Login
Authored by Anuradha, Sakshi Jaiswal
In 2024, scams in India have continued to evolve, leveraging sophisticated methods and technology to exploit unsuspecting individuals. These fraudulent activities target people across demographics, causing financial losses and emotional distress. This blog highlights some of the most prevalent scams this year, how they operate, some real-world scenarios, tips to stay vigilant and what steps to be taken if you become a victim.
This blog covers the following scams:
Scam Tactics:
Fraudsters on WhatsApp employ deceptive tactics to steal personal information, financial data, or gain unauthorized access to accounts. Common tactics include:
Case 1: In the figure below, a user is being deceived by a message originating from the +244 country code, assigned to Angola. The message offers an unrealistic investment opportunity promising a high return in just four days, which is a common scam tactic. It uses pressure and informal language, along with a link for immediate action.
Case 2: In the figure below, a user is being deceived by a message originating from the +261 country code, assigned to Madagascar. The message claims that you have been hired and asks you to click a link to view the offer or contact the sender which is a scam.
Case 3: In the figure below, a user is being deceived by a message originating from the +91 country code, assigned to India. Scammers may contact you, posing as representatives of a legitimate company, offering a job opportunity. The recruiter offers an unrealistic daily income (INR 2000–8000) for vague tasks like searching keywords, which is suspicious. Despite requests, they fail to provide official company details or an email ID, raising credibility concerns. They also ask for personal information prematurely, a common red flag.
Case 4: In the figure below, a user is being deceived by a message originating from the +84 country code, assigned to Vietnam. The offer to earn money by watching a video for just a few seconds and providing a screenshot is a common tactic used by scammers to exploit individuals. They may use the link to gather personal information, or your action could lead to phishing attempts.
Case 5: In the figure below, a user is being misled by a message originating from the country codes +91, +963, and +27, corresponding to India, Syria, and South Africa, respectively. The message claims to offer a part-time job with a high salary for minimal work, which is a common tactic used by scammers to lure individuals. The use of popular names like “Amazon” and promises of easy money are red flags. The link provided might lead to phishing attempts or data theft. It’s important not to click on any links, share personal details, or respond to such unsolicited offers.
Case 6: The messages encourage you to post fake 5-star reviews for businesses in exchange for a small payment, which is unethical and often illegal. Scammers use such tactics to manipulate online ratings, and the provided links could lead to phishing sites or malware. Avoid engaging with these messages, clicking on the links, or participating in such activities.
How to Identify WhatsApp Scams:
Impact:
Prevention:
Scam Tactics:
How to Identify Instant Loan Scam:
Impact:
Prevention:
Voice-cloning scams use advanced AI technology to replicate the voices of familiar people, such as friends, family members, or colleagues, to manipulate victims into transferring money or providing sensitive information.
Scam Tactics:
How to Identify AI Voice-Cloning Scams:
Impact:
Prevention
Scam Tactics
Scammers use various methods to deceive victims into revealing credit card information or making unauthorized payments:
How to identify Credit card scam:
Impact:
Prevention:
Scam Tactics:
In fake delivery scams, fraudsters pose as delivery services to trick you into providing personal information, card details, or payment. Common tactics include:
How to Identify Fake Delivery Scams:
Impact:
Prevention:
Scam Tactics:
Scammers pose as police officers or government officials, accusing victims of being involved in illegal activities like money laundering or cybercrime. They intimidate victims by threatening arrest or legal action unless immediate payment is made to “resolve the matter.”
How to Identify Digital Arrest Scam:
Impact: Daily losses from such scams run into lakhs, as victims panic and transfer money or provide sensitive information under pressure.
Prevention:
What to Do if You Fall Victim
If you’ve fallen victim to any of the mentioned scams—Digital Arrest Scam, Instant Loan Scam, Voice Cloning Scam, WhatsApp Scam, Fake Delivery Scam or Credit Card Scam—it’s important to take immediate action to minimize damage and protect your finances and personal information. Here are common tips and steps to follow for all these scams:
Conclusion:
As scams in India continue to grow in number and sophistication, it is crucial to raise awareness to protect individuals and businesses from falling victim to these fraudulent schemes. Scams such as phishing, fake job offers, credit card scams, loan scams, investment frauds and online shopping frauds are increasingly targeting unsuspecting victims, causing significant financial loss and emotional harm.
