Category Archives: cybersecurity

It’s a scam

Republished from: https://www.sydney.edu.au/news-opinion/news/2024/05/15/it-s-a-scam.html

Securing cyber frontiers

Australians are losing more money to scams than ever before – more than $3 billion a year – in what appears to be a ‘golden age’ for scammers. Cybersecurity expert Dr Suranga Seneviratne is researching ways to outsmart them and to avoid data breaches. He believes scams are about to get more sophisticated, but envisions an increasingly ‘cybersafe’ future.

What scams are currently most common in Australia?

There is a universal pattern of what we call ‘spray and pray’ attacks. These are SMS messages or emails that are crafted in bulk and sent by attackers or organised crime syndicates to millions of people, hoping to catch at least some people. These messages are along the lines of “You missed this delivery” or “We noticed this unusual activity in your bank account”. Or around tax time, there might be messages related to problems with your tax return. Also common are Facebook Marketplace scams using PayID. That’s when the scammer, pretending to be a buyer, tries to convince the seller to accept payments via PayID. They then send a fake email which appears to be from the bank, asking for the payment of a fee to activate or increase the payment limit of PayID.

We’ve also noticed scams moving into other channels. Scams used to be sent via SMS and email – but now they’re increasingly being sent via social media and messenger apps. For example, on WhatsApp, there is this scam along the lines of, “Hey Mum, this is my new phone number, I lost my previous phone. Can you transfer some money?”

What are the key emerging cybersecurity threats?

The thing that keeps me up at night is the impact of generative artificial intelligence (AI) and how it could give scams a significant boost. It’s the automation and scaling up of scams that I’m most concerned about. Phishing and marketplace scams have previously involved human effort. Soon they might be fully automated, executed in good English and personalised to their targets. They’re likely to be using email samples and contextual information from social media posts to mimic the writing style of real people or organisations. Some will use convincing images and even AI-generated voices. All of this will create more persuasive, plausible messages that people tend to believe more.

A hacker used to target one or two businesses, but now they can use an AI-based tool to attack hundreds of businesses overnight. This will create scams on a scale that we haven’t anticipated, and we don’t yet know what impact this will have.

Who is most vulnerable to scams?

I’m most concerned about people who are already experiencing disadvantage – the elderly, immigrants, and people with language problems. They tend to fall victim to these messages because they’re not aware of the patterns and they’re also new to what’s happening in Australia. I can’t conclusively outline the numbers, but in my experience, I have seen more cases in these communities than any other.

Why do people fall for scams?

It’s more psychology than financial desperation. Scammers are highly skilled manipulators who use social engineering and emotional triggers. They take advantage of a lack of awareness or vigilance by people who are leading busy lives. There is often some sort of urgency in the matter, and we tend to want to act because we’re worried and want to respect authority. However, if you have heard about these typical patterns, then you’re more likely to figure out that it’s a scam. In the past, we have mostly tried to push this problem towards the users – the idea being that they fall victim to scams because they don’t know any better. But one thing we firmly believe is that the technological solutions must be also ready to assist them, so that these attempts don’t reach users in the first place – so that is something we are working on.

What research and practical measures are you working on to combat scams?

Cybersecurity has always been an arms race between attackers and researchers. As security researchers, we need to identify vulnerabilities and potential threats before they are exploited, and come up with countermeasures when attackers change their strategies.

Right now, at the University of Sydney, we’re developing AI algorithms to detect freshly launched phishing URLs (website links), in a project funded by the Defence Innovation Network, in collaboration with Thales Australia. Phishing is when attackers attempt to trick users into doing the wrong thing, like clicking a malicious link that will download malware, direct them to a dodgy website, or to a login screen impersonating a popular website.

While many existing solutions can detect phishing emails and SMS messages, attackers can evade them. So we’re working on a solution that analyses the URL information and draws on the capabilities of Large Language Models (AI learning models that are pre-trained on vast amounts of text data to generate new text content) to build better-performing phishing detectors.

We’re also building technologies that will enable companies to collaborate on training their AI models, without revealing their sensitive data. This will enable them to develop what’s called ‘cyberthreat intelligence’, by finding solutions together.

In addition, we’re working to raise awareness about scams in the media, and will be offering more education in the cybersecurity area in future. We need to be instrumental in brushing up people’s skills, for example through micro-credential courses, reaching audiences beyond university students. To deliver this education, we’re building a cyber training lab at the School of Computer Science that will open in early 2024.

How do you envisage the cybersecurity future – will the proliferation of scams ever subside?

I’m not going to say that we will completely outsmart the attackers, but in terms of our skillset as a nation, if we have enough awareness, technology and knowledge – and the workforce to address it – then we should be able to identify scams early. We should be able to get on top of things quickly when attacks happen and respond before they affect many people. Until then, we need to be more vigilant than ever.

COVID, lockdowns, tax time: scammers pose triple threat

Current conditions the perfect ‘breeding ground’ for scams.

The pandemic, ongoing lockdowns and tax return time are leading to a perfect scam storm, says Dr Suranga Seneviratne from the School of Computer Science.

Dr Suranga Seneviratne is a computer scientist and cybersecurity expert from the Faculty of Engineering who warns that conditions caused by the pandemic are leaving Australians vulnerable to a scam surge. He provides timely advice on how to spot scams and avoid becoming a target.

“The COVID-19 pandemic has hit Australia again. Many of us were caught off guard and we have all had to quickly react and adjust. Changed work conditions – or lack thereof, home-schooling, social isolation and information overload are making many of us, even the tech savvy, vulnerable to scams,” said Dr Suranga Seneviratne.

“Scammers target vulnerability and thrive on disorder – current conditions are the perfect breeding ground for this type of nefarious activity.

“Now, more than ever, we should be on high alert for possible cyber-crime and scam activities targeting us.”

Lessons from lockdown 1.0

“Last year we witnessed several pandemic-specific scamming activities. The early days of the pandemic saw attempts to distribute malware using apps and websites disguised as providing COVID-19 information,” said Dr Seneviratne.

“There were also phone, SMS, and email campaigns around the world where the attackers targeted mobile users with convincing stories, such as pandemic relief packages, test results, information about travel restrictions, and early access to vaccination. During the same time, regular scam activities – such as romance scams and fake advertisements – also increased locally as well as globally.

“For example, according to the Australian Competition and Consumer Commission (ACCC)’s latest report [link?], losses from scam activities sky-rocketed in 2020 – increasing by a staggering 23 percent compared to 2019. The US Federal Trade Commission reported similar trends in the US.”

What’s happening this time around?

Fig 1. A message claiming to be from DHL which contains a link to a fake website. Clicking this link could infect your device with malware, spyware or a virus.

“While it remains to be seen whether scam activities have increased during the current outbreak, there’s evidence that attackers are “seizing the moment” with crafty stories designed to exploit people’s heightened vulnerability,” said Dr Seneviratne.

“Just last month, Australian mobile users were targeted by the ‘Flubot’ scam. Targeted users received a seemingly innocuous SMS with a link to a supposed voice mail message. Once the link was clicked, users were asked to install a voicemail app, which was in fact malware. Some thought this message was related to their COVID test results.

“During the pandemic, people have been getting calls from unknown numbers for all sorts of reasons, and not all of them have been nefarious. This increased communication, coupled with many people being more preoccupied than usual, has caused many otherwise cautious people to absent-mindedly click malware links or answer calls from scammers.

“Business emails have also been compromised by scammers. Some businesses or individuals may be behind their payments due to the pandemic or dealing with challenging remote working conditions. Attackers have been pretending to be suppliers, trying to scam money from businesses.”

“Fake postage or logistic texts and emails, claiming to be DHL, Australia Post and Toll have been rife too, with scammers capitalising on the increase in orders and trade by post.”

“Now that we are in a new financial year, increasingly, scammers are posing as the Australian Taxation Office and are requesting large sums of money. There have also been instances where people have received voicemails telling them they have a warrant out for their arrest because of tax evasion.”

6 top tips for avoiding cyber scams

Fig 2. An email claiming to be Australia Post. Note the actual email address is “AustralianPost@azedf.z-mcit.org.uk”. Be sure to watch out for small details like this.

There are several easy, everyday actions we can all take that can protect us against cybercrime, such as: regularly updating our software; using antivirus solutions; creating secure passwords; and enabling multi-factor authentication.

There are also several scenarios in which you should proceed with caution:

  1. If you receive an unsolicited message with a link, don’t click it. Many text messages appear to be legitimate, but on closer inspection are not (see Fig. 2).
  2. If you receive a text alerting you to a voicemail, don’t click the link. Instead use your telco provider’s voicemail number to find out if you actually have received one.
  3. The same goes with the bank or other similar institutions. If you get a message, don’t click on it. Instead, directly log into the bank from your computer or the app. Many banks are now moving away from sending texts containing links. Rather they only send messages like “there was some suspicious activity in your account, please log in to your online banking portal and check”.
  4. Never give out your personal information over the phone on an unsolicited call. There are many occasions that we receive legitimate calls from unexpected numbers at unexpected times. However, if you give away personal information over the phone, it is strongly recommended that you first verify the identity of the other party. For example, if the person claims to be calling from the bank, ask for their name and enquire as to their request, then hang up and call the bank at a verified number and corroborate these details – the bank will be able to tell you if this was a legitimate request.
  5. Check email sender information.
    While email filtering solutions are doing a reasonable job in preventing bulk phishing attempts from entering your inbox, highly targeted phishing and scam attempts can still make it into your inbox. Always check the email address of the sender and do a verification of whether it is really coming from the person it claims to be. For example, if one of your work colleagues emails asking for an urgent financial favour, verify whether it is the correct email. These phishing attempts will often get the names and contact information correct and combine it with a plausible story, but if you inspect closely you will realise the email address is not the one you know. For example, a fake University of Sydney email address might read: john.Appleseed@sydney.au.edu or john.appleseed@sydney.co.

    Especially on mobile devices, attacks often manipulate sender names so you only see part of the sender name, such as “Australia Post”. But when you expand the actual email address, such emails will not have a valid Australia Post domain name (see Fig. 2).
  6. Remember everyone is vulnerable to being scammed. While all of this may seem obvious and straightforward, many tech-savvy people have fallen victim to these simple tricks and heightened stress is making us all more susceptible.
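Tip 5 above describes a manual check: read the actual sender address behind the display name and compare its domain with the one the organisation or colleague really uses. The following Python script, added here as an example and not code from the original article, automates that check for a mailbox rule or a triage script. The brand-to-domain table, the contact book and the sample headers are constructed for illustration (auspost.com.au is assumed to be Australia Post’s legitimate sending domain); the lookalike addresses are the ones quoted in tip 5 and Fig. 2.

```python
"""Flag From headers whose display name claims an organisation or colleague
but whose actual address domain does not belong to them.

Added example, not code from the original article. BRAND_DOMAINS, KNOWN_CONTACTS
and SAMPLES are constructed; in practice they come from your own records.
"""
from email.utils import parseaddr

# Constructed allowlist: sending domains a display name is expected to use.
# auspost.com.au is an assumption for illustration.
BRAND_DOMAINS = {
    "australia post": {"auspost.com.au"},
    "university of sydney": {"sydney.edu.au"},
}

# Constructed address book: the address you already know for a colleague.
KNOWN_CONTACTS = {
    "john appleseed": "john.appleseed@sydney.edu.au",
}


def sender_domain(address: str) -> str:
    """Return the lower-cased part after the single '@' ('' if malformed)."""
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1].lower().strip()


def domain_matches(domain: str, allowed: set) -> bool:
    """True if domain equals an allowed domain or is a subdomain of one.

    'mail.auspost.com.au' matches 'auspost.com.au';
    'auspost.com.au.example.org' does not, because the comparison is on the
    right-hand label suffix, not a substring search.
    """
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_from_header(from_header: str) -> dict:
    """Classify a From header as 'ok', 'suspicious' or 'unknown'.

    'suspicious' is the Fig. 2 pattern: the display name names a brand or a
    known colleague, but the real address is not the one they use.
    'unknown' means we hold no record for this display name, so there is
    nothing to compare against; it is neither cleared nor flagged.
    """
    name, address = parseaddr(from_header)
    name_key = name.strip().lower()
    domain = sender_domain(address)
    result = {"display_name": name, "address": address, "domain": domain}

    if not domain:
        result["verdict"] = "suspicious"
        result["reason"] = "address is malformed or missing"
        return result

    # Known colleague: the full address must be exactly the one on record.
    if name_key in KNOWN_CONTACTS:
        expected = KNOWN_CONTACTS[name_key]
        if address.lower() == expected:
            result["verdict"] = "ok"
        else:
            result["verdict"] = "suspicious"
            result["reason"] = f"expected {expected}, got {address}"
        return result

    # Known brand: the address domain must belong to that brand.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name_key:
            if domain_matches(domain, domains):
                result["verdict"] = "ok"
            else:
                result["verdict"] = "suspicious"
                result["reason"] = f"'{name}' does not send from {domain}"
            return result

    result["verdict"] = "unknown"
    return result


# Constructed sample headers; the addresses mirror those quoted in the article.
SAMPLES = [
    '"Australia Post" <AustralianPost@azedf.z-mcit.org.uk>',  # Fig. 2 lookalike
    '"John Appleseed" <john.Appleseed@sydney.au.edu>',        # tip 5 lookalike
    '"John Appleseed" <john.appleseed@sydney.co>',            # tip 5 lookalike
    '"John Appleseed" <john.appleseed@sydney.edu.au>',        # address on record
    '"Australia Post" <noreply@auspost.com.au>',              # assumed genuine
    "Someone Else <someone@example.net>",                     # no record held
]

if __name__ == "__main__":
    for header in SAMPLES:
        r = check_from_header(header)
        print(f"{r['verdict']:10s} {header}  {r.get('reason', '')}")
```

The check deliberately compares the whole address for colleagues and only the domain suffix for organisations: a colleague’s mail comes from one known mailbox, whereas an organisation may send from several subdomains. A display name the script has no record for is reported as unknown rather than cleared, so the absence of a match never counts as evidence of legitimacy.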

Originally posted at https://www.sydney.edu.au/news-opinion/news/2021/09/23/covid–lockdowns–tax-time–scammers-pose-triple-threat.html

Cybersecurity trends in 2020

What will 2020 have in store for cybersecurity? Tighter regulation, increasingly sophisticated attacks on key infrastructure and AI-driven cyber warfare, according to Dr Suranga Seneviratne from the School of Computer Science.

Internet of (Insecure) Things

“Internet-of-Things technology is becoming increasingly popular, with smart home devices on the rise in Australia,” said cybersecurity expert from the University of Sydney’s School of Computer Science, Dr Suranga Seneviratne.

“Domestically, the household Internet of Things market reached $1.1 billion in 2018, which was a 57 percent increase compared to the previous year.

“We can’t deny IoT’s ubiquity, but are all these devices really secure? Are we opening up our houses to attackers to build botnets (i.e. secretly using our smart home devices to attack other internet hosts), steal our data, or worse, control our houses?

“Perhaps it’s time we looked at enforcing stricter regulations to make these devices more secure, which is already happening in the UK and US. The draft Australian Voluntary Code of Practice: Securing the Internet of Things for Consumers is definitely a step in the right direction.”

Tech giants under scrutiny: what to expect

“Under the European Union’s General Data Protection Regulation (GDPR) framework we saw some big tech companies being held accountable for collecting personal data without proper consent,” said Dr Seneviratne.

“The Cambridge Analytica incident also generated a much-needed and overdue discourse on how to collect and handle personal data.

“In California, where the majority of US tech-companies are based, the CCPA (California Consumer Privacy Act) will come into effect from January 2020.

“Yet, globally, we still don’t have a proper framework on how to balance the trade-offs between privacy and consumer utility, particularly with data that’s stored remotely. Will storing data on devices finally become trendy?”

Cyberthreats on critical infrastructure — are we ready?

“This year we witnessed several global attack attempts on critical infrastructure, such as electrical grids and government services. These attacks are likely to become more frequent, more sophisticated and increasingly politically motivated,” said Dr Seneviratne.

“While it is important for governments and businesses to take all possible measures to detect and prevent these attacks, they must begin preparing for worst-case scenarios. In 2015 Ukraine bore the first ever attack of this kind. Attackers were able to disrupt the power supply of more than 200,000 people for a few hours.

“Do governments and large service providers have proper incident response protocols in place to prevent such attacks? Are employees well trained to handle such threats? In some cases, the way we react to an attack could make things far worse.”

AI-driven security and privacy threats

“Artificial intelligence is becoming pervasive: already we’ve witnessed demonstrations that have used AI to bypass CAPTCHA and facial-recognition software. For example, on one occasion, researchers showed how specially printed patterns on spectacle frames could trick state-of-the-art commercial facial recognition systems to think the wearer was someone else,” said Dr Seneviratne.

“It can be expected that these attacks will soon go beyond prototypes and into the real world, with hackers using AI to circumvent traditional antivirus solutions, such as malware detection systems and intrusion detection systems.”

Define: Internet of Things

The Internet of Things, or IoT, refers to physical devices that are connected to the internet and that collect and share data. They include devices like smart speakers, televisions, and even fridges.

Originally posted at https://www.sydney.edu.au/news-opinion/news/2020/01/07/cybersecurity-trends-in-2020.html

How to stay safe online

School of Computer Science academic, Dr Suranga Seneviratne shares his advice on how to stay safe online to avoid malware and hackers corrupting your devices.

Dr Seneviratne shares his 8 tips for staying safe online — and they’re easier to follow than you might think.

1. Keep your devices up-to-date

“If a manufacturer or Operating System provider recommends a software update for any device you use, be it a laptop, desktop, tablet, or smartphone, simply do it,” said Dr Suranga Seneviratne.

“These updates can contain important security patches for recently discovered vulnerabilities. Updating software will keep your devices safe,” he said.

2. Use more than one trusted security software

“Use several trusted security software such as antivirus, internet or browser security (for example, a browser plugin that will warn you about harmful websites), and a password vault to manage your passwords. But do your due diligence and select this software carefully. Read reviews and stick to well established providers. Be cautious, especially if you are thinking of using free security software,” said Dr Seneviratne.

3. Enable multi-factor authentication

“If you are connecting to your online services from a range of devices it might be worthwhile to enable multi-factor authentication such as SMS codes or use of a security key. This means a hacker cannot simply log in to your account using just a password,” he said.

4. Don’t use untrusted WiFi networks

“It might be tempting to use free WiFi networks, especially when you are on the move or travelling overseas without mobile coverage,” said Dr Seneviratne.

“Free WiFi could be a gateway for malicious behaviour. Be extra careful when using these networks and always use a VPN by a trusted provider,” he said.

5. Don’t open email attachments from unknown senders

“Be mindful in opening email attachments as they can contain software that can infiltrate your device,” warned Dr Seneviratne.

“It is highly recommended that you don’t open email attachments from unknown sources. Even if you have the slightest doubt about an attachment, always verify with the senders. If you can’t find their number or details online, delete the email,” he said.

6. Research software and apps before installing

“Not all software and apps are secure. A high number of smartphone apps are counterfeit and riddled with nefarious software. Stick to the official app stores and read reviews before you install anything,” he said.

7. Be vigilant when it comes to phone scams

“Over $100 million has been lost to scams this year in Australia. Phone scams are a popular choice for scammers as they employ emotional tactics to lure their victims into giving up huge sums of money,” explained Dr Seneviratne.

“Never share any of your user credentials over the phone. Most of the legitimate providers don’t ask for your login credentials over the phone. So always remember, if you receive a phone call asking for information to fix a problem on your account, it’s probably a scam,” he said.

8. Update Smart TVs, WiFi routers, and other devices

“Did you know that even your smart TV or WiFi router can be a target for hackers and scammers? As a habit, log in regularly and perform routine check-ups,” said Dr Seneviratne.

“See whether there are pending software updates, change the passwords periodically, and check for any security notifications. It is very easy to set up these devices once and totally forget about them, but even they can be used by hackers to access your personal information or gain entry to your private networks,” he concluded.

Originally posted at https://www.sydney.edu.au/news-opinion/news/2019/10/11/how-to-stay-safe-online.html

Some cybersecurity apps could be worse for privacy than nothing at all

Apple has removed several security tools from the Mac app store after they were found to be collecting unnecessary personal data.

Suranga Seneviratne, University of Sydney

It’s been a busy few weeks for cybersecurity researchers and reporters. There was the Facebook hack, the Google plus data breach, and allegations that the Chinese government implanted spying chips in hardware components.

In the midst of all this, some other important news was overlooked. In early September, Apple removed several Trend Micro anti-malware tools from the Mac app store after they were found to be collecting unnecessary personal information from users, such as browser history. Trend Micro has now removed this function from the apps.

It’s a good reminder that not all security apps will make your online movements more secure – and, in some cases, they could be worse than doing nothing at all. It’s wise to do your due diligence before you download that ad-blocker or VPN – read on for some tips.

Security apps

There are a range of tools people use to protect themselves from cyber threats:

  • Virtual private networks (VPNs) allow you to establish a secure connection with a remote server and route all your traffic through it so it can’t be tracked by your internet service provider. VPNs are commonly used to access geo-blocked content, and for additional privacy.
  • Ad-blockers prevent advertisements from appearing on the websites you visit.
  • App-lockers allow you to set passwords for individual apps. This stops, for example, somebody who borrowed your phone to make a call from then opening your Facebook app.
  • Tor hides your identity while you browse the internet, by encrypting and moving your traffic across multiple Tor nodes.

Know the risks

There are multiple dangers in using these kinds of security software, especially without the proper background knowledge. The risks include:

Accessing unnecessary data

Many security tools request access to your personal information. In many cases, they need to do this to protect your device. For example, antivirus software requires information such as browser history, personal files, and unique identifiers to function. But in some cases, tools request more access than they need for functionality. This was the case with the Trend Micro apps.

Creating a false sense of security

It makes sense that if you download a security app, you believe your online data is more secure. But sometimes mobile security tools don’t provide security at the expected levels, or don’t provide the claimed services at all. If you think you can install a state-of-the-art mobile malware detection tool and then take risks online, you are mistaken.

For example, a 2017 study showed it was not hard to create malware that can bypass 95% of commercial Android antivirus tools. Another study showed that 18% of mobile VPN apps did not encrypt user traffic at all. And if you are using Tor, there are many mistakes you can make that will compromise your anonymity and privacy – especially if you are not familiar with the Tor setup and try to modify its configurations.

Lately, there have been reports of fake antivirus software, which open backdoors for spyware, ransomware and adware, occupying the top spots on the app charts. Earlier this year it was reported that 20 million Google Chrome users had downloaded fake ad-blocker extensions.

Software going rogue

Numerous free – or paid – security software is available in app stores created by enthusiastic individual developers or small companies. While this software can provide handy features, they can be poorly maintained. More importantly, they can be hijacked or bought by attackers, and then used to harvest personal information or propagate malware. This mainly happens in the case of browser extensions.

Know what you’re giving away

The table below shows what sort of personal data are being requested by the top-10 antivirus, app-locker and ad-blocking apps in the Android app store. As you can see, antivirus tools have access to almost all the data stored in the mobile phone.

That doesn’t necessarily mean any of these apps are doing anything bad, but it’s worth noting just how much personal information we are entrusting to these apps without knowing much about them.

How to be safer

Follow these pointers to do a better job of keeping your smart devices secure:

Consider whether you need a security app

If you stick to the official apps stores, install few apps, and browse only a routine set of websites, you probably don’t need extra security software. Instead, simply stick to the security guidelines provided by the manufacturer, be diligent about updating your operating system, and don’t click links from untrusted sources.

If you do, use antivirus software

But before you select one, read product descriptions and online reviews. Stick to solutions from well-known vendors. Find out what it does, and most importantly what it doesn’t do. Then read the permissions it requests and see whether they make sense. Once installed, update the software as required.

Be careful with other security tools

Only install other security tools, such as ad-blockers, app-lockers and VPN clients, if it is absolutely necessary and you trust the developer. The returns from such software can be minimal when compared with the associated risks.

Suranga Seneviratne, Lecturer – Security, University of Sydney

This article is republished from The Conversation under a Creative Commons license. Read the original article.