Microsoft Is Adding New Cryptography Algorithms

Microsoft is updating SymCrypt, its core cryptographic library, with new quantum-secure algorithms. Microsoft’s details are here. From a news article:

The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren’t vulnerable to Shor’s algorithm when the keys are of a sufficient size.

The ML in the ML-KEM name refers to Module Learning with Errors, a problem that can’t be cracked with Shor’s algorithm. As explained here, this problem is based on a “core computational assumption of lattice-based cryptography which offers an interesting trade-off between guaranteed security and concrete efficiency.”

ML-KEM, which is formally known as FIPS 203, specifies three parameter sets of varying security strength denoted as ML-KEM-512, ML-KEM-768, and ML-KEM-1024. The stronger the parameter, the more computational resources are required.

The other algorithm added to SymCrypt is the NIST-recommended XMSS. Short for eXtended Merkle Signature Scheme, it’s based on “stateful hash-based signature schemes.” These algorithms are useful in very specific contexts such as firmware signing, but are not suitable for more general uses.

—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains

AI Enters the Mix as Online Job Scams Continue to Rise

You didn’t get the job. Worse yet, you got scammed. Because the opening was never real in the first place. It was a job scam, through and through.

We’ve covered job scams for some time here in our blogs. And as it is with many other sorts of scams, AI tools have made it easier for scammers to pull them off.

It looks something like this:

  • Thousands of phony job listings are written by AI chatbots.
  • Bogus social media profiles, many also created with AI, pose as recruiters.
  • Scam texts and emails featuring non-existent job offers.
  • And all kinds of fake interview loops are held entirely online, all masking the identity of the scammers behind them.

And the number of these attacks? They’re on the rise.

In the Federal Trade Commission’s (FTC) report earlier this year, it called out $491 million in reported losses due to job scams in 2023. Compared to the $367 million reported the year prior, that marked more than a 25% increase in losses. Overall, the median loss per victim was just above $2,000 each.

This aligns with further figures from the Identity Theft Resource Center (ITRC), which also saw a bump in online job scams. Comparing 2023 with 2022, the ITRC reported a 118% jump in reported scams.

As with all such figures, these only capture reported cases of job scams. Not everyone files a complaint with the FTC, law enforcement, or other agencies. Those figures are thus likely higher.

What are social media and job-hunting platforms doing about job scams?

Social media platforms have several mechanisms in place to identify and delete the phony profiles that scammers use for these attacks. In 2023, LinkedIn reported the removal of 86.8 million fake accounts over the year.[i] More than 90% were caught at registration and the remainder were caught through manual investigations. Overall, 99.6% of fake accounts were eliminated before a LinkedIn member reported them.

Likewise, Facebook has its own measures in place. Across 2023, they removed more than 2.6 billion fake accounts.[ii] Automated and other internal safeguards caught roughly 99% before users reported them. As for their latest figures, Facebook says it caught 99.7% of fake accounts before users reported them.

However, other platforms prove problematic. That’s simply due to their nature. As such, many job scam offers come by way of a Telegram message. Here, “recruiters” have a particularly enticing offer, yet say that they only communicate over Telegram. With that, job seekers have no real way of knowing who’s truly on the other end of the conversation.

Needless to say, that’s much the same problem people have with job scams that find them via text.

With that, scammers still find their way through carefully established defenses. And others stick to platforms and technologies that provide them with cover. For them, it’s a numbers game. They create high volumes of scam profiles, posts, and messages — now made easier with AI tools — and reel in the victims who fall for their lures. As the FTC’s data shows, just a handful of victims can net scammers thousands in return.

As job scams rise, here’s what to look out for

The people behind job scams want the same old things. They want your money, and they want your personal info for identity theft. In some cases, they want you to launder money or pass along bad checks, all under the guise of signing up for onboard training and materials.

Those are just a few of the signs. Here are several other red flags to look for:

They ask for your Social Security or tax ID number.

In the hands of a scammer, your SSN or tax ID is the primary key to your identity. With it, they can open up bank cards and lines of credit, apply for insurance benefits, collect benefits and tax returns, or even commit crimes, all in your name. Needless to say, scammers will ask for it, perhaps under the guise of a background check or for payroll purposes. The only time you should provide your SSN or tax ID is when you know that you have accepted a legitimate job with a legitimate company, and through a secure document signing service, never via email, text, or over the phone.

They want your banking information.

Another trick scammers rely on is asking for bank account information so that they can wire a payment to you. As with the SSN above, closely guard this info and treat it in the same way. Don’t give it out unless you actually have a legitimate job with a legitimate company.

They want you to pay before you get paid.

Some scammers will take a different route. They’ll promise employment, but first, you’ll need to pay them for training, onboarding, or equipment before you can start work. Legitimate companies won’t make these kinds of requests.

And look at the offer itself — more red flags to look for.

