Breaches at Password Manager LastPass Cause Concern

by Leave a Comment

Password managers are programs that let you store an ever-growing list of online credentials in a safe location. These programs remove the need to record this information insecurely, such as by emailing them and writing Post-it Notes.

Many security experts advise clients to use these programs as part of best security practices because they also let you create strong and unique passwords for each online account you have. Additionally, some programs alert you if you duplicate a password across different accounts and can notify you if your password has appeared in a known data breach.

However, if your program’s secure vault is compromised, it potentially puts every one of your online accounts at risk of compromise. This issue drew my attention following last year’s extensive LastPass breach incident.

In 2022, there were multiple breaches at LastPass. In addition to putting the response and actions of LastPass under the spotlight, the incidents have raised questions over the safety of storing multiple login credentials on password managers altogether.

LastPass announced in late August 2022 that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account.” This enabled the attacker to take portions of source code and some proprietary LastPass technical information.

After conducting an investigation and forensic review, LastPass said it found no further evidence of activity from the threat actor. The unauthorized access was limited to its development system, which is “physically separated” from its production environment.

At the end of November, they made another announcement that an unauthorized party had gained access to a third-party cloud storage device. This new breach was enabled by the information gained by the attacker during the original August incident.

And a few days before Christmas, the firm informed users that attackers had accessed encrypted customer data (username, password, and notes) and unencrypted data (the website addresses of customers’ online accounts).

Do I believe you should keep your LastPass account following this last episode? No, but the damage has already been done. There is a high likelihood that your account may have been compromised. But if you want to continue to use LastPass, there are three things you must do to continue using the service.

  • First, you must strengthen your master password and ensure it is unique, long, and complex.
  • Second, as an extra security precaution, you should change the passwords for the websites you have stored in the service.
  • Third, you should be on the lookout for targeted phishing attempts in the coming months, with the attackers accessing your unencrypted contact information and websites.

I have reviewed these services over the years and have not found one I have felt entirely comfortable using – and I have not only my accounts to manage but many of my client’s accounts. I hate to say it, but the safest and most secure way of managing your passwords is to use a notebook and write them down.

If you use a document or spreadsheet and your computer is ever compromised, you will lose that information, and bad actors will use it against you.

What is the best way to implement this Luddite approach? Have one page per account, and write the name and website address at the top. Have a one-line entry per password, preferably with the date you first used it. If you must change a password, cross out that line, and write a new one along with the date, you created it.

The more complex we have made our lives by thinking that computers would make things easier for us, the more I think we need to use simple methods to maintain our security.

The Calendar Year has Changed, but Scams Haven’t

by Leave a Comment

In 2017, there was a security breach at the credit reporting firm, Equifax. This breach was significant news at the time, and by 2019 the company agreed to a $425 million settlement of several class action lawsuits. They offered credit monitoring or a cash award of up to $125. At the time, I recommended the former.

In the closing days of December 2022, Equifax began to issue those cash awards. Many people found the amount they received laughable (e.g., most claimed to receive less than $10). However, scammers immediately went on the alert and into action. The website DomainTools.com reported several new domain names, which closely resembled the legitimate one, had been registered in just a few days. The valid website name is equifaxbreachsettlement.com. Fake versions include equifaxbreechsettlement.com, equifaxbreachsettlementbreach.com, and equifaxsettlements.co.

If you get an email notification about payment, do not click on the link in the email. It would be best if you went directly to the legitimate website and manually entered the keycode shown in your email. These instructions also apply if you get a letter in the mail.

Of course, because everyone’s information was made publicly available, scammers know who you are. If you get an email that seems slightly off and want to learn if it is “real,” please forward it to me for verification. Doing so is not an intrusion on my time. I would much rather spend a minute or two to review the contents of an email, than spend several hours — or days — working to restore your stolen identity.

Thanks, and safe computing!

Looking Forward to 2023 With Nary a Prediction in Sight

by Leave a Comment

Last began with more than 100 ships, loaded with goods, lined up outside the ports of Los Angeles. Now there is no backlog. I was looking forward to a new year with some semblance of normalcy in the supply chain for computer-related goods. Unfortunately, that looks like it might not happen.

