iM Secure, iM Aware News
Spam, Scams & Hacking You on Social Media

Security Awareness is an essential part of achieving WorleyParsons' goal of zero harm to our people, assets and the environment. Please remember to always practice Security Awareness within the boundaries of the WorleyParsons Code of Conduct, OneWay Framework and Documented iM Policies and Procedures.

To report a Security Incident: http://support.worleyparsons.com
Just One Click

While the interconnection of technology has made it simple for us to keep in touch with family and friends, and promote our personal and professional brands, it has also made it simple for criminal hackers to infiltrate our lives. Think about all of the information you store and share with each network you join.

Due to the control (or lack thereof) offered to us over our security settings, criminals know they have a revolving door to access our sensitive data. The bigger the network, the bigger the target and ultimately the bigger the payoff.

Facebook, the world's current largest social network (with over 1.59 billion global users), has been, and continues to be, the source of scams and phishing attacks. A post as simple as "share to win!" leads to hundreds of thousands of people being duped, all because they didn't bother to check the validity of the post or the person posting it. While a sharing scam is mostly harmless (similar to an old-fashioned chain email), it reveals the gullible nature of many users, which can lead to malware infection or identity theft. We must always verify the source and think before we click.
One of the most common attacks across all social media networks comes via imposters. A scammer creates a profile of YOU, or of someone you know, and sends friend requests, with the goal of gaining access to private information. Impersonators not only have access to all of your friends' and family's accounts, they may use that access to send requests for money or create more fraudulent accounts. They can also post links to fake content that, when clicked, takes your followers to malware-ridden websites, or installs a Trojan, giving the criminal access to your entire computer. (If you think this has happened to you, report it to the social network in question ASAP!)

This is especially true of China-based QQ, an instant messaging service with the third most users of all social media networks. A criminal hacker gets access to the user's account via malware and uses it to send money requests to all of that user's contacts. Even worse, QQ is a target for scamming rings that use Trojan viruses to gain access to an account. These hacked accounts are then sold on the black market to other criminals who use the account to gain access to sensitive information via the user's chat records and emails. All it takes is one click for your data to be compromised.

From the Trenches
A real story from one of our colleagues

My grandma joined Facebook a few years ago like many older folks. But, like many non-tech-savvy folks, she didn't know how to use it and didn't post much content (rarely changes her profile picture). One day, I got a friend request from her. I thought it odd and was pretty sure we were already friends, but figured she had accidentally unfriended me somehow. So I accepted the friend request without bothering to look at the profile (after all, it had her exact name and current profile picture). A few days later, I got a message from my mom saying that it was an imposter account and had been reported as such to Facebook. I felt like an idiot! By allowing this imposter into my circle, he or she had unbridled access to all of my friends and family, including phone numbers (which should never be put on a social network), emails and photos.
#dislike

WANT TO KNOW MORE ABOUT FACEBOOK SCAMS?
Check out this article: facecrooks.com/Scam-Watch/Top-Ten-Facebook-Scams-to-Avoid.html
SCAMS

According to Wikipedia, LinkedIn is a business-oriented social networking service mainly used for professional networking. Unfortunately, the model by which users are connected, accepting requests from total strangers, perpetually breeds spam.

Bogus recruiting accounts attempt to build a network map by sending requests to business professionals, which in turn makes the bogus account look legit. Victims are conned into giving up personal details, such as email addresses, which the criminals use to launch phishing campaigns and steer the users to websites built around malware.

We need to be cautious when accepting invitations from strangers, and especially cautious when clicking the LinkedIn invite button in your email. When you get a notification that Claire, the alleged Director of Operations for Walmart, wants to add you to her network, don't just automatically click accept. Investigate Claire. Why would an executive of a major corporation want to add YOU to her network? How many connections does she have? The lower the number, the more likely the account is fake. Do a reverse image search. Who is Claire? If the account is fake, the profile image will be used for multiple accounts. A simple Google search of the person's name is always a good starting point before adding someone you don't know to your network.

And always, always, always add users via the website. Never click the request directly from your email. Sending bogus LinkedIn requests is standard operating procedure for phishing emails.
ransomware case file

The Cause: Ransomware is a form of malware that encrypts your data and restricts your access to the data until you pay the requested bounty.

The Case: Hollywood Presbyterian Medical Center was taken offline when criminal hackers infiltrated the network and shut down basic operations, such as CT scans, lab work and pertinent documentation, by using ransomware. The facility was down for more than a week and had to divert several patients to other hospitals.

The Cost: In the end, HPMC determined the best way to restore operations was to pay the ransom and obtain the decryption key. The bounty was approximately $17,000 in the form of Bitcoins.

What to do if this happens to you: At work, take no further actions, and immediately notify your incident response team, or appropriate management.

It's a Spammers' World... and we're just living in it.

The biggest security hole in social media is its connection to your personal email. Just like with the LinkedIn example, where bogus accounts are sending out network requests, every social media app sends email notifications of posts, likes, friend requests, etc. If we're not careful, those email notifications could lead to phishing and malware. For that reason, it's important to verify the validity of the link by doing a mouseover, hovering the cursor over the link before actually clicking on it. Otherwise, log in to your social media account directly instead. It's all too easy for a criminal hacker to send spam email posing as a link from a popular social network.

Macros still pose a threat!

If you receive an Office document, and are notified that it contains a macro, be sure to verify the sender before enabling it. Know and follow company policy concerning macros and, if you want more info, visit http://bit.ly/1MyH9b0 and check your specific software version for assistance.
Text Message Scams

The rise of unsolicited text messages is bringing on another form of scamming that puts your personally identifiable information (PII) at risk. Usually, it's a bogus message, such as your bank claiming your account is locked and you need to call a certain number and give certain credentials. Or it's a link to claim a prize you've supposedly won; clicking the link installs malware on your phone that gives criminal hackers access to your PII. To avoid being scammed, simply think before you click, and check out the Federal Trade Commission's list of how to protect your personal information.
Keeping Kids Safe on Social Media + 10 Tips for Parents

Smart, secure networking starts at home and it starts early. At some point, our children will reach the age where they're old enough to develop an online presence. It's up to us as parents to educate them about the dangers associated with these networks, and how important it is to protect that online presence.

In order to do that, we need to educate ourselves on every social media network our children are joining. That means joining the network and boning up on how information is shared, so that we can teach them how to protect their accounts in addition to teaching them why what they share matters. We don't necessarily want to scare our children, but making them aware of the dangers ahead is part of our jobs as parents. For that reason, showing them examples of how their shared information can be used against them, and introducing them to concepts like cyber bullying and stalking, can be a fantastic way to educate them. If they are aware of the consequences, they will make smarter choices.

No idea where to begin? Try these conversation starters: blog.thesecurityawarenesscompany.com/conversation-starters-for-kids-receiving-tech-gifts/

1. Don't assume your child knows more than you about navigating technology.
2. Make sure your kids know what is and is not appropriate to post.
3. Don't post personal financial information such as credit and debit card numbers, bank statements and pay checks on social media.
4. Don't post other personal, non-financial information on social media, such as a new driver's license.
5. Don't post information about the place you work.
6. Don't post your social plans and vacation details.
7. Don't let your kids check in everywhere they go.
8. Know with whom your kids are connecting.
9. Monitor your kids' credit reports.
10. Be actively involved in your child's online life.

email spoofers are getting smarter

Even the most security aware folks can get spoofed when scammers are good at what they do. The email was surprisingly well written, without the spelling and grammar errors I have come to expect from fake emails. That says it all; scammers are getting better at getting clicks. Which means we need to get better at vetting. Think before you click, and when in doubt delete! Read the whole story by visiting the link below.
blog.thesecurityawarenesscompany.com/scam-alert-help-i-had-an-easter-disaster-in-the-philippines/
PHISHING IN ACTION

An information security professional shared this example of a real phishing email that came through her inbox. It made her pause because it looked so legitimate. Read through her notes about the thought process she used to figure out if it was real or not.

Inconsistencies in the links! Service@paypal.com was just the display name. Service@pp.com was the actual email URL.

They used my actual name, not something generic like "customer", so I had to really think about this.

Link inconsistencies! When I hovered over "Click here to login", this very long URL appeared. Clearly, this is not a real PayPal address. (And it had my email address in the URL, so it probably contained a script to capture the associated login information!)

The day before receiving this message, I had just set up a new bank account on my PayPal account and sent money to a friend, so it's not unreasonable to believe that some recent account activity may have triggered their security alarms.

While this email looks really good (no obvious spelling or grammar issues, it includes the PayPal logo, it used my actual name), there's still some odd formatting that I know the PayPal design team would never let go out to a customer.

I opened a browser and logged in the way I usually do, WITHOUT clicking on any of the links in the email, and upon entering my account, lo and behold, there were NO account notifications, nothing indicating that my account was limited. That confirmed my suspicions that this was a phishing email. As you can see, they can be very convincing!
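The two checks in the notes above (a display name that says paypal.com while the real sender is another domain, and a "Click here to login" link whose hover URL points elsewhere and carries the recipient's own address), and the mouseover advice in the spammers' section, can be automated on a raw message. The script below is an added example, not part of the newsletter; the message it parses is constructed for the example, and pp.com and pp-secure.example.net are placeholder domains standing in for the scam's.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the newsletter's real email); placeholder domains.
SAMPLE = """From: "Service@paypal.com" <service@pp.com>
To: alice@example.com
Subject: Your account has been limited
Content-Type: text/html

<p>Dear Alice,</p>
<p><a href="http://pp-secure.example.net/login?user=alice@example.com">Click here to login</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""

class _Links(HTMLParser):  # collects (visible text, href) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None:
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def phishing_indicators(raw, expected_domain, recipient):
    """Return the red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    # Check 1: display name claims the brand but the real address is elsewhere.
    display, addr = parseaddr(msg["From"])
    addr_domain = addr.rpartition("@")[2].lower()
    if expected_domain in display.lower() and addr_domain != expected_domain:
        flags.append(f"display name mentions {expected_domain} but sender is {addr_domain}")
    # Check 2: the "hover over the link" test, done on the href instead of by eye.
    parser = _Links()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            flags.append(f"link '{text}' goes to {host}")
        if recipient.lower() in href.lower():  # recipient address in the URL, as in the notes
            flags.append(f"link '{text}' embeds recipient address")
    return flags
```

Running `phishing_indicators(SAMPLE, "paypal.com", "alice@example.com")` reports all three red flags for the sample and an empty list for a message whose sender and links really are on paypal.com.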
HEADLINE NEWS

Massive Government Data Breach Exposes Every Filipino Voter's PII

The personally identifiable information (PII) of 55 million Filipino voters could have been exposed in a March 27th data breach of the Philippine Commission on Elections (COMELEC). This could be the worst government data breach anywhere, ever. Supposedly, its purpose was to convince the commission to implement stronger voting security for their upcoming elections.

COMELEC seems to be brushing off the incident, but according to Trend Micro, the amount of PII that was exposed is alarming: 15.8 million fingerprint records, 1.3 million overseas Filipino voter passport numbers, a list of officials that have admin accounts, and more.

Trend Micro warns Filipinos that they could now be targeted by criminals. For more information on the breach, visit their blog: http://bit.ly/1VCIBup.

Many of World's Most Powerful People Exposed by Panama Papers Leak

The Panama Papers leak has been dubbed the biggest ever of its kind, overshadowing the Wikileaks and Edward Snowden scandals with 2.6 terabytes of incriminating data made public. Law firm Mossack Fonseca was exposed as helping several power players worldwide protect and hide their millions, and a cascade of resignations has followed. To read the details of this unfolding story and to stay up-to-date, visit the ICIJ: https://panamapapers.icij.org/.

From a security standpoint, this leak more than likely arose from an insider threat (though still unconfirmed). This is a common cause of breaches and, in this case, very difficult to confirm. It's unclear where to draw the line between legitimate whistleblowing and criminal theft of information. And who should be prosecuted: the law firm for failing to protect its clientele's confidential data, the whistleblower who has access to that data, or the heads of state who were engaging in illegal and seedy business? Only time will tell!

Yahoo Security @YahooSecurity Mar 18: Yahoo kills password authentication with their new account key http://bit.ly/265SiGA
Get Safe Online @GetSafeOnline Mar 21: Incidents of online ticket fraud rose by 55%, costs UK public 5.2m http://bit.ly/1XHesZy
Microsoft MMPC @msftmmpc Mar 22: Microsoft releases new Office feature to combat macro malware http://bit.ly/1SjUkLK
ESET @ESET Mar 23: Self-protecting USB steals data via undetectable trojan http://bit.ly/1Ry3tgF
Intl. Business Times @IBTimes Mar 23: Hackers breached water treatment plant & successfully changed levels of chemicals in water http://bit.ly/1SfJp5Y
Cloudmark @Cloudmark Mar 31: 55+ companies have fallen victim to W-2 spear phishing attacks http://bit.ly/22AlalS
Washington Post @washingtonpost Apr 12: FBI paid hackers to crack into iPhone; will they tell Apple how? http://wapo.st/1VkMpl7
IBM @IBM Apr 14: Hybrid malware GozNym used in attacks against 24 US & Canadian banks to steal millions http://ibm.co/1qU7JSg