By raising awareness of scam warning signs and encouraging vigilance, we can equip individuals to make safer, more informed decisions online. Simple precautions, such as verifying sources, being cautious of unsolicited offers, and safeguarding personal and financial information, can go a long way in preventing scams.
It is essential for both individuals and organizations to stay informed and updated on emerging scam tactics. Through continuous awareness and proactive security measures, we can reduce the impact of scams, ensuring a safer and more secure digital environment for everyone in India.
The post Rising Scams in India: Building Awareness and Prevention appeared first on McAfee Blog.
McAfee threat researchers have identified several consumer brands and product categories most frequently used by cybercriminals to trick consumers into clicking on malicious links in the first weeks of this holiday shopping season. As holiday excitement peaks and shoppers hunt for the perfect gifts and amazing deals, scammers are taking advantage of the buzz. The National Retail Federation projects holiday spending will reach between $979.5 and $989 billion this year, and cybercriminals are capitalizing by creating scams that mimic the trusted brands and categories consumers trust. From October 1 to November 12, 2024, McAfee safeguarded its customers from 624,346 malicious or suspicious URLs tied to popular consumer brand names – a clear indication that bad actors are exploiting trusted brand names to deceive holiday shoppers.
McAfee’s threat research also reveals a 33.82% spike in malicious URLs targeting consumers with these brands’ names in the run-up to Black Friday and Cyber Monday. This rise in fraudulent activity aligns with holiday shopping patterns during a time when consumers may be more susceptible to clicking on offers from well-known brands like Apple, Yeezy, and Louis Vuitton, especially when deals seem too good to be true – pointing to the need for consumers to stay vigilant, especially with offers that seem unusually generous or come from unverified sources.
McAfee threat researchers have identified a surge in counterfeit sites and phishing scams that use popular luxury brands and tech products to lure consumers into “deals” on fake e-commerce sites designed to appear as official brand pages. While footwear and handbags were identified as the top two product categories exploited by cybercrooks during this festive time, the list of most exploited brands extends beyond those borders:
By mimicking trusted brands like these, offering unbelievable deals, or posing as legitimate customer service channels, cybercrooks create convincing traps designed to steal personal information or money. Here are some of the most common tactics scammers are using this holiday season:
With holiday shopping in full swing, it’s essential for consumers to stay one step ahead of scammers. By understanding the tactics cybercriminals use and taking a few precautionary measures, shoppers can protect themselves from falling victim to fraud. Here are some practical tips for safe shopping this season:
McAfee’s threat research team analyzed malicious or suspicious URLs that McAfee’s web reputation technology identified as targeting customers, by using a list of key company and product brand names—based on insights from a Potter Clarkson report on frequently faked brands—to query the URLs. This methodology captures instances where users either clicked on or were directed to dangerous sites mimicking trusted brands. Additionally, the team queried anonymized user activity from October 1st through November 12th.
The image below is a screenshot of a fake / malicious / scam site: Yeezy is a popular product brand formerly from Adidas found in multiple Malicious/Suspicious URLs. Often, they present themselves as official Yeezy and/or Adidas shopping sites.
The image below is a screenshot of a fake / malicious / scam site: The Apple brand was a popular target for scammers. Many sites were either knock offs, scams, or in this case, a fake customer service page designed to lure users into a scam.
The image below is a screenshot of a fake / malicious / scam site: This particular (fake) Apple sales site used Apple within its URL and name to appear more official. Oddly, this site also sells Samsung Android phones.
The image below is a screenshot of a fake / malicious / scam site: This site, now taken down, is a scam site purporting to sell Nike shoes.
The image below is a screenshot of a fake / malicious / scam site: Louis Vuitton is a popular brand for counterfeit and scams. Particularly their handbags. Here is one site that was entirely focused on Louis Vuitton Handbags.
The image below is a screenshot of a fake / malicious / scam site: This site presents itself as the official Louis Vuitton site selling handbags and clothes.
The image below is a screenshot of a fake / malicious / scam site: This site uses too-good-to-be-true deals on branded items including this Louis Vuitton Bomber jacket.
