Cyber Safety

Latest Phishing Scam: Email Scammers are Taking Advantage of Twitter-style Alerts!

With an estimated 3.7 billion phishing emails sent in the past year it is no surprise that phishers have set their sights on Twitter. The latest phishing scam sweeping the 'Net' is a spam campaign designed to look like legitimate Twitter notifications.

The emails take many forms: Some resemble messages from Twitter customer support claiming that the site has detected an attempt to steal the receiver's Twitter password. Others claim that the recipient has changed the e-mail address associated with their account and ask them to confirm. The links in these emails lead either to a downloadable "secure module" which the emails claim will protect the account but is actually malware or to a phishing site designed to steal the user's account information. Online pharmacy spammers have also taken to Twitter-formatted emails to advertise non-FDA approved pills.

Though these scams don't seem very threatening at first (I mean, how much damage can someone do with 140 characters?), the repercussions of having your Twitter account hacked are HUGE! Many people use the same password they use for Twitter for many other online sites; from Facebook to online banking, people just aren't taking the necessary precautions with their passwords. So, if you enter your account information into a phishing site and you use the same password for Twitter as for sites like Facebook or your email, which may hold more personal information, the scammer can potentially get into your other accounts.

These scams, discovered by Trend Micro, are easily avoidable if you are aware of them and know what a legitimate Twitter email does and does not contain.*

  • Twitter does not send links to "secure modules".
  • Twitter emails requesting confirmation include the new account information.
  • Twitter emails do not describe or promote new services or products.

* Twitter email specifications via Trend Micro

Before you get hacked, consider taking these precautions:

  • Always read emails completely and thoroughly before clicking through the links. It can take a while for news of the latest scam to reach your ears, so keeping a vigilant eye on all your emails is a must!
  • Use different, high-quality passwords for Twitter, Facebook, your email, and your online banking account. Secure passwords contain a random series of lower- and upper-case letters, numbers, and approved symbols. Such passwords should be more than 8 characters in length.
  • Consider an identity protection service. Investing in an identity protection service, such as Intelius IdentityProtect, can prevent a scammer who acquires your information from using it. This useful advantage could save you tons of time and money.

The latest scam YOU need to be aware of: 'tabnabbing'

Think 'tabnabbing' sounds like the latest prank involving filing supplies and the office clown? Think again. Tabnabbing (also referred to as tabnapping) is a new type of phishing attack that is sweeping the internet. Most phishing scams rely on you clicking on an embedded link or downloading a file you find in a suspect email, sketchy website or pop-up window. Tabnabbing occurs in the background after your focus shifts away from a malicious or compromised site.

"What we don't expect is that a page we've been looking at will change behind our backs, when we aren't looking. That'll catch us by surprise," said Aza Raskin, Firefox's creative lead who identified the attack. "Most people keep multiple tabs open, often for long periods."

This attack uses JavaScript to discreetly change the contents of an open but inactive tab in your browser to look like the log-in screen of a bank, credit card company, popular retail site, social networking site or email provider. This page transformation only occurs after the page becomes "inactive" while the victim moves to another tab or open program. The scammers are relying on users thinking they left a login page tab open.

"When they click back to the fake tab, they'll see the standard Gmail log-in page, assume they've been logged out, and provide their credentials to log in," says Raskin.

Raskin was able to recreate “tabnabbing” on his own blog to show users what to look for.  You can try it here. After clicking the link, open a new tab, or simply click away from the page for a few seconds and then go back to the original tab.  While the URL hasn’t changed, the original blog content you saw only moments ago has been replaced with what appears to be a Gmail login page.  In this case the Gmail login page is just an image; however, in the case of an actual tabnabbing attack the page will be a functional login form.

In an actual attack, after the user enters their login information it is sent back to the attacker, and the victim is then redirected to the site they think they are logging into. This often goes completely undetected because the victim was usually never logged out in the first place, so it simply appears as if the login was successful, and they never realize that they just handed over all the credentials the attacker needed to access their account.

It is even possible for attackers to detect which sites are in your history as well as what sites you are currently logged into and then customize the fake page to resemble a site you often use or are currently logged into, making this form of attack extremely effective and difficult to detect.  All major browsers are susceptible to this attack.  

Here’s what to watch for and how to avoid a potential tabnabbing attack and keep your identity, information, and login credentials safe:

Don't log-in on a tab that you haven't opened yourself. Since the tabnabbing tactic banks on you trusting that you opened the tab -- and that the site simply timed out -- the best defense is this offensive move. In other words, if you see a tab that contains a seemingly-legit log-in form, close it, then head to the site yourself in a new tab.

Enable browser settings and filters that will alert you to potential attacks. For Internet Explorer (IE) use SmartScreen. In Firefox and Chrome it's called "Phishing and Malware Protection;" Safari doesn't give it a name, but offers a setting that reads, "Warn when visiting a fraudulent website" in the Security section of its Preferences settings.

Look at the URL in your browser's address bar before filling in any form or giving out any personal information, and verify that the URL matches the login page. If there is a discrepancy, close the tab immediately.

Use a password manager. Third-party browser password managers like RoboForm for Windows or 1Password for Mac link saved log-in usernames and passwords to a specific URL. Once you have saved the username and password on the log-in page of the legitimate site, the password manager won't auto-enter them into a page with a non-matching URL, which should alert you to a possible tabnabbing attempt.
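The URL check described in the last two tips, written out as an added example (not code from the article or from any password manager product): saved credentials are tied to the exact origin they were saved on, so a tabnabbed page, which still carries its own URL, gets nothing, and neither does a look-alike host. The vault entries and page URLs are constructed for the demo.

```javascript
// Added example: the URL-matching rule a password manager applies before
// auto-filling. Credentials are tied to the exact origin (scheme + host + port)
// they were saved on. A tabnabbed tab keeps its own URL, so its look-alike
// login form gets no credentials.

// Constructed vault entries; origins and usernames are made up for the demo.
const VAULT = [
  { origin: "https://accounts.google.com", username: "alice@example.com" },
  { origin: "https://online.bank.example", username: "alice" },
];

// Return the page's origin, or null if it is not a well-formed https URL.
// Filling over plain http would expose the password to anyone on the network.
function originOf(pageUrl) {
  let parsed;
  try {
    parsed = new URL(pageUrl);
  } catch (err) {
    return null; // unparseable address: never fill
  }
  return parsed.protocol === "https:" ? parsed.origin : null;
}

// Strict rule: fill only when the page origin equals the stored origin exactly.
function credentialsFor(pageUrl, vault = VAULT) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  return vault.find((entry) => entry.origin === origin) || null;
}

// Weak rule, shown only to illustrate the pitfall: a substring test on the
// hostname is fooled by a look-alike host that merely contains the real name.
function naiveCredentialsFor(pageUrl, vault = VAULT) {
  const entry = vault.find((e) => pageUrl.includes(new URL(e.origin).hostname));
  return entry || null;
}

// Pages a user might land on (constructed URLs).
const CASES = {
  realLogin: "https://accounts.google.com/signin",
  lookAlikeHost: "https://accounts.google.com.login-check.example/signin",
  tabnabbedBlog: "https://some-blog.example/post/42", // now shows a fake Gmail form
  plainHttp: "http://accounts.google.com/signin",
};

// Map each case to what the strict rule would fill (null means "nothing").
function demo() {
  return Object.fromEntries(
    Object.entries(CASES).map(([name, url]) => [name, credentialsFor(url)])
  );
}
```

Only `realLogin` receives credentials; the tabnabbed blog tab, the look-alike host and the plain-http page all get null, whereas the naive substring rule would hand the look-alike host the Google login.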

For more info on avoiding Tabnapping read ComputerWorld’s How to Foil Web Browser Tabnapping.

TMI: Does Your Social Networking Activity Make You Vulnerable to Online Criminals?

MySpace, Facebook, Twitter, LinkedIn - with all the options and advantages, who doesn't have at least one social networking profile these days? The growth of online social networking in recent years has provided people with a new way to keep up with friends and family and connect with people all over the world.

What we sometimes don't realize is that a lot of the information we post on these sites intended for our friends, family or trusted colleagues can also be seen by complete strangers. Criminals have found a new source of information that can be used for crimes like identity theft, fraud and other scams that are sweeping the internet. These criminals aren't looking for simple public record data; rather, it is the content of posts, updates and tweets that is putting social networking site users at increasing risk.

Social networking sites allow us to be constantly connected, to post whatever we want whenever we want, and we often don't think twice about what we post. Even in Twitter's 140 characters you have the opportunity to divulge enough personal information for an experienced online criminal to do harm. You may inadvertently give away your location by posting about your job, or you may post about a struggle you've been having with your bank and thus alert the social networking universe as to where you bank, what kind of banking you do, and what kind of account you have. Posting your mother's maiden name, mentioning an upcoming high school or college reunion, or talking about your favorite pets can provide criminals with just enough information about you to guess your password or answer your security questions.

So what can you do to keep your identity from being stolen based on the information on your social networking profile? Check out the tips below to find out how you can keep safe:

  • Keep your information to yourself. Don't post your full name (at least leave out your middle initial), your address, your email address, birth date, or your phone number on any of your social networking profiles. Though most social networking sites prompt for them, they aren't required, so don't post them.
  • Make all of your social networking profiles private, allowing only limited information to be viewed by people you have not approved as 'friends' or 'followers'.
  • Only 'friend' people you actually know. It isn't uncommon for people to accept a friend request from someone because they have a mutual friend, or even from a complete stranger. Often online fraudsters will friend as many users as they can in the hope that someone will take the bait. If you aren't sure whether you know someone, confirm their identity before you add them. If you can't confirm it, don't add them. Remember, the casual social networker uses their profile to keep up with friends and family, so why would you allow someone into your network who wasn't a friend or family member?
  • Use secure passwords. Pick your passwords wisely; passwords that reflect your personal tastes or are 'easy' to remember are often easy to guess. Consider a random set of capital and lower-case letters and numbers, no less than eight characters. It's also a good idea to use different passwords for things like bank accounts than you do for social networking sites or email accounts.
  • Always think twice before you post. Remember that if you post something online it can't be taken back. Just because you delete something, there is a chance that the information is cached on the site or is available on archiving sites. So before you update your page on-the-fly from your cell phone be sure to THINK about what you are posting and how the information could be used and who has the ability to see it.
  • Talk to your kids about the risks. You aren't the only one online; if you have kids make sure they are practicing safe online habits. Talk to them about internet and social networking safety before anything has the chance to go wrong.

Child Internet Safety: Is Your Child Practicing Safe Habits Online?

Do you talk to your kids about cyber safety? This is an issue that many parents overlook as it was not a topic of conversation when they were growing up. Nonetheless it is a topic that we encourage you to discuss with your kids.

Cyberbullying

Schools, parents, and teachers are being faced with the issue of cyberbullying for the first time. Bullying has always been a problem, but the onslaught of virtual communications such as text messages, emails and instant messages has given way to a whole new form of bullying. There have been numerous stories in the news recently of children falling victim to cyberbullying. The state of New Hampshire is currently in the process of passing a bill which will give schools the authority to address cyberbullying if it has an impact on the educational environment. If the bill passes, many states will likely follow New Hampshire's lead.

• Monitor your children's online activity. Know which sites they are visiting and who they are talking to.

• In many cases parents are unaware that their child is being picked on online. Talk to your kids about cyberbullying and encourage them to talk to you if they feel they are falling victim to a cyberbully.

• Be aware that children and adults may have more than one profile on social sites such as facebook.com or myspace.com. As a condition for allowing them online access, ask them to share their online profiles with you.

• If you suspect that your child is hiding something from you, ask them to show you the most recent pictures they posted from their phone to their Facebook profile after they attend special events like a school dance, concert or party. Most likely they will post to their most active profile.

• Establish limits for online use. If your child knows you're around or if they can only use the internet for a limited amount of time each day they will be less likely to put themselves in situations that make them vulnerable to cyberbullying.

• Review your child's browsing history or set up parental controls that only allow your children to visit approved sites.

While computers have become a main staple in the curriculum of schools in the United States, a study recently released by the National Cyber Security Alliance (NCSA) and supported by Microsoft Corp., revealed that less than 1/4 of teachers in the U.S. have spent more than six hours teaching cyber ethics, safety, or security in the last year.

As a parent you cannot depend upon your child's school to teach them about cyber safety. If internet safety and security is part of the curriculum, sit down with your kids and ask them to tell you what they have learned. If you feel that the school has missed some important points, this is your opportunity to bridge the gap.

As a parent you are raising a new technology driven generation of computer savvy Americans and it is up to us to make sure that they have the knowledge needed to remain safe while using these skills. In each of these cases the most effective defense is having an open dialog with your kids. This will make them more likely to come to you if a problem should arise.

What do you do to protect your kids online?

Comment below or send us a tweet @Inteliusgal