China was locked down with its zero-Covid initiative and still managed to produce products to keep the supply of goods up and running. Now the government has eliminated that constraint, and people are staying home anyway. Many more are getting sick. Based on recent news articles, the country is prepared for hundreds of thousands of citizens to die. This disastrous result will place many computer equipment manufacturers in the same awful position they were in at the start of the pandemic three years ago.

Lenovo has not announced any planned price increases, but they rarely do. They adjust pricing at the distributor level when they provide their available supply list. I expect to see price jumps on the equipment I usually offer to home users and small business clients by mid-year. I also expect to see the same unavailability of monitors and computers as I did early last year. My advice is if your computers are coming up for replacement, get moving on that project sooner rather than later.

A lack of products will also affect the pricing of items that are still available. SonicWall has increased the price of hardware and software three times in the past two years. They have — for now — indicated they plan to hold the line. Still, I don’t think it will be far-fetched to believe that if they cannot get the necessary components for their firewalls, especially chips, they will increase hardware prices to what they feel is essential to keep moving forward. As a result, a higher price will affect anyone needing a new firewall.

Microsoft is proud of its software and cloud services, generating $25 billion in 2022. The price for Microsoft 365 (most commonly known as Office) will be increasing in 2023 for most business subscriptions. Following an enormous backlash from partners when Microsoft announced a price increase early in 2022, the company offered “discounts” through the end of the year. The cost of Azure, the data center cloud service, will likely increase later in 2023 to account for price spikes for the hardware required in their data centers — mostly solid-state disk drives.

Oddly enough, one of the latest offerings from the world of Artificial Intelligence, ChatGPT, will either wreak havoc for programmers or be a savior. This unique software can provide programming solutions when presented with a mere suggestion of a problem. Companies will still need skilled programmers to complete a full-fledged project. But with the starting point provided by an AI engine, many companies will be willing to reduce their staffing costs by employing this new technology just to hold the line on increasing software costs.

Another feature of ChatGPT is that it can respond to standard English language questions. I foresee customer service help desks will use this functionality before the end of the first quarter to answer commonly asked questions before routing a phone call (or chat session) to a human being. High school English teachers have recently realized the answers to essay questions cannot be reviewed by “did they cheat” software, because ChatGPT responses can be edited to approach grade level equivalency. Only the consistent use of proper grammar and punctuation reveals a software program, rather than an 11th grader, did the work.

With the price of a bitcoin reaching record-level lows, many computer industry pundits believe there will be a decrease in ransomware attempts. I am skeptical and don’t think so. In the past, most cybercriminals requested payment in bitcoin — especially when the price was approaching a record level near $66,000. However, the cyber-currency is now hovering around $16,000, dropping from over $50,000 at the start of 2022. So, in addition to asking for bitcoin to return data, bad actors also threaten to release the data they hold to the public. In some cases, various compliance regulations govern this information, which puts the owners (the victims) in more jeopardy than usual. Kyle Hanslovan, CEO of Huntress Labs, confirmed my thinking in a recent interview with CRN magazine when he said:

With the economy changing, there is no doubt that folks have to get paid. Threat actors have to make money somehow. We‘re noticing, even in some places, they’re holding the data for ransom, but they‘re not actually encrypting. They’re skipping that part and just only holding for extortion, or threatening to maybe call a regulator or threatening like, ‘I’m going to call your customer and show them I have your data.’ So there [are] still other ways even by not using ransomware to still hold data theoretically for ransom. For me, it‘s not going anywhere. It’s such a great source of income for them; it‘s clearly not going away in 2023.

Thanks, and safe computing!

Year End News: Transitions

by Leave a Comment

One aspect of my business that never ceases to amaze me is how hardware and software vendors can make sudden changes that affect vast numbers of clients and end-users with little notice. The two I write about this month are significant; however, they are not representative of the entire industry.

Intuit

Intuit is the maker of QuickBooks, the accounting software many individuals and businesses use to manage their finances. There are three desktop versions of QuickBooks: Pro, Premier, and Enterprise. In 2001, Intuit released a cloud-based version of QuickBooks, which purported to match the desktop versions. Often heated discussions on various forums show this effort has fallen short of expectations for those who are used to the desktop product.