The image below is a screenshot of a fake / malicious / scam site: Rolex is a popular watch brand for counterfeits and scams. This site acknowledges it sells counterfeits and makes no effort to indicate this on the product.
The post This Holiday Season, Watch Out for These Cyber-Grinch Tricks Used to Scam Holiday Shoppers appeared first on McAfee Blog.
Two-step verification, two-factor authentication, multi-factor authentication…whatever your social media platform calls it, it’s an excellent way to protect your accounts.
There’s a good chance you’re already using multi-factor verification with your other accounts — for your bank, your finances, your credit card, and any number of things. The way it requires an extra one-time code in addition to your login and password makes life far tougher for hackers.
It’s increasingly common to see nowadays, where all manner of online services only allow access to your accounts after you’ve provided a one-time passcode sent to your email or smartphone. That’s where two-step verification comes in. You get sent a code as part of your usual login process (usually a six-digit number), and then you enter that along with your username and password.
Some online services also offer the option to use an authenticator app, which sends the code to a secure app rather than via email or your smartphone. Authenticator apps work much in the same way, yet they offer three unique features:
Google, Microsoft, and others offer authenticator apps if you want to go that route. You can get a good list of options by checking out the “editor’s picks” at your app store or in trusted tech publications.
Whichever form of authentication you use, always keep that secure code to yourself. It’s yours and yours alone. Anyone who asks for that code, say someone masquerading as a customer service rep, is trying to scam you. With that code, and your username/password combo, they can get into your account.
Passwords and two-step verification work hand-in-hand to keep you safer. Yet not any old password will do. You’ll want a strong, unique password. Here’s how that breaks down:
Now, with strong passwords in place, you can get to setting up multi-factor verification on your social media accounts.
When you set up two-factor authentication on Facebook, you’ll be asked to choose one of three security methods:
And here’s a link to the company’s full walkthrough: https://www.facebook.com/help/148233965247823
When you set up two-factor authentication on Instagram, you’ll be asked to choose one of three security methods: an authentication app, text message, or WhatsApp.
And here’s a link to the company’s full walkthrough: https://help.instagram.com/566810106808145
And here’s a link to the company’s full walkthrough: https://faq.whatsapp.com/1920866721452534
And here’s a link to the company’s full walkthrough: https://support.google.com/accounts/answer/185839?hl=en&co=GENIE.Platform%3DDesktop
1. TapProfileat the bottom of the screen.
2. Tap the Menu button at the top.
3. Tap Settings and Privacy, then Security.
4. Tap 2-step verification and choose at least two verification methods: SMS (text), email, and authenticator app.
5. Tap Turn on to confirm.
And here’s a link to the company’s full walkthrough: https://support.tiktok.com/en/account-and-privacy/personalized-ads-and-data/how-your-phone-number-is-used-on-tiktok
The post How to Protect Your Social Media Passwords with Multi-factor Verification appeared first on McAfee Blog.
So, what does your phone know about you? Taken all together it knows plenty — sometimes in ways that feel like your phone is watching you.
It all comes down to the data that courses through your phone and your apps, along with a phone’s built-in tracking capabilities. Indeed, your phone certainly knows plenty about you. And companies keep tabs on that. Here’s how…
The apps on our phones entertain us, inform us, and help us shop. Many of them also track our activities and location — and then sell or share that info with third parties. From there, that info can end up with data brokers who sell that info to anyone who’ll pay. That includes advertisers, spammers, insurance companies, hackers, law enforcement, private investigators, and so on. It’s all legal, and it’s all part of a multi-billion-dollar industry worldwide.
Still, you can take charge of your privacy amidst all this data and info gathering. Several steps can reduce what your phone collects and shares with others.
For starters, though, let’s look at several of the things your phone knows about you.
Unless you’ve turned it off completely, your phone can track you in several ways with several degrees of accuracy:
GPS: The Global Positioning System, or GPS as many of us know it, is a system of satellites run by the U.S. government for navigation purposes. First designed for national defense, the system became available for public use in the 1980s. It’s highly accurate, to anywhere between nine to 30 feet depending on conditions and technology used, making it one of the strongest tools for determining a phone’s location. This is what powers location services on cell phones, and thus can help an app recommend a great burger joint nearby.
