Phishing scams targeting small business on social media including Meta are a ‘gold mine’ for criminals

With so much of daily life happening over social media, it’s not surprising that small businesses are relying more and more on Instagram, Facebook and other platforms to spread the word about their business and sell products.

But there is one big catch: small business owners are at a big disadvantage on these platforms when it comes to cybersecurity. 

Take it from Pat Bennett, an entrepreneur who sold granola in the Cleveland area and got about half of her sales through Instagram. The business was already under pressure from the rising cost and limited availability of sweeteners and oats when her business Instagram page, Pat’s Granola, came under attack. 

The attack looked innocuous. Bennett received a message on Instagram from a small business owner she knows personally. Using a link, her acquaintance asked Bennett to vote for her in a contest. It was a legitimate contest, and it wasn’t unusual for Bennett to communicate with people on Instagram Messenger. As it turned out, it was an attack that went to everyone in her contact’s address book. Bennett lost control of her Instagram and Facebook accounts and hasn’t regained access, despite using all the channels Meta recommends. 

With help, she was able to track the IP addresses to Europe, but that wasn’t enough to avoid a worst-case scenario. Bennett received a letter saying she could regain control of her accounts if she paid close to $10,000. She declined to pay the ransom and had to start all over again. 

Pat Bennett, a Cleveland-based entrepreneur who sells granola, says about half of her sales are through Instagram, but she fell victim to an Instagram Messenger hack that cost her control of her Instagram and Facebook accounts. She hasn’t regained access, despite using all the channels Meta recommends.

Source: Pat Bennett

Bennett’s experience isn’t isolated. As it turns out, small businesses like Pat’s Granola are frequent targets of hacking rings. CNBC quarterly surveys of small business owners in recent years have indicated that many do not rate the risk of cyberattack highly, yet the FBI says that in recent years a wave of hacks has targeted small business. In 2021, the FBI’s Internet Crime Complaint Center received 847,376 complaints regarding cyberattacks and malicious cyber activity with nearly $7 billion in losses, the majority of which targeted small businesses.

Small business owners say social media giants such as Meta have done little to help them address the problem. 

A Meta spokesperson declined to offer specific comment in response to small business owner concerns, but pointed to its efforts to protect businesses targeted by malware. The company has security researchers who track and take action against “threat actors” worldwide, and it has detected and disrupted nearly 10 new malware strains this year. Malware can reach victims through email phishing, browser extensions, ads, mobile apps and various social media platforms. The links look innocuous and rely on tricking people into clicking on or downloading something. 

Why Main Street is an easy target 

With marketing and selling over Instagram and other social platforms being an attractive way for small businesses to reach and expand their customer base, it’s not surprising that criminal organizations have followed.

According to SCORE, a nonprofit partly funded by the U.S. Small Business Administration, nearly half of small business owners cited social media as their preferred digital marketing channel. Compare that to 51% who cited their company website and 33% who prefer online advertising. Moreover, 73% of business owners said they consider social media to be their most successful digital marketing channel, with 66% citing Facebook, 42% citing Alphabet’s YouTube and 41% Instagram. 

“Criminals are in the business of stealing, so you’re going to go where you can make money and get away with it. And social media accounts of small businesses are like a gold mine,” said Joseph Steinberg, a cybersecurity, privacy and AI expert, who sees small business social media accounts as “low hanging fruit.” 

Bryan Palma, chief executive officer at Trellix, a cybersecurity company that worked with the FBI and Europol earlier this year to take down Genesis Market, an “eBay” for cybercriminals, said he has been seeing a range of cybercriminals targeting platforms such as Instagram, YouTube and Facebook. Some are independent hackers, while others are larger, organized crime groups that target social media accounts with more than 50,000 followers. 

Common online scams to watch out for

One common scam, Palma said, is criminals will create a fake Instagram page notifying the user that there’s a problem with their post, and they should “click here, and we’ll help you fix it.” The link redirects users to a fake site asking them to type in their Instagram credentials. 

That’s similar to what happened to Cai Dixon, owner of Copy-Kids, which makes video content for kids. Dixon created an active online Facebook group with 300,000 followers and was getting as much as $2,000 a month in performance bonuses. In March, she got a message purporting to be from Meta, asking if she would like a blue badge verification. Because she was already in contact with Meta employees over Messenger, she believed the message and gave her private information. 

