society and in our individual lives, but by oversharing online and over-trusting our digital interactions we're putting ourselves and our families at extreme risk," said Aura founder & CEO Hari Ravichandran. "In fact, the Index shows that 60% of Americans have already reported being a victim of at least one online crime and that number is growing every day.”

AI could make things worse, too

With all the hoopla surrounding AI – artificial intelligence – that 91% high-water mark could go even higher. In fact, it’s already starting to show its ugly side with more fake job scams starting to emerge.

"Consumers should be aware that as artificial intelligence becomes more sophisticated, it may be used by marketers in ways that put their privacy at risk,” Nicky Watson, founder of Cassie, a pioneer in consent and preference management, told ConsumerAffairs.

She said that AI-powered search engines will be able to gather and share more data about consumers than ever before. And, since no one’s trying to regulate AI, Watson says the prospect of those search engine companies selling large sets of consumer data to other companies could lead to real-world consequences for consumers. 

“For example, imagine a consumer is concerned about a health issue, so they search the issue online and visit websites relating to the condition. If an AI-powered search engine company sells that consumer’s online activity to a health insurance company, data about the consumer could impact the cost of their health insurance premiums,” she suggested.

“Consumers should proceed with caution when using AI tools and they should think about the long-term unintended consequences of how their data could be used against them.”

If you’re headed out for spring break, you’ll likely have some unwelcome company. From its perch, online security provider NordVPN says that from booking platforms to apps, holiday scammers have their suitcases packed and ready to make as many vacationers' lives as miserable as possible.

Marijus Briedis, cybersecurity expert at NordVPN, laid out everything a spring breaker needs to protect themselves and ensure a scam-free time.

Briedis’ first warning starts with anyone who may still be searching for deals on accommodations, airfares, etc. 

“Most of us will have used booking platforms or comparison sites to find our perfect break, but how do you know you’re getting the best price for your vacation?” he asked.

“As well as the time of year, your location and tracking data can also play a role in the type and price of deals you are offered by travel companies. If you are visiting a website you have used before, clear your cookies beforehand and hide your location through your browser’s ‘incognito’ mode to see if it gives you access to better offers.”

While it may be a bit of shameless self-promotion, Briedis did offer one unique advantage of having a VPN, which basically masks who and where an online surfer is -- and could pave the way for a better deal.

“You might even find that using the booking website for a country you’re visiting, by using a VPN, is cheaper than booking from home," he offered. "Our researchers found that for six days’ car hire in Dublin, Ireland, this March the price they were quoted going through Expedia’s Irish site was less than half that for exactly the same rental package through the US site.”

Phishing poles, un-updated apps, and free wi-fi traps

Given their success over the 2022 holidays, scammers are likely to amp up their phishing efforts, too. Briedis said that scammers will be out in force with fake offers designed to target things like a person’s details and bank balances and mimic genuine customer loyalty schemes.

“Check any offer by visiting the company’s website separately and don’t click on any email links or attachments unless you are sure you’re dealing with a legitimate business,” he said.

Other things people should consider strengthening include:

App updates: Hackers constantly watch for vulnerabilities in apps and try to figure out how to make some hay off those holes. Briedis suggests making sure all your apps are up to date before you take off.

Stay off of social media: This may be tough to do, but leaving Facebook, Instagram, Twitter, and any other social media platform you use alone while you’re vacationing could help keep scammers’ curiosity in check. 

“Not only can burglars looking at your feed discover your home is empty, seeing you on real-time social media like Instagram Live can reveal that you’re not around to defend your property. Even those very familiar with online privacy can still give away a stack of personal information through mistimed posts including upcoming travel plans.”

Public wi-fi is loaded with prying eyes: Briedis suggests that whether you’re in an airport or a hotel lobby, try to resist using the free public wi-fi those places may offer.

His reasoning is that free wi-fi is an added opportunity for cybercriminals to access and compromise your security. Not only can criminals set up fake hotspots, but they can also hack into unsecured public routers and monitor your online activity as well as drop some malware onto your device.

If anyone needs proof that cybercriminals leave no stone unturned, all they need to do is check out this claim from MakingUseOf (MUO): Clicking on Google search results could cost you all your passwords!