Cell towers: Cell phone providers can track a phone’s location by the distance it is to various cell phone towers and by the strength of its signal. The location info this method provides is a bit coarser than GPS, providing results that can place a phone within 150 feet. It’s most accurate in urban areas with high densities of cell phone towers, although it does not always work well indoors as some buildings can weaken or block cell phone signals.
One of the most significant public benefits of this method is that it automatically routes emergency service calls (like 911 in the U.S.) to the proper local authorities without any guesswork from the caller.
Public Wi-Fi: Larger tech companies and internet providers will sometimes provide free public Wi-Fi hotspots that people can tap into at airports, restaurants, coffeehouses, and such. It’s a nice convenience, but connecting to their Wi-Fi might share a phone’s MAC address, a unique identifier for connected devices, along with other identifiers on the smartphone.
Taken together, this can allow the Wi-Fi hosting company to gather location and behavioral data while you use your phone on their Wi-Fi network.
Bluetooth: Like with public Wi-Fi, companies can use strategically placed Bluetooth devices to gather location info as well. If Bluetooth is enabled on a phone, it will periodically seek out Bluetooth-enabled devices to connect to while the phone is awake. This way, a Bluetooth receiver can then capture that phone’s unique MAC address. This provides highly exact location info to within just a few feet because of Bluetooth’s short broadcast range.
In the past, we’ve seen retailers use this method to track customers in their physical stores to better understand their shopping habits. However, newer phones often create dummy MAC addresses when they seek out Bluetooth connections, which helps thwart this practice.
Certain apps pair location info with other info they collect while you use that app. In some cases, an app shares that precise combination of info with third parties. (It all depends on the terms in the user agreement you accepted once you installed it.)
What does that look like in the real world? Third parties might know:
Those are just a few examples of many.
Just to emphasize what we said above, not every app sells shares or sells your info to third parties. However, that gets into the complicated nature of user agreements. The language that covers what’s collected, for what reasons, what’s done with it, and who it’s shared can be tough to tease out because it’s often written in some form of legalese.
Broadly though, apps need to request permission to access location tracking services. In the past, we’ve seen some sketchy apps request location permissions even though they have no reason to. Examples include coupon apps, wallpaper apps, productivity apps, and plenty of games too. When apps like those ask for permission to access location tracking services, raises a red flag that your privacy is in jeopardy.
Depending on what apps and services you use, your phone might know a lot about your health. That can include range of info, as apps can track things like step counts, vital signs, and menstrual cycles. Other apps manage health conditions or work as symptom checkers. In all, this data can get very private. Unfortunately, sometimes that data winds up in the hands of third parties.
With that, we’ve seen cases where people’s medical info was shared without their knowledge by medical apps and services.
In April 2024, The U.S. Federal Trade Commission (FTC) ruled against an online mental health service that “disclosed consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes…”[i] Also according to the complaint, the company gave third parties personal data about its users including names, medical and prescription histories, pharmacy and health insurance info, and other health info.
Also in April 2024, U.S. healthcare provider Kaiser Permanente disclosed that more than 13 million people had some of their personal data shared by third parties via tracking technologies on its websites and apps. Companies such as Microsoft (Bing), Google, and X (Twitter) were all named.[ii] That info possibly included how people interacted with and navigated through their website or mobile app, along with search terms used in Kaiser’s health encyclopedia.
So, is someone on the other end of your smartphone listening to your recordings when you use Siri or Google Assistant? Possibly, yes. Companies make constant improvements to their devices and services, which may include the review of commands from users to make sure they are interpreted correctly. There are typically two types of review — machine and human. As the names suggest, a machine review is a digital analysis. Human reviews entail someone listening to and evaluating a recorded command or reading and evaluating a transcript of a written command.
However, several manufacturers let you opt out of those reviews. In fact, you’ll find that they post a fair share of articles about this collection and review process, along with your choices for opting in or out as you wish:
Turn off your phone or switch to Airplane Mode. Disconnect. Without a Wi-Fi or data connection, you can’t get tracked. While this makes you unreachable, it also makes you untraceable, which you might want to consider if you’d rather keep your whereabouts and travels to yourself for periods of time.
Turn off location services altogether. As noted above, your smartphone can get tracked by other means, yet disabling location services in your phone settings shuts down a primary avenue of location data collection. Note that your maps apps won’t offer directions, and your restaurant app won’t point you toward that tasty burger when location services are off, but you’ll be more private than with them turned on.