Turns out, it was a phishing scheme. Almost immediately, Dixon lost control of the account and the Facebook group she had spent years cultivating. The hackers removed Dixon and all the other page moderators and started posting animal cruelty videos, videos of heavy machinery and fake content. When she finally talked to someone on Facebook, “they said the only thing I could do was to tell all my friends to report it hacked and then they could take it down.” 

Cai Dixon, owner of Copy-Kids, which makes video content for kids, created an active online Facebook group with 300,000 followers and was getting as much as $2,000 a month in performance bonuses. But in March, a phishing scheme led Dixon to lose control of the account and the Facebook group she had spent years cultivating.

Source: Cai Dixon

Small businesses hit by these common hacks have little recourse.

“It’s especially damning for a small business, which has a pretty minuscule security budget compared to a General Electric or GM, which are running the best tools,” said Greg Hatcher, founder of White Knight Labs. 

Companies with 100 or fewer employees experience 350% more social engineering attacks than larger companies, according to Barracuda, a cloud security company. More than half of social engineering attacks are phishing, and one in five organizations had an account compromised in 2021. 

Social media companies are aware of the problem, but fending off attacks on small businesses is time-consuming and expensive. It’s one matter when a large Fortune 500 company that spends millions on advertising or a high-profile individual encounters a hacker. But when it comes to small business owners, there’s less financial incentive. 

“It is often better for social media companies from a purely bottom line to ignore small businesses when they have problems,” Steinberg said, adding that small businesses are generally getting the service for free or close to free. 

Two-factor authentication and cybersecurity tools

Though the threat seems vast, cybersecurity experts said the most effective defense is fairly basic. Not enough people use the security features that social platforms already offer, like two-factor authentication. Entrepreneurs can also use business password managers, designed for multiple users who may need access to the same accounts. 

“Small businesses don’t have to be completely hung out to dry. They can have good cyber hygiene, with a good password policy,” said Hatcher, who emphasizes password length (ideally 30-40 characters) over complexity, along with two-factor authentication. 

Knowing what to look for and being wary of any links or requests for information can also go a long way. For the unfortunate who get hacked and lose access to accounts, the Identity Theft Resource Center is a nonprofit that can help victims figure out the next steps.   

For now, the online world is still under-regulated and under-monitored.

Cyberattacks conducted through tech giants have caught the attention of the federal government’s main cyber agency, the Cybersecurity and Infrastructure Security Agency. In an interview with CNBC’s “Tech Check” in January of this year, CISA director Jen Easterly said, “Technology companies who for decades have been creating products and software that are fundamentally insecure need to start creating products that are secure by design and secure by default with safety features baked in.” But the U.S. government has so far taken a cautious approach to support for small business specifically. A CISA spokeswoman told CNBC in January that the agency doesn’t regulate small business software, instead pointing to a blog post with guidance aimed at helping businesses large enough to have a security program manager and an IT lead.

“There are a lot of people spending the majority of their time in the virtual world, but the resources are not as extensive. We still have more resources protecting streets,” Palma said. Some of the big online scams get addressed, but there are many “smaller issues” that cost people and small businesses real money and that governments and companies aren’t equipped to deal with. “I think over time, we have to shift that balance,” he said. 


Has Meta’s record-breaking Threads opened us up to more cyberthreats?

By Dr Niklas Hellemann, Psychologist, CEO, SoSafe

Whether it’s the launch of Threads, the shift to remote work, or even the start of the war in Ukraine, hackers will manipulate our emotions against us, Dr Niklas Hellemann writes.

Threads, the new social media platform from Meta and supposed Twitter competition, is officially the fastest-growing new app in history. 

In just five days, the Twitter competitor was able to gain over 100 million users, which is even more impressive as the app is not yet available in Europe. 

However, in an already treacherous dark economy, where various channels are leveraged for cybercrime, Meta’s new social media superstar is yet another convenient avenue of attack for career cybercriminals and their social engineering toolkit. 

Civilians and employees – especially those who work with sensitive data – must be vigilant, as the rapidly expanding social media landscape represents a serious security risk.