Intuit has had a strict support policy for QuickBooks. It states that support for the current product is valid for three years from when it was issued. For example, Intuit released QuickBooks 2022 in September 2021. It will receive support until the fall of 2024, which means Intuit will publish updates and fix problems with its code during those three years. Anyone who purchases the product can call Intuit’s QuickBooks Support to resolve problems with installation and program errors. Help for how to use QuickBooks is relegated to website forums and accountants. After three years elapse, add-ons to QuickBooks will no longer function. These include Payroll Services, Online Backup, and Online Banking.

For the Pro and Premier versions, you used to be able to go to the Intuit website, Amazon, or a big-box store and purchase the software. You’d either get the CD/DVD and a license key or the license key along with a download link. That software purchase gave you three years of support. The Enterprise version was always an annual subscription.

Last year Intuit changed how you can purchase the product. They have implemented a subscription service for the Pro and Premier versions. (I predicted this more than a year ago for some of my clients.) You must buy the product every year if you wish to continue to use it. To make matters just a little bit worse, you can no longer purchase the Pro version from the Intuit website by clicking a Buy Now button. Intuit removed that option this year. You must call the Sales phone number at the top of the page.

As I learned last month, when you call, the sales agent, using a script, will push you to choose QuickBooks Online. If you say no to that option, they will attempt to get you to upgrade to the Premier version. And if you continue to say no, the sales agent is tasked to offer you additional for-fee options to the Pro version (e.g., Payroll Services, Online Backup, and Online Banking). All in all, not a pleasant buyer’s experience, certainly not one conducive to further purchases – except now, everyone who uses QuickBooks is a captive for a higher priced, not necessarily better, product every year.

Microsoft

Most people probably know Microsoft makes Office primarily consisting of Word, Excel, and Outlook. You might also know that Microsoft has made Office available as a cloud-based offering – in many forms and with different names – since 2010.

Over time, Office was installed from diskettes (6 in 1990), CDs, DVDs, and – most recently – using a license key and a download link. These are known as perpetual licenses. They are valid for as long as you use the computer on which you installed the program. For several years, Microsoft hinted there would come a day when they would stop issuing those product versions. That day is now more visible and inevitable. Last month one of my colleagues reminded me that Office 2013 is going out of support in April 2023. While I wasn’t surprised that a ten-year-old product was ending, what surprised me was the end dates for Office 2016 and 2019. Look a look at the chart below.

OfferingStartMainstream EndExtended End
2013Jan 9, 2013Apr 10, 2018Apr 11, 2023
2016Sep 22, 2015Oct 13, 2020Oct 14, 2025
2019Sep 24, 2018Oct 13, 2023Oct 14, 2025
2021Oct 5, 2021Oct 13, 2026Not applicable

Please note that the last day of support for Windows 10 is also October 14, 2025.

What is someone with a perpetual “Home and Student” or “Home and Business” version of Office supposed to do? The only solution is to purchase a subscription to the appropriate cloud product, as follows:

Consumer (Student):Microsoft 365 Personal$69.99 per year
Business:Microsoft 365 Apps for business$99.00 per year

I will distinguish between an individual purchasing a “Microsoft 365 Personal” or “Microsoft 365 Apps for business” subscription on the Microsoft website versus a business subscribing its staff to Microsoft 365 Business Standard or Business Premium via my Microsoft partner program, NCE. Individuals must create a Microsoft Account (a unique-to-Microsoft email address) to purchase the license because Microsoft will save your credit card information. I can provide subscriptions for businesses through NCE that get are included on their monthly bills.

While it is going to be relatively easy to create a FirstName.LastName@Outlook.com email address for individuals (unless your name is Bob Smith), Business accounts – for actual businesses – must go through NCE to ensure the default “onmicrosoft.com” administrator account gets created. After that, it requires several administrator steps to link the business’ legal website name to the product.

By October 14, 2025, Microsoft will (most likely) require a Microsoft Account to access any new Windows 11 computer. If so, then you must use the same email address for Office!

I can’t say I’m looking forward to these changes because if they are difficult for me to adjust to, they will probably play some havoc for the clients I support.

Thanks, and safe computing!

All Scams. All the Time.

by Leave a Comment

In this particular “scammers” edition of Sun Spots, I will share a few recent emails from clients asking about the validity of the contents. I also want to direct your attention to a feature-length article from Wired magazine’s March 2022 issue that contains a third-party discussion of what happens when someone is an unwitting victim of a phone call.

One client forwarded me an email about urgent warning about his Norton anti-virus license.

