Google Warns of Government Backed Phishing

From Google security blog at https://security.googleblog.com/

Foreign governments using phishing attacks have been in the news lately. If you receive such a warning from Gmail, it could well be genuine. You may wish to consider two-factor authentication on your account. There is also the Google Advanced Protection Program if you are a strategic target for such attackers.

One of the main threats to all email users is phishing, attempts to trick you into providing a password that an attacker can use to sign into your account.

Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers. These attempts come from many countries. Since 2012, Google has shown prominent warnings within Gmail notifying users that they may be targets of these types of phishing attempts; they show thousands of these warnings every month, even if the specific attempt has been blocked.

Google intentionally sends these notices in batches to all users who may be at risk, rather than at the moment the threat itself is detected, so that attackers cannot track some of Google’s defence strategies. Google has an expert team in its Threat Analysis Group, and uses a variety of technologies to detect these attempts. Google also notifies law enforcement about what it is seeing; they have additional tools to investigate these attacks.

Even if you don’t receive such a warning, you may wish to consider enabling 2-step verification in Gmail. And if you think you’re at particular risk of government-backed phishing, consider enrolling in the Advanced Protection Program, which provides even stronger levels of security.

Fightback Ninja Signature

Fake Designer Goods

Market stalls, tourist spots, high streets, beaches, the Internet – all places where you are likely to come across people selling fake designer goods.

But is there any harm in nabbing a pair of “Louboutins” from a market, or a “Chanel” handbag from a girl selling them on a foreign beach?

The answer depends a lot on the situation and what the buyer expects. If you make an impulse buy in a tourist market and pick up fake perfume – as long as you know it’s going to be fake then that’s up to you. Whereas if you invest a lot of money in an APPLE iPhone believing it to be genuine but at a bargain price and then find out the item is a cheap knock-off – you’re not going to be pleased.

The argument that by buying fakes you are depriving the legitimate business of its sales is sometimes true, but most people are never going to buy the expensive designer goods anyway, and buying something that looks expensive but was cheap may be harmless fun.

Fake goods do damage the reputation of the legitimate companies and chances are the fakes are made in much worse factories and conditions than the genuine articles, so should be avoided for that reason alone.

The National Fraud Intelligence Bureau advises consumers to avoid buying fake goods because “you’re helping the trader to break the law”. “Many fraudsters use the proceeds from selling counterfeit goods to fund drug dealing or other types of organised crime.”

“In 2010, Louis Vuitton initiated 10,673 raids and 30,171 anti-counterfeiting procedures worldwide, resulting in the seizure of thousands of counterfeit products and the breaking up of criminal networks.”

“So long as people know what they’re getting, there’s really no need to get worked up about it.”

Fake Trip Advisor Reviewer Jailed

An Italian has been jailed for selling hundreds of fake TripAdvisor reviews.

The owner of an Italian business (Promo Salento) that sold fake TripAdvisor reviews has been sentenced to nine months in prison. He posted favourable reviews on behalf of hundreds of restaurants, was sentenced by a court in Italy and was also ordered to pay around €8,000 (£7,100) in damages and legal costs.

The unnamed businessman submitted over 1,000 paid-for reviews to TripAdvisor, pretending to be satisfied diners. He charged restaurants €100 for 10 reviews.

The court in Puglia ruled that writing fictional reviews using a false identity is criminal conduct. Paid review fraud is illegal in EU countries, but this is the first case to result in a jail term. TripAdvisor hailed the result as “a landmark ruling for the Internet”.

“Writing fake reviews has always been fraud, but this is the first time we’ve seen someone sent to jail as a result,” said Brad Young, the company’s vice-president, in a statement. He also said that since 2015, TripAdvisor had put a stop to the activity of more than 60 different paid review companies worldwide.

TripAdvisor is the world’s biggest travel website with more than 600 million reviews covering accommodation, airlines, museums and restaurants. The quality of the customer reviews is essential to TripAdvisor and there has been bad publicity over fake reviews at times with complaints that TripAdvisor doesn’t do enough to weed out the fake ones.

A market has developed for businesses offering reputation management, which can then include writing good reviews for the client and submitting negative reviews of their competitors. This is not legal, but it is difficult to prove.

As an experiment, a Vice journalist wanted to see if he could get a ridiculous non-existent restaurant to rank highly on TripAdvisor.

He selected his garden shed, called it “The Shed”, created a pretentious website and made photographs of ridiculous looking food – largely created with shaving foam, colourants and anything to hand. Then using friends he created so many top reviews that his shed became the number one restaurant in London according to TripAdvisor.

Oh dear, TripAdvisor.

Almost all reviews on TripAdvisor and similar sites are believed to be real, but do beware the fakes.

The New Breed of Computer Takeover Compensation Scam

A computer takeover scam has been doing the rounds for years now, where a scammer will call, claiming to be from Microsoft or Virgin or BT or a similarly well-known company, saying that your computer has been hit with a virus and that they can remove it for you remotely. When you let them take over your computer, they then try to take as much personal information as possible (logins, passwords, card payment details etc.) in order to steal your identity or steal from your accounts.

However, according to Financial Fraud Action (FFA) UK, scammers are branching out by impersonating other firms or organisations, and offering to help with a slow computer or internet connection, or even claiming your information has been hacked and you are due compensation.

The Scam

Once the victim has handed over remote control of their computer, the fraudster will tell the victim that they may be entitled to compensation, or put them through to a supervisor who will appear to make an offer of compensation.

The scammer will say that they are sending the money and ask the victim to log into their bank account to check that it has arrived.

But the fraudsters will put up a fake screen to make it appear that the money has arrived. Meanwhile they will be working away in the background to empty your bank account.

They may ask for a bank passcode to be sent by text, which they will claim is necessary in order to process the refund. In reality, they need this to set themselves up as a new payee from your bank account and take your money.

How to Protect Yourself

The FFA recommends following these steps to ensure you aren’t duped by this version of the scam:

  • be wary of any unsolicited approaches by phone offering compensation
  • do not let someone you do not know have access to your computer, especially remotely
  • do not log onto your bank account while someone else has control of your computer
  • do not share one-time passcodes or card reader codes with anyone
  • do not share your PIN or online banking password, even by tapping them into a telephone keypad.

If you are in doubt, then call the organisation back on a number you trust; if they are legitimate they will help.

WordPress Owners Survey

Dan Moen carried out a survey in 2016 of people who have WordPress websites that have been attacked, seeking to understand why and how the attacks were being made. 1,032 people responded to the survey.

The most telling statistic is that 61% of respondents didn’t know how the attacker compromised their website.

This is of concern because if you don’t know how the attack was made, it is difficult to be sure you have blocked a repeat.

For the site owners who did figure out how the attackers entered, there are two main findings:

  1. Plugins Are A Big Risk

Plugins play a big part in making WordPress very popular and very useful and there are tens of thousands of plugins available for WordPress. But you obviously need to be careful with them, as plugin vulnerabilities represented 56% of the known entry points reported by respondents.

  2. Brute Force Attacks Are A Big Problem

A brute force attack is a password guessing attack. The attacker needs to both identify a valid username on your website and then guess the password for that username. This type of attack is a huge problem, representing 16% of known entry points.

How to Protect Your WordPress Site

  1. Don’t Use Obvious Usernames

Every WordPress site has an administrator login, and it should be renamed, because “administrator” or “admin” are too easy to guess and are the usernames most often tried in brute force attacks.

Make the login something impossible to guess and not used elsewhere on the site.

  2. Add Security Plugins

For example WordFence, Jetpack etc., which typically provide features such as:

  • Enforce strong passwords
  • Lock users out after a defined number of login failures
  • Lock out users after a number of forgot password attempts
  • Lock out invalid usernames

  3. Keep Plugins Updated

Reputable plugin creators fix any vulnerabilities quickly when they are discovered. By keeping plugins up to date you ensure that you benefit from fixes before attackers can exploit them. Check for updates at least weekly if your WordPress website does not do this automatically.

  4. Only Download Plugins From Reputable Sites

If you are going to download plugins somewhere other than the official WordPress repository, you need to make sure the website is reputable. One of the easiest ways for attackers to compromise your website is to trick you into loading malware yourself. An attacker will do this by setting up a website that looks legitimate and getting you to download a compromised plugin.
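The brute force finding above and the lock-out-after-N-failures feature of the security plugins both come down to the same check: how many failed logins a single source makes in a short time. Below is an added example of that check written against web server access logs, not code from the survey or from any plugin; it assumes Apache/nginx combined-format log lines, a constructed sample log, and that a failed WordPress login re-renders wp-login.php with HTTP 200 while a successful one answers with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined-format access log line (see constructed sample below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def failed_logins(lines):
    """Yield (ip, timestamp) for each failed wp-login.php POST.
    Assumption: a failed login re-renders the form with HTTP 200,
    while a successful login answers with a 302 redirect to wp-admin."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == 200
                and rec["path"].split("?")[0] == "/wp-login.php"):
            yield rec["ip"], rec["ts"]

def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for IPs with more than max_attempts failed
    logins inside any sliding window, the same rule a lockout plugin applies."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: six rapid failures from one host; one failure, a success
# and a much later failure from another host (well below the threshold).
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2018:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3210'
    for s in range(1, 31, 5)
] + [
    '198.51.100.4 - - [10/Mar/2018:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210',
    '198.51.100.4 - - [10/Mar/2018:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Mar/2018:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

Feeding a real access log in line by line gives the list of sources a lockout rule would have blocked; the 200-means-failure assumption does not hold if a plugin or custom theme changes the login response codes.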

Keep your WordPress website safe.

If your website has been attacked – let me know the details and the outcome by email.