Friday Five: 5/4 Edition

by Chris Brook on Friday May 4, 2018

Contact Us
Free Demo
Chat

Facebook phishing, hospital malware, and GDPR scams - catch up on the week's infosec news with this roundup!

1. Facebook Is Helping Website Owners Sniff Out Phishing Scams by David Cohen

It’s obviously been a trying couple of weeks for Facebook so it’s refreshing to actually see the company share some good news for a change. At its annual developers conference in San Jose this week the social network announced that its Certificate Transparency Monitoring tool would soon be able to inform site owners when their sites have been spoofed, either by a homograph attack, combo squatting, typosquatting, or other means. The attack methods aren’t new but they are still successful. A Chinese researchers warned how several browsers – Chrome, Firefox, and Opera – were vulnerable to the attack vector, last year. If you’re still confused try following this seemingly benign link for more: https://аррӏе.com/ Facebook developers said this week that going forward the site would determine whether new domains could be used for phishing and notify subscribers.

2. Shhlack Lets You Encrypt Slack Messages So Your Boss Can't See Private Conversations by AJ Dellinger

This news requires at the very least a tiny grain of salt but interesting news if you're a) a Slack user and b) a little paranoid when it comes to privacy. MindedSecurity, an information security consulting firm released an add-on of sorts for the ubiquitous collaboration tool that allegedly allows users to send end-to-end encrypted messages through the app. This is important because yes - if you didn't know - administrators are technically able to download and view chats on a work Slack. The tool, Shhlack, apparently leverages CryptoJS, a JavaScript library of encryption standards. It’s worth noting the tool isn’t a failsafe (as Gizmodo notes it’s not perfect) largely because there’s not a mobile version but also because it’s more or less an experiment. As Trail of Bits CEO Dan Guido opines, it's built with "broken, unauthenticated crypto," something that could make it vulnerable to crypto flaws further down the line. That said it could still be worth experimenting with, especially if it’s done around messages that aren’t super confidential.

3. Malware may have compromised some Florida Hospital patient information by Naseem Miller

Officials at several Florida hospitals are warning patients their information may have been impacted by a recent malware attack. Details are scant unfortunately but according to the Orlando Sentinel hospital sites like FloridaBariatric.com, FHOrthoInstitute.com and FHExecutiveHealth.com were all taken offline recently. Patients belonging to the first hospital, Florida Bariatric, may have had their names, email addresses, phone numbers, birth dates, height, weight, insurance carriers and the last four digits of Social Security numbers leaked. It's unclear whether the malware the newspaper is referring to is ransomware but given the rash of healthcare facilities hit by the threat lately, it's probably a safe bet.

Hospital photo by Natanael Melchor on Unsplash

Blog Post

Don’t Get Hooked: How to Recognize and Avoid Phishing Attacks (Infographic)

4. Phishing alert: GDPR-themed scam wants you to hand over passwords, credit card details by Danny Palmer

It shouldn't be a surprise - after all Brian Krebs warned weeks ago it was going happen: The looming shadow of GDPR is spurring a wave of spam and scams. One of those identified this week attempted to mimic Airbnb and told users they'd have to accept a new privacy policy to continue making bookings and send messages. Of course if a user actually clicked through they'd not only have to enter their account credentials but their payment card information, something Airbnb is in this instance obviously isn't asking for. If your inbox is like mine you’ve received a slew of “we’re GDPR compliant” emails over the last few weeks. This news is a good reminder to double check exactly where those emails are coming from and what they're after.

5. Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers by Paul Farrell

Some fairly damning data loss news out of Australia this week via BuzzFeed: The Commonwealth Bank, the continent's largest bank, lost the banking statements of 12 million customers from 2004 to 2014 after one of its subcontractors lost track of the backup magnetic tape drives. The site's Paul Farrell, a reporter based in Sydney, recaps what exactly happened in detail. Spoiler: “One possibility … is that the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction,” so there’s that.

Tags: GDPR, Financial Services, Malware, Privscy, Phishing

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.