He uses AOL, which doesn’t let you see “behind” the email address unless you explicitly look for it; fortunately, Outlook does. But this is such a piss poor example of fraud it isn’t even funny.

The email return address is justforconsumers.com, which doesn’t resemble Norton at all! The links in the email route to http://aoolldearbox.bond, which is not a secure website. Worse yet, if you click any link, you are re-directed to a website hosted by aquaticbees.com (definitely not Norton). That page has a warning about an increase in “Malware and Viruses.” Click on any of the links on that page, and I’m certain your computer would be flooded by tons of the stuff they “warn” you about.

And, of course, he has SentinelOne with his SPF+ subscription, not Norton!

This email is fraudulent; it should be marked as “spam” and then deleted.

Another client returned from a recent vacation to find an email with the subject, “Your order has been confirmed.”

Attached was a PDF file that resembled an Amazon invoice indicating that a payment of $769.99 had been received for a “SAMSUNG 55-Inch Class QLED 4K UHD Dual LED Smart TV with Alexa built-in.”

It also included the following information:

If you want to cancel or modify this purchase and want to claim your money back. Please call us Immediately to our Billing Department : +1- 877-542-2099

Let’s forget, for a moment, the atrocious grammar and punctuation. Let’s ignore the email address that isn’t from Amazon.com. This email and invoice features one of the more insidious scamming aspects. It requires you to call them to ask for assistance. The moment you do that, you are an active (unwitting) participant, and — if you are not careful — will be providing con artists and thieves with your personal information. I cannot stress how important it is to DELETE garbage like this immediately!

This leads me to the Wired article: They Were ‘Calling to Help.’ Then They Stole Thousands. Take the time to read this, and if you have any questions afterward, please let me know.

Thanks, and safe computing!

Lenovo Supply Chain Woes Continue

by Leave a Comment

By mid-February 2022, the line of container ships waiting to dock at the ports of Los Angeles and Long Beach was down to 78 vessels from a high of more than 110 at the start of the year. I’m writing this in late March, and the number has remained steady.

I was fortunate to obtain Lenovo monitors for a handful of clients a few weeks ago, but that was an exception. When I saw 140 monitors available in a Texas distribution center, I called my distributor and asked to have them shipped from there, rather than Pennsylvania. By the end of that 30-minute call, the number was down to 39.

I had hoped that by now things would improve, and computers and monitors would become more readily available. Then reality shifted. The Omicron wave that we experienced during the winter is now hitting China. Their approach to dealing with Covid-19 is to lock down entire cities. Many of those are industrial centers, which means factories are closing and manufacturing is stopping. So, even if there were slots available in the ports to handle cargo ships, there won’t be many ships to fill for a few more months.

As many of you know, I prefer that my clients have fully-warrantied computers because it is an insurance policy against something going wrong. Lenovo’s technicians will be there within a day or two with a replacement part. However, because of the scarcity of monitors, I will loosen my rules and allow everyone one extra year before I consider replacement. The caveat being, if something goes wrong off-warranty, a full replacement is required.

The primary advantage I now see in Lenovo’s Tiny-in-One approach to computing is that monitors usually will last twice as long as computers. This means I can slip a new computer into the cubbyhole at the back of the monitor, and you can avoid an added expense.

But it sure would be nice to have monitors available for home users and businesses who need them. I’m going to revise my estimate for availability to late summer. Another factor to consider is that Lenovo announced a slew of new products, which are supposed to become available starting in April. Well, we’ll see about that.

Thanks, and safe computing!

What You Should Know About Crypto Miners

by Leave a Comment

Let’s start with some basic facts. A crypto miner is a malicious software that uses the resources of your computer to generate cryptocurrency for someone other than yourself. It is, at its most basic level, theft of services.

In 2018, crypto jacking (the practice of using browser-based programs to mine cryptocurrency without your knowledge or consent) and crypto mining (malware that usurps your computer’s CPU to mine cryptocurrency) grew to be major threats. The only way you’d know something was amiss was when you realized your internet browsing was very slow and, after a while, your computer stopped working until you restarted it. After a few days, the malware would cause you to “lather, rinse, repeat.” The biggest player in this arena was Coinhive.

Why did Coinhive target browsers? Because it was relatively easy to slip in as an add-on since the code appeared to be innocuous. It was, until you restarted your browser. At that point, the program would run any time your browser was open, using up electricity and processing power to generate minuscule amounts of the cryptocurrency called Monero.