This new twist on phishing is built around attracting eyeballs to the very top of Google’s search results where Google’s algorithms attempt to reflect the things someone is looking for or a paid placement by a company.

MUO said that these evil-doers might include an excerpt taken from a dictionary or a website, a range of similar questions to your query, two or three ads, and then the actual search results from Google.

And if someone clicks on one of the fabricated links or ads, they’re immediately transported to a brilliantly spoofed website where a hacker will gladly take passwords, personally identifiable information, and other important digital credentials off their hands.

MUO’s David Rutland pointed to Microsoft Outlook as a prime example. He said that if a user was searching for “Outlook help” and clicked on a malicious link, they could easily wind up at what they think is a real Microsoft-driven site where they put in their Outlook username and password to log in.

“The visual style of most of these elements is different enough from the meat of the results that it's easy to scan past them and scroll down,” Rutland wrote. “The adverts, however, are not immediately recognizable. They use the same link color as regular results, and have the same length of summary and selection of site links to URLs within the website.” 

And to an unassuming user, that could spell trouble – particularly for older users.

“Clicking adverts by accident is a familiar and frustrating feeling. It's made worse by the fact that there's a tendency among older computer users to simply type the name of the service they want to use into the search field and then click on the top result, rather than type in the actual URL,” Rutland said.

Google comments

When ConsumerAffairs asked Google to verify MUO’s claims, a spokesperson said it is, indeed, aware of what’s going on, and it’s voluminous – to the tune of blocking over 100 million phishing attempts every day. Nonetheless, the company said it’s doing everything it can to get these hackers out of its – and our – lives.

“Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement. To combat this over the past few years, we’ve launched new certification policies, ramped up advertiser verification, and increased our capacity to detect and prevent coordinated scams. We are aware of the recent uptick in fraudulent ad activity. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible.”

Safety suggestions for consumers

Google said that even though it’s the company’s job to do everything it can to block bad ads on its platform, “sometimes bad actors can temporarily evade our detection.” 

To help consumers prevent being sucked up in this fake ad vortex, Google shared some tips and tools. 

Learn more about the ads you see and the advertisers behind them: Google said that by clicking on the three dots that appear next to an ad, a user can go to My Ad Center which includes basic information about the advertiser, including whether or not they are a verified business. 

When ConsumerAffairs tried out that trick, we have to admit it was pretty impressive. Not only were we shown when the source was first indexed by Google, but also if our connection to the site was secure or not.

It also has a nifty feature where a user can remove a specific search result so it doesn’t pop up in the future.

In the coming months, Google said it will be rolling out additional transparency tools so that searchers can learn even more about the advertisers behind an ad.

Spot malicious behavior and double-check URLs:  Hackers love big brands because if someone is in a hurry to get something fixed or a question answered, they may not take the time to fully inspect the validity of a site’s URL or whether a phone number is real or not. And, being careless can lead to being fleeced by a cybercrook pretending to be one of those big brands.

To get around that issue, Google recently started adding site names to search results and ads on mobile, so users can more easily identify the website that’s associated with each result at a glance.

“You should always be wary if someone is urgently requesting you to do something like send money, provide personal information, or click on a link. Chances are, it could be a scam,” the company said.

Enroll in 2-Step Verification (2SV): Google – as well as Apple and Microsoft – have been working toward a passwordless future, but we’re not there yet, so for now, passwords are here to stay. And that calls for extra precaution.

Google is encouraging everyone to, at minimum, enroll in 2-Step Verification (2SV). Taking that step adds another layer of protection to online accounts by requiring the user to not only enter their password, but an additional piece of information as well. 

“This way, if your password is stolen, a bad actor still needs more information to gain access to your account. And to keep those credentials safe in the first place, we also encourage the use of Google Password Manager,” the company told ConsumerAffairs.

“Google Password Manager will not only create unique passwords that are hard to crack but will also store them all for you so you don’t need to keep that little piece of paper in your drawer you write them all down on.”

It’s been relatively quiet in the hacker world when it comes to major companies, but Valentine’s Day brought an all-out alert from the Cybersecurity and Infrastructure Security Agency (CISA).

It noted that several major software companies and service providers were asking users to update their systems to address vulnerabilities in multiple products and prevent hackers from taking control of an affected device.