Aside from the types of info they ask for, the way they ask for your info offers other clues that you might be mixed up in a scam. Look out for the following as well:

1) The offer is big on promises but short on details.

You can sniff out many online scams with the “too good to be true” test. High pay, low hours, and even offers of things like a laptop and other perks might be the signs of a scam. When pressed for details, some scammers offer an answer full of holes or no reply at all.

2) They communicate only through email or chat.

Job scammers hide behind their screens. They use the anonymity of the internet to their advantage, so they won’t agree to a video chat or call, which are common nowadays. That’s a possible sign. Yet AI tools have changed the game here somewhat. Sophisticated scammers can create real-time deepfakes that overlay faces and voices over a scammer’s face and voice in video calls.

3) Things move too quickly.

Scammers love to keep their scams moving along at a good clip. They want to cash in quickly and move on to their next victim. Pay close attention if the recruiter starts asking for personal info almost right away. Or if they start asking for money or any dealings with money. It might be a scam.

Further ways you can protect yourself from job scams.

Do a little background check. Any time an employer or recruiter comes along, check out their company or employment agency online. It’s just the same as you would if you were prepping for an interview. Look at their history, what they do, how long they’ve been doing it, and where they have locations. Online reviews can help, as can a quick search online with the company’s name followed by “scam.”

You can also dig a little deeper than that.

In the U.S., the Better Business Bureau (BBB) offers a searchable listing of businesses. That includes a brief profile, a rating, and even a list of complaints (and company responses) lodged against them. Spending some time here can help sniff out trouble.

Internationally, you can turn to organizations like S&P Global Ratings and the Dun and Bradstreet Corporation. They can provide detailed background info, yet they might require signing up for an account.

Yet be on the lookout for imposters. Many job scammers will pose as recruiters at legitimate companies. They’ll use the logos and digital letterhead of real organizations and generally do what they can to convince you that they, and their offer, are real.

In these cases, look for the warning signs mentioned above. Follow up by visiting the website of the company in question. See if the job is listed there. Also, see if the contact info on the site matches up with the contact info the “recruiter” used to reach you. If they differ, you’re likely looking at a scam.

Lastly, protect yourself and your devices

Given the way we rely so heavily on the internet to get things done and simply enjoy our day, comprehensive online protection software that looks out for your identity, privacy, and devices is a must. Specific to job scams, it can help you in several ways, these being just a few:

  • Scammers still use links to malicious sites to trick people into providing their personal information. Web protection, included in our plans, can steer you clear of those links.
  • And scammers love lacing texts with links to suspicious sites and other places that can steal personal info. Our Text Scam Detector can block those links and prevent you from clicking on them. AI technology automatically detects scams by scanning URLs in your text messages. If you accidentally click a bad link, it’ll block a risky site.
  • Scammers have to reach you one way or another. Many get that contact info from data broker sites. Fueled by thousands of data points on billions of people, they can harvest your contact info, along with other personal info for a highly tailored attack. McAfee’s Personal Data Cleanup scans some of the riskiest data broker sites, shows you which ones are selling your personal info, and, depending on your plan, can help you remove it.

[i] https://about.linkedin.com/transparency/community-report#fake-accounts-2023-jul-dec

[ii] https://transparency.meta.com/reports/community-standards-enforcement/fake-accounts/facebook/#content-actioned

The post AI Enters the Mix as Online Job Scams Continue to Rise appeared first on McAfee Blog.

—————

How To Minimise the Fallout From a Data Breach

There used to be a saying that ‘nothing is certain except death and taxes’. Well, I now think it needs to be amended – and ‘data breaches’ needs to be added on the end! Regardless of where you live, not a month goes by without details of yet another data breach hitting the news headlines. This year has seen some of the biggest, most damaging breaches in recent history. According to the US Identity Theft Resource Centre, over 1 billion people were impacted by data breaches in the first 6 months of 2024. Up to 560 million people worldwide were affected by the Ticketmaster data breach, 30 million in the Ticketek breach and all AT&T’s cell customers had call and text records exposed in a massive breach. And that’s just a few quick examples.

What Is A Data Breach?

A data breach happens when there is unauthorised access to sensitive, private, or confidential information. This could include account details, purchase histories, customer identities, payment methods, or confidential private data, for example, medical records.

There are a few different ways that a data breach can happen. Firstly, hackers may exploit weaknesses in systems, networks, applications, or even physical security to gain unauthorized access to sensitive information. These hackers may be acting alone or be part of a larger ring. Secondly, a ‘malicious insider’ may be responsible – a disgruntled or recently sacked employee who wants revenge by hurting the company, or an employee who wants to profit off the company’s data by selling it online. And lastly, it can happen accidentally – when an email containing sensitive data ends up in the wrong hands, a laptop with sensitive data gets stolen, or even a USB drive with confidential data is lost.

It Feels Like There Are More and More Breaches. Is that True?