In February 2019, Coinhive publicly announced it was ceasing operations the following month. The service stated that it wasn’t “economically viable anymore” and that the “crash” (of Bitcoin) had severely adversely affected the business. That pretty much sent a death knell to browser-based crypto coin mining.

So why am I bringing this up at the start of 2022? I recently read two articles and learned that crypto mining is alive and well. And it is not being used solely by cybercriminals. Nope, no, siree. Given the pandemic, it seems marketing types have prevailed at Norton, the eponymous Security 360 product maker. A new feature is the inclusion of crypto mining. Avast, a European maker of security software, has announced it is doing the same.

Apparently we live in an upside-down world when security companies allow their crypto miners but claim they can keep out everyone else’s crypto miners. But what does this mean? Well, for one, you have to opt-in to use this feature; Norton doesn’t install it indiscriminately. Also, your computer has to meet some stringent hardware requirements before you’d even see the option. The critical condition is that your computer has an advanced video card (where the computing will take place) so that you can mine Ethereum.

And then comes the kicker: Norton is going to take a good percentage of the money generated. They get 85% while you get 15%. And if you want to obtain your portion — having donated your computing resources — you are faced with additional fees (one a transaction fee and the other a processing fee to cash it in), which reduce your overall take. But suppose that’s not enough to dissuade you. In that case, this money is considered extra income by the Internal Revenue Service, so you will be responsible for including it on your annual tax return.

But the biggest question (and complaint) from security-conscious netizens is: Why would any security company think of doing this? The answer is simple: They want more money from consumers than they get from the annual subscription to their products. Consumers have learned that when subscribing to Norton 360 for the first year, they get a terrific discount. Norton sets the subscription to auto-renew and keeps your credit card on file. Savvy users realize they can turn off the auto-renewal and remove the saved credit card. The day after the current subscription expires, they can purchase a new discounted subscription with a different email address (e.g., larry2022@gmail.com for the current year because it was larry2021@gmail.com for last year’s subscription). It seems Norton is simply fighting back in a very unusual manner.

Do I think this is a good idea? Absolutely not! Is it well-intentioned? Undeniably no. Should all consumers be extremely wary about this? Resoundingly yes! Are you (my clients) affected by this? Not at all, because your computer is running SentinelOne Vigilance, part of your SPF+ or SHADE subscription. But if you know of someone who thinks Norton has a terrific security product, I would urge you to let them know that’s not necessarily the case.

Thanks, and safe computing!

Internet Explorer 11 and the June 15, 2022 Deadline

by Leave a Comment

Microsoft will end support for Internet Explorer 11 (IE) on June 15, 2022, as announced in May 2021.

Starting with Windows 10 version 20H2, which Microsoft released in October 2020, if you attempt to use IE, Windows will prompt you to use the Microsoft Edge browser.  You must make an explicit choice to deny that to continue to use the Internet Explorer browser.

Note: If you want to know what version of Windows you have, type the word winver in the Windows Search box (next to the Start button in the lower left-hand corner). The resulting “About Windows” window contains the version and build information.

The critical point to all of this is that Microsoft will jettison some outdated, still risk-prone software in favor of its new Edge browser, built on the same base as Google’s Chrome.

What does that mean for you? If you have an Internet Explorer icon on your desktop, it is time to delete it. Similarly, if you use IE to browse the web, you should transfer your Favorites (bookmarked websites) and your saved user IDs and passwords over to Edge or Chrome.

While Microsoft will provide a hybrid form of IE under Edge’s covers, the rest of the world has moved on. According to W3Schools, the internet’s most extensive tutor of web-based material, Chrome held the lead in usage with a commanding 81% of the market. Edge came in second with 6.6%, and Firefox held on with 5.5%. I am, and probably always will be, a stalwart fan of Firefox (at least until Mozilla stops supporting it).

In the upcoming months, I am hopeful that companies whose websites contain code explicitly built for Internet Explorer will remove that code to strengthen the security of their website. However, if they don’t, your browser should automatically switch to IE mode in Edge. But I won’t be surprised if bad actors make multiple attempts to figure out how to take over those websites to try to introduce malware to the unsuspecting.

Thanks, and safe computing!