CISA informed ConsumerAffairs that attackers are actively attempting to break into products from Apple, Adobe, Microsoft, and Mozilla. According to WindowsReport, several of these are “critical” as far as severity is concerned – such as Adobe Photoshop and Adobe InDesign. 

The following is a list of the affected products and links to the updates for those products:

Apple 

CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible:

•   Safari 16.3.1

•   iOS 16.3.1 and iPadOS 16.3.1

•   macOS 13.2.1

Adobe

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

• After Effects APSB23-02

• Connect APSB23-05

• FrameMaker APSB23-06

• Bridge APSB23-09

• Photoshop APSB23-11

• InDesign APSB23-12

• Premiere Rush APSB23-14

• Animate APSB23-15

• Substance 3D Stager APSB23-16

Mozilla

Mozilla has released security updates to address vulnerabilities in Firefox 110. 

CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 110 and Firefox ESR 102.8 for more information and apply the necessary updates.

Microsoft

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. CISA encourages users to review Microsoft’s February 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Chances are your home has a few “smart devices,” things like video doorbells or a thermostat you can control with your smartphone. They can make life easier but cybersecurity experts warn that “digital burglars” can use them to virtually burglarize your home.

Steve Grobman, chief technology officer (CTO) at McAfee, points to a recent study by the Florida Institute of Technology that found that the companion apps for several big brand smart devices had security flaws. That's a problem since all of these devices connect to the internet.

“Eight of the 20 apps associated with connected doorbells, locks, security systems, televisions, and cameras they studied…could allow attackers to intercept and modify their traffic,” Grobman told ConsumerAffairs. “This could lead to the theft of login credentials and spying, or it could lead to the compromise of the connected device itself. That’s unsettling, given that we’re talking about things like smart door locks.”

The experts we consulted said smart home devices are like any other device that connects to the internet. They need strong protection.

Start with strong passwords

Lumen Technologies Chief Privacy Officer (CPO) Hugo Teufel, a former CPO at Dept. of Homeland Security, says all of these devices need strong passwords and should have access to regular software updates. 

“The best decision anyone can make? Make sure their smart device’s operating software and apps are updated when that update becomes available,” he told us.

Michael Gibbs, the CEO of Go Cloud Careers, says not all smart devices are created equal when it comes to security. Some are more hackable than others. 

Some of the things that determine a smart device’s strength against a hack include the operating system firmware, and the degree of security integrated into the product. Older devices may be more vulnerable.

“If consumers' devices are hacked many problems can occur, ranging from doors being unlocked, personal information being stolen, and cameras recording peoples’ private lives, to life-threatening problems like fires in ovens and other appliances if they were to be remotely hacked and turned on,” Gibbs said.

What to do

What can consumers do to protect themselves? First, be aware of the potential threat. Then, mount a strong defense.

“Broadly speaking, they involve two things: protecting your devices and protecting the network they’re on,” Grobman said. “These security measures will look familiar, as they follow many of the same measures you can take to protect your computers, tablets, and phones.”

And it should go without saying that consumers should create strong user names and passwords. Most devices will come with default security credentials. If you don’t change them – and many consumers don’t – even a novice hacker can break in.

Since many smart devices can be controlled with a smartphone, Teufel says it’s important to keep the phone’s operating system up to date.

“Using the most current operating system, apps and web browsers help defend your phone and its contents against online threats,” he said.

In addition to smartphones, your home internet network is also a first line of defense. Grobman says you may need to upgrade to a new router if you’re using an older one lacking strong security features. Gibbs agrees that protecting the network is critical.

“If a hacker can get on the network, they can hack these devices,” Gibbs told us. “The best protection is to keep hackers out by using a firewall to protect the network, using strong passwords, patching all systems to protect against security vulnerabilities, and leveraging security software like antivirus and antimalware to protect the systems on the network.”

If you have an iPhone, you can move on for now, but if you have an Android phone, you should pay close attention – particularly if you are a customer of Chase, Citibank, Bank of America, Capital One or Wells Fargo.

There’s a new piece of malware called “Hook” that is being spread through fake banking apps claiming to be from some major bank brands (here’s a complete list of banks).

Once Hook gets on your Android device, hackers can take over and remotely control your phone from anywhere in the world, pulling off normal functions like unlocking the device and taking a screenshot.

