Friday Five 7/22
A new PayPal phishing campaign makes the rounds, the FBI sounds the alarm on fake cryptocurrency apps, and more - catch up on the news of the week with the Friday Five!
1. FBI WARNS FAKE CRYPTOCURRENCY APPS ARE DEFRAUDING INVESTORS BY ALEXANDRA GARRETT
On Monday, CNET broke down a warning issued by the Federal Bureau of Investigation with some lofty numbers: It claimed that over the last few years, its cyber division has seen 244 victims lose $42.7 million through fake cryptocurrency apps. The entire industry, as we've seen especially over the past few years, can be volatile and ripe for attacks. Even if you only dabble in cryptocurrency, it's worth doing your homework and thoroughly vetting apps before using them. When someone you don't know asks you to download an investment mobile app, the FBI advises exercising vigilance and double-checking before you agree to anything.
2. PAYPAL PHISHING CAMPAIGN GOES AFTER MORE THAN JUST YOUR LOGIN CREDENTIALS BY JOVI UMAWING
Over at Malwarebytes, Jovi Umawing sounds the alarm on a new phishing campaign that's targeting PayPal users. This scam is looking to trick users into giving up more than just their login credentials; it's also after government documents like passports, driver's licenses, and even selfie photos, in addition to valuable information like their ATM PIN, social security number, and their mother's maiden name. The blog, which is based on some research carried out by Akamai, highlights how the attackers are using legitimate WordPress sites, rigged with phishing kits, to convince users something's wrong with their account. From there it asks for information, as part of a verification process, which ultimately gets forwarded to the attackers. Can't tell if you're on one of the fake PayPal sites? Double-check those URL bars to ensure you're on an authentic page.
3. DEAR AGENCY SENIOR EXECUTIVE: YOU CAN MAKE OR BREAK YOUR NEXT BIG TECH INITIATIVE BY COLIN MURPHY, ALLISON PRESS AND JEFF DURLAND
Some solid recommendations here via the hive mind of 18F, a technology and design consultancy that partners with agencies within the U.S. Government to separate the signal from the noise when it comes to digital services. This piece aims to help senior execs at agencies - who no doubt already have a lot on their plate - better manage big software. The piece, published in FCW, has three recommendations: Pursue the smallest scope of work with the fewest people, spend a little in the short term to build confidence in the long term, and use stories as leading indicators. If you're interested in learning more, beyond the byline, it looks like the slides from the presentation the article is based on can be found on Digital.gov's 2022 Government UX Summit website.
4. DON’T LOOK NOW, BUT CONGRESS MIGHT PASS AN ACTUALLY GOOD PRIVACY BILL BY GILAD EDELMAN
In what seemed like an impossible task even a year ago, there's a chance Congress could actually pass the American Data Privacy and Protection Act, bipartisan federal data privacy legislation that contains some of the biggest privacy protections to date. The ADPPA was passed by a House panel, the U.S. House Committee on Energy & Commerce, on Wednesday. The legislation isn't a lock yet, but if passed, it would prohibit big tech from tracking, predicting, and manipulating people's behaviors for profit without their consent. While the bill hasn’t been without its detractors - many have pointed out its foibles, including the fact it doesn't set up or fund an agency to enforce its rules and that it surpasses almost every state privacy law, including California's CCPA - the enthusiasm behind it, and the idea that it could finally be the country's first privacy law, seem to be catching on in Washington.
5. RESEARCHERS UNCOVER POTENTIAL RANSOMWARE NETWORK WITH U.S. CONNECTIONS BY AJ VICENS
CyberScoop looks at a new report issued this week on a ransomware command and control network that's a) located in the U.S. and b) capable of launching attacks. While some things are hazy and the dots around it need to be connected more - it's unclear exactly what it's been used for and what it is - the discovery appears to be connected to the MedusaLocker ransomware group. "Further analysis that included historical data tied to those hosts led the researchers to additional hosts and connections to the MedusaLocker ransomware variant, which was the subject of a July 1 alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency," AJ Vicens with CyberScoop wrote Thursday. While not as prolific as other ransomware families, MedusaLocker, which has been around since 2019, relies on RDP (Remote Desktop Protocol) vulnerabilities to access victim networks, according to CISA.