Mistakes, I’ve Made a Few, But Verizon Has Made Many

by Leave a Comment

Yes, I’ll admit it: I make mistakes. And yes, sometimes my clients make mistakes. But most of the time, Verizon simply compounds them. Here’s one recent nightmare experience.

A client called and told me she was having trouble getting Wi-Fi on her phone. I asked her to reboot her Verizon modem, and if that didn’t fix it, to call Verizon. My expectation was they would identify any Wi-Fi problem.

Mistake number one: Mine, for not asking if any other Wi-Fi devices she had were working. I forgot she also had a tablet — and it was working.

When she called Verizon, the Customer Service Representative (CSR) looked at her account and said that her router was eight years old (effectively blaming the hardware) and arranged for a service call to replace it. My client, innocently enough, said OK.

Mistake number two: Hers, for not calling me back after she spoke with Verizon to let me know what happened.

Several days later, a Verizon technician came to her apartment. He removed her old, perfectly good router and installed a new huge device in her hallway closet. Then he went to her computer, enabled the Wi-Fi (which I had explicitly disabled when I delivered the computer a few years ago), and told her everything was working. Hours after he left, she realized that he had taken the old router.

I came along the following week to deliver a new all-in-one printer. Almost as an aside my client told me what the technician had done. I don’t know how many times I have to say this, but I will keep on repeating this forever: DO NOT LET ANYONE ELSE ACCESS YOUR COMPUTER! And if you do, let me know immediately.

I got over my anger and uninstalled the old printer’s software in preparation for the new one. I rebooted the computer, and… Darn it! The computer did not connect to the Wi-Fi. I tried every trick I knew, but the computer could not connect to the new Verizon router.

I called Verizon to complain and to get the new device set up as a wired connection. The CSR who handled this call told me that there were two fees associated with my request. The first was a $60 service charge to move the router; the second was a $99 dispatch fee to arrange the appointment with a technician to do the work.

Here’s what I told the CSR, “No! My client is not going to pay $160 to fix your mistakes. The first CSR should not have tried any form of upselling — that’s just despicable. (The new device will cost my client $15 a month forever.) The technician should not have placed the new router in the hall before asking what she wanted. And he should never have set her computer to use Wi-Fi.”

Mistake number three: All of them Verizon’s for sheer greed and stupidity.

“What would you do if this was your mother or your grandmother?” I asked the CSR. “Would you expect her to come up with $160 to fix a problem that wasn’t hers to begin with? In the spirit of the holiday season, let’s make this right.” Eventually, the CSR got a supervisor who listened to the story and agreed to waive the fees.

Another Verizon technician arrived a week later and listened to the story. He explained that the original CSR had also upgraded the old service to a new speed level and there was no way to go back. We discussed what options my client had — most were going to cost her significantly more money each month. He had a thought and followed it up. He told us that a network extender could use the old cables to connect to the network. He hooked one up, it worked spectacularly, and my client learned that because of a glitch in Verizon’s system, she wouldn’t have to pay $55 for the part. And I got to install her new all-in-one printer, albeit a week later.

Here are the lessons to be learned from this awful experience. If I don’t ask all the appropriate questions when a problem is reported, then that’s an item for improvement on my list of New Year’s resolutions. But if you are not technologically inclined (and that’s many of you), DO NOT take it upon yourself to go forward with computer-related changes without doubling back and checking with me. And I’ll offer my appreciation to the second Verizon technician who was willing to take the time to fix a problem others in his organization had caused.

Thanks, and safe computing!

Stay Cyber Safe This Holiday Season!

by Leave a Comment

Cyber Monday 2020 set a record for e-commerce spending in one day, totaling $10.8 billion. With the pandemic raging on, many customers took to online stores to do their holiday shopping. While New Jersey COVID-19 cases have declined in recent weeks and vaccinations continue, I expect many people will choose to conduct their shopping online and potentially start shopping earlier than usual, given concerns for supply chain issues and shipping delays. Some predict that online shopping spending will total over $200 billion for the first time by the end of the holiday season.

Given that volume of e-commerce shopping, cybercriminals will continue to target online shoppers and marketplaces for financial gain. Therefore, it is vital to maintain awareness of the many cyber threats posed by these individuals and groups. Threat actors may target victims through various methods, including compromised or spoofed websites, phishing emails, social media ads and messages, or unsecured Wi-Fi networks. I’m going to present a list of common attack vectors, along with some tips and best practices that will help you to combat cybercriminals’ threats during this holiday season.