The new ‘Hook’ malware is the stuff of nightmares for Android users, boasting the power to pillage mobile files, ransack WhatsApp accounts or even send money from a user’s phone,” Marijus Briedis, a cybersecurity expert at NordVPN, told ConsumerAffairs.

And Hook is one bad dude, too. Briedis said that it’s a cut above most of the weaponry in a hacker’s arsenal. Because it’s so good at what it does, bad actors are paying as much as $7,000 a month to subscribe to the software so they can make some serious bank of their own from the comfort of their basement.

When a hacker subscribes to Hook, they also get access to a special console that uses the same virtual network technology many workers have to access their office computer from home.

“This means your device can be taken over even while you’re holding it,” Briedis said.

How you can stop Hook from getting its claws on your phone

Defending against Hook ruining your life is doable, but you have to pay attention. Briedis said that it’s important for Android users to keep their system software updated regularly – an easy task on most Android smartphones.

All you have to do to check for system updates is go to Settings and if an update is available, there should be a prompt to download and install it.

For those of you who have newer Android phones, system updates should happen automatically. But, for those with older phones, you should be aware that malware loves older operating systems that don’t know how to fend off ilk like Hook.

Briedis’ recommendation for those users is to make sure to only download banking apps from an official marketplace like the Google Play Store and check how often it has been reviewed and downloaded before you install it yourself. 

What state do you think is the most vulnerable when it comes to people’s digital life?

After a year in which the FBI’s Internet Crime Complaint Center received close to 3 million complaints of cyber attacks and malicious cyber activity, Secure Data Recovery polled Americans from all 50 states to find out which residents are most vulnerable to digital threats. What did their analysts discover?

The South rocks, so does R$k35*5ErFhX, and the battle of the sexes is a draw 

On a positive note, the majority of Americans take some steps to protect their devices from hacking. Of those who stay digitally safe, 71% do so by keeping their phone number, email address, and home address off social media. 

People in Kentucky may want to pour themselves a glass of bourbon and toast the fact that the Bluegrass State is the most digitally secure of all 50 – with 54% of Kentuckians checking every permission related to a new app when they download one to their phone, and only 26% of its residents listing their address, email, or phone number on social media.

In fact, Southern states smoked all other regions in the digitally-secure rankings – holding down nine slots in the over-50% range. Louisiana was number two, Tennessee number 5, Mississippi number six, North Carolina number seven, and South Carolina number 10.

If you’re looking for a battle of the sexes, women are more digitally vulnerable than men, overall. However, women get a victory when it comes to backups because they back up their information more frequently than men. Staying with the backup category, just a little more than half of those surveyed back up their devices automatically on a regular basis, and even fewer (39%) keep a copy on the cloud. 

The saddest takeaway is that 79% of Americans leave themselves open to being hacked because they don't use auto-generated passwords, preferring to stay with easy-to-crack things like "Memaw!" which can be hacked inside of 2 seconds. Yes, what we're talking about are the long, multi-character type like “R$k35*5ErFhX” that a good password manager would create.

If you live in the Empire State, sorry, but upon hearing the news, hackers everywhere must be blasting “I Love New York” on their stereos. According to the survey, New York ranks as the most digitally vulnerable. One in three have clicked on suspicious ads, links, or attachments in the past year.

We have our work cut out for us

Yevgeniy Reznik, the Laboratory Operations Manager at Secure Data Recovery Services, said that Americans have five things they need to improve if they want to stay hack-free and digitally secure:

Keep your private information off of social media: That means your email, your phone number, and the address where you live.

Don’t click on anything suspicious: That’s ANYTHING! If you don’t recognize the name, the email address, don’t know why someone is sending you an attachment, or there’s a link in any text message or email from anyone you don’t personally know and trust, keep your hands to yourself.

Install antivirus software on your computer: If your computer gets hit with a virus attack, be prepared to write a check for anywhere from $100-$300 to repair it. Comparatively, dropping $25-$50 a year on antivirus protection seems like a much better investment.

Use unique passwords for each account: That means one for Adobe, another for YouTube, another one for Google, etc.

Keep two or more copies of important information: A backup of your backup? If you’ve ever lost important information to a hard drive crash, you know the pain, so yes, double down.