A plethora of scams

In the short time since its release, cybercriminals have already used Threads’ high-profile launch to attempt to scam and attack unsuspecting users. 

For instance, criminals have developed phishing sites that mimic non-existent web versions of Threads, which are designed to trick users into entering their login details. 

Because Threads is connected to other Meta services, cybercriminals could use these phishing sites to steal access to users’ other social media accounts, such as Instagram or Facebook. 

This is not only a privacy risk, opening the door to identity theft and doxing, but also a financial risk, as criminals may be able to steal personal banking information.

Similarly, fake versions of the app have appeared in smartphone stores, either to trick users out of their money by requiring payment or to act as a channel for malware and phishing attacks. 

Earlier this month, Apple had to remove a counterfeit Threads app from its European app store after it climbed to the number one spot there.

Social media, the perfect hunting ground

One reason these fraudulent sites and apps have been so successful is that Threads is not yet available to European consumers. 

Its launch in the EU was delayed due to regulatory issues over the extensive amount of data Threads collects on its users, which should concern prospective users. 

Threads can collect personal information, including location, finance and even health and fitness data. 

This treasure trove of data makes it an attractive target for hackers, representing a serious vulnerability if it is breached.

Those who can use Threads must also be careful about who they follow. Threads’ current verification system allows anyone to purchase a “tick”. 

Without vetting, there is a risk of impersonators pretending to be well-known celebrities or organisations, possibly scamming users out of their money or as part of a multi-channel phishing attack. 

Social media is the perfect hunting ground for spear-phishing attacks: by harvesting personal details, cybercriminals can craft their attacks to target people with surgical precision, including by pretending to be an authority figure, such as the CEO of a business. 

This is made even easier because users may falsely believe that they are in a safe, private environment and feel encouraged to broadcast their personal information.

FOMO, a part of human nature

The security issues around Threads relate to a basic psychological phenomenon that leads to potential risks. 

Namely, humans are fallible in the sense of reacting with certain behaviour to certain emotions, and when faced with the novelty and excitement of getting to grips with new technologies, they often let their guard down. 

In their haste to try out Threads, many users are exposing themselves to these scams. 

“FOMO” – the fear of missing out – is very real when it comes to jumping headfirst into exciting new platforms, but unfortunately, so are the potential risks.

However, there is a bigger issue at play. The rapid diversification of not just social media channels but also the communication tools and collaboration platforms we use in our everyday work and personal lives means that we are frequently getting to grips with unfamiliar technologies and environments. 

Our increased dependency on this wider range of tools and platforms provides an advantage to cybercriminals, giving them more channels and vulnerabilities to attack and more ways to collect valuable data.

The security concerns around Threads also point to the simple fact that most people are unaware of the huge menu of tactics and methods used by today’s highly professional hackers. 

The cybercrime industry has never been more sophisticated or had more resources and opportunities, with the professionalisation of cybercrime leading to the creation of organised networks operating like slick criminal enterprises. 

Their main chance for success? Playing with our human psyche and emotions.

This is what you can do to protect yourself

So, how can everyday people stay safe in this ever-evolving cyberthreat jungle? 

First, we need to raise awareness of the threats that are out there so that people remember to protect themselves online. 

By learning to spot threats or malicious messages, people are much better equipped to deal with them rather than learn the hard way.

Second, we need to reinforce safe online behaviour. That means setting strong passwords and using multi-factor authentication to keep login details secure, but also being aware of what information we are sharing online – social media are public platforms where you cannot control the spread of information. 

Where possible, set your account to private.

Finally, be aware that cybercriminals will find ways to exploit current affairs as they are masters of social engineering.

Whether it’s the launch of Threads, the shift to remote work, or even the start of the war in Ukraine, hackers will manipulate our emotions against us.

Today’s cybercriminals are experts at exploiting the human psyche. 

Only if we are aware of the inventiveness and creativity of cybercriminals, and practice secure behaviour while online, will we be able to keep noticing these risks and stay safe. 

Dr Niklas Hellemann is a psychologist and the CEO of SoSafe, a security awareness scale-up.

At Euronews, we believe all views matter. Contact us at [email protected] to send pitches or submissions and be part of the conversation.