Magecart and Other Online Skimming Attacks

Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Magecart attacks are conducted by many threat actors and are not specific to one group.

Once they steal payment card data, they can make fraudulent purchases or sell it on the dark web or other marketplaces. Cybercriminals are likely to continue to target online marketplaces this year. As such, I encourage you to use credit cards rather than debit cards because they often have better consumer fraud protections. Also, if you are especially concerned about fraudulent attempts on your card, you can consider enabling charge notifications for every card transaction. Enabling these notifications may make it easier for you to identify a fraudulent transaction as soon as it occurs. If you discover fraudulent activity on your account, lock the affected card, notify your bank immediately, and request a new payment card.

Be Wary of Links and Attachments in Unsolicited Emails

Around the holidays, you will likely receive emails from known retailers regarding sales and coupons, order confirmations, and shipping notices. Cybercriminals can create spoofed emails by stealing retailer branding to make fraudulent emails appear legitimate and may contain links or attachments that install malware or lead you to spoofed websites that steal your credentials. These emails may attempt to convey a sense of urgency — “Limited Time Offer!” — to prevent you from thoroughly inspecting the email for red flags. I urge you to avoid these schemes and go directly to retailer websites by typing the legitimate URL in your browser instead of clicking on links in emails. And please refrain from entering your login credentials on websites if you clicked on a link in an email that looks even slightly suspicious!

Take Caution with Social Media Ads

Everyone is blasted with ads as you scroll social media platforms. While many of these ads link to known, legitimate vendor websites, you may also be confronted with ads that link to malicious or otherwise suspicious sites that could be used to install malware, steal credentials, or sell counterfeit goods. Cybercriminals frequently employ URL shortening to trick people on social media sites and other outlets by hiding the true destination of a link. I suggest you use a URL expander (e.g., https://urlexpander.net) to reveal the true destination of shortened URLs before you visit any website and verify it is a legitimate vendor before making any purchases.

Look Out for Holiday-Themed eCards and Messages Meant to Install Malware

In the past, people have reported being targeted with various Thanksgiving Day-related scams. In some cases, spoofed emails were sent appearing to originate from legitimate organizations and contained the subject line “Thanksgiving eCard.” Last year, an Emotet banking trojan campaign was observed using Thanksgiving lures, with the subject lines “Happy Thanksgiving Day Greeting Message” and “Thanksgiving Day Card.” As malicious actors commonly leverage public interest and current events to conduct financial fraud and disseminate malware, I want to remind you to exercise caution with unsolicited emails, especially those with a holiday theme.

Do Your Online Shopping at Home

Avoid using public computers, such as those at a library or hotel, or public Wi-Fi connections to log in to your accounts or conduct online shopping. Miscreants could infect public computers with malware designed to steal your information, and hackers can intercept network traffic traveling over unencrypted Wi-Fi signals. If you must connect to public Wi-Fi, use a virtual private network (VPN) to secure information transmitted between your device and the internet. Additionally, I advise you to refrain from using your office (or work) computer to make online purchases as cyberthreats could endanger company and customer information.

Beware of ‘Secret Sister’ Gift Exchange Scam

Many people enjoy participating in group gift exchanges this time of year; however, beware of potential scams. Social media posts promoting a “Secret Sister” gift exchange promise between 6 and 36 gifts in exchange for sending one gift. While this type of chain letter appears innocent, it is illegal and considered a pyramid scheme. The scam, detailed by the Better Business Bureau, begins by requesting the name and address of the recipient and their friends. This holiday season, only participate in gift exchanges with individuals you know personally and refrain from sharing too much (or any) personal information online.

Verify Charities Before Donating

It is common around the holidays to donate to charities, particularly those that provide goods or services to those individuals and families in need. You may be prompted to donate via solicitations received through email or social media; however, these could be promoting fake charities or impersonating legitimate charities. Prior to donating, research the charity through a nonprofit site such as https://charitywatch.org or https://charitynavigator.org for information on charity legitimacy and other details, such as the percentage of donations that go directly to the associated cause.

Be cautious with your online activities, think before responding to emails, and call me if you have any questions.

Thanks, and safe computing!