It’s hard to really know whether there has actually been an increase in data breaches or if the new reporting laws mean we are now aware of new breaches. For years, data breaches have likely been occurring without our knowledge. In Australia, there has been a consistent rate of data breaches since 2020 – about 450 every 6 months. And while this is higher than when the mandatory reporting laws were brought in in 2018, this could be explained by an increased vigilance by the companies themselves.

Is It Inevitable That We Will All Be Affected?

Over the last 2 years in Australia, we have had some significant data breaches that have affected more than 10 million Aussies each time. In 2022, the Optus and Medibank breaches each affected around 10 million Aussies, in 2023 the Latitude Financial breach affected 14 million consumers and the recent Medisecure breach in May 2024 affected close to 15 million customers. And who can forget the Canva data breach in 2019 that affected 139 million customers worldwide? And that’s only the large ones! It’s now widely accepted that most Aussies would have been affected by a data breach with some affected on multiple occasions.

So, I believe the time has come when we need to accept that data breaches are part of modern, digital life and redirect the energy we could use worrying into protecting ourselves so that the fallout will be minimal. Here are three areas where I suggest you spend some energy.

  1. It’s All About Passwords

Ensuring you have a unique, long, and complex password for each of your online accounts is the ABSOLUTE best way of protecting yourself in case of a data breach. Let me explain. It’s pretty common for hackers to steal customers’ personal data as part of a data breach and this will include login credentials. Hackers will then use bots to test the stolen email and password combination to see where else they could possibly get entry. So, if you’ve used the same password elsewhere then you could be in for a world of pain.

But let’s keep it real. Many of us don’t have a separate password for every online account. It takes a lot of work to reorganise your digital life. Most folks have a handful of passwords they use on rotation. But as you can see, this isn’t ideal.

And remember, if you find out a company you have an account with was hacked, change your password immediately. And of course, if you have used that password, or even something similar, on any other accounts then you’ll need to change it too.

Why a Password Manager Might Just Be Your New Best Friend

The best way to get on top of this whole situation is to invest in a password manager like McAfee’s free software TrueKey that can both generate and remember super complex passwords. With many people having 100+ online accounts, you would need to be a member of Mensa to remember all those passwords on your own. A password manager takes all the stress away.

  2. Multi-Factor Authentication

If someone has managed to get their hands on your email/password combination but you have multi-factor authentication in place then you will be protected as it will stop any unauthorised access to your account. How good!! So, if any platform or company that you have an account with offers it then PLEASE action it.

Now, there are two main types of two-factor authentication: one that sends a code via text message, and another that uses an authentication app, typically installed on a mobile device. Since phone numbers can be hijacked and text messages intercepted, I always recommend using an authentication app for added security.

  3. Be Careful What You Share

Believe it or not, a company’s security breach may not be the reason that your data is stolen. All it can take is a small slip-up – and remember we are all human! Here’s what you need to do to be vigilant:

  • Shred all documents that contain sensitive information. Don’t just throw them in the bin.
  • Be wary of providing sensitive information over the phone.
  • Avoid clicking on links in emails. Instead, visit the company’s website directly.
  • Use security software such as McAfee’s Total Protection.
  • Never share sensitive information over Wi-Fi.
  • Use credit cards where possible as they usually offer stronger fraud protections than debit cards.

  4. Be Alert and Informed

Staying up to date with the news and abreast of data breaches is a great way to stay vigilant. Services like Have I Been Pwned allow anyone to check if their email addresses or phone numbers have been involved in a data breach. Simply enter your email address on their site, and they will provide a list of breaches in which your information was compromised. Firefox also offers data breach alerts, while Apple lets you check for leaked passwords stored in iCloud.

You can also subscribe to credit monitoring services which will alert you to any major changes in your credit report that could indicate identity theft or fraud.

I also recommend taking the time to check your bank and credit card account statements for anything unusual or unauthorised. And always report anything suspicious to your bank ASAP.

  5. Don’t Overshare

I also recommend that you rethink everything you share online. Remember, anything you share online could resurface in a breach and that includes private messages, photos, and social media posts. If you do need to upload sensitive files to the cloud for storage such as a picture of your birth certificate or passport, why not encrypt the image first so that no one else can retrieve it?

Encrypted messaging services are also a great idea if you are concerned about your privacy. I’m a big fan of Signal but WhatsApp and Telegram are also good options.

So, the bad news my friends, is that data breaches are inevitable unless you are planning on dropping out of society and living off the grid – tempting, I know! But the good news is that there are steps you can take to ‘future-proof’ yourself for that moment when you will be affected. So, rethink your password strategy, turn on 2-factor authentication, limit what you share, and you’ll make it hard for cyber criminals to get entrenched in your digital life.

Till next time

Stay safe online

Alex

The post How To Minimise the Fallout From a Data Breach appeared first on McAfee Blog.