Provide permissions on an app-by-app basis. Another option is to go into your phone settings and enable location services for specific apps in specific cases. For example, you can set your map app to enable location services only while in use. For other apps, you can disable location services entirely. Yet another option is to have the app ask for permissions each time. Note that this is a great way to discover if apps have defaulted to using location services without your knowledge when you installed them.
On an iPhone, you can find this in Settings -> Privacy & Security -> Location Services. On an Android, go to Settings -> Locations -> App Locations Permissions.
Turn off app tracking. As you’ve seen, some apps will ask to track your activity and potentially share it with data brokers and other third parties. You can halt this by turning off app tracking. On an iPhone, go to Settings -> Privacy & Security -> Tracking and disable “Allow Apps to Request to Track.” On an Android phone, go to Settings -> Privacy and Security, then turn on “Do Not Track.”
And just as you can with location services, you can set apps to make tracking requests on an app-by-app basis. You’ll see it on the same screen that has the global “Do Not Track” option.
Opt yourself out of cell phone carrier ad programs. Different cell phone carriers have different user agreements, yet some might allow the carrier to share insights about you with third parties based on browsing and usage history. Opting out of these programs might not stop your cell phone carrier from collecting data about you, but it might prevent it from sharing insights about you with others.
To see if you take part in one of these programs, log into your account portal or app. Look for settings around “relevant advertising,” “custom experience,” or even “advertising,” and then figure out if these programs are worth it.
Delete old apps. And be choosy about new ones. Fewer apps mean fewer avenues of potential data collection. If you have old, unused apps, consider deleting them, along with the accounts and data associated with them. Our Online Account Cleanup Online Account Cleanup can make quick work of it. It scans for accounts you no longer use, shows how risky they are, and helps you delete them, along with your personal info. In all, breaches and leaks are a numbers game. The fewer you keep, the better, when it comes to protecting your personal info.
Remove your info from data broker sites. As we’ve seen, the personal info on your smartphone can wind up on data broker sites. And they’ll sell it to practically anyone. Our Personal Data Cleanup can help you remove your personal info from several of the sketchiest brokers out there. Running it periodically can help keep your info off those sites if it crops up again.
[i] https://www.ftc.gov/news-events/news/press-releases/2024/04/proposed-ftc-order-will-prohibit-telehealth-firm-cerebral-using-or-disclosing-sensitive-data?utm_source=govdelivery
[ii] https://www.hipaajournal.com/kaiser-permanente-website-tracker-breach-affects-13-4-million-individuals/
The post Every Step You Take, Every Call You Make: Is Your Phone Tracking You? appeared first on McAfee Blog.
With its built-in location services, your smartphone can point you to plenty of places. To the location of your vacation rental. To the quickest route around a traffic jam. And to a tasty burger. It’s a tremendous convenience. Yet, there’s a flip side. Your smartphone also tracks your location. Getting to know how your phone tracks you and how you can limit that tracking can make you far more private online.
The basic privacy issue with location services is this: many companies use your activities and apps as a way of gathering info on you. They might collect that info for their own purposes, and they might sell that info to third parties.
As to why some companies do that, the answer typically boils down to a handful of things. They will:
So, it’s a bit of a tradeoff. You might use an app to show you the closest Indian restaurant to your hotel — but depending on the user agreement for that app, the company behind it might collect your info for their own financial gain.
We can boil that down yet further. Sometimes what you gain in convenience you lose in privacy.
Let’s look at how smartphones track your movements and follow that up with ways you can limit that tracking.
Unless you’ve turned it off completely, your phone can track you in several ways with several degrees of accuracy:
GPS: The Global Positioning System, or GPS as many of us know it, is a system of satellites operated by the U.S. government for navigation purposes. First designed for national defense, the system became available for public use in the 1980s. It’s highly accurate, to anywhere between nine to 30 feet depending on conditions and technology used, making it one of the strongest tools for determining a phone’s location. This is what powers location services on cell phones, and thus can help an app recommend a great burger joint nearby.
Cell towers: Cell phone providers can track a phone’s location by the distance it is to various cell phone towers and by the strength of its signal. The location info this method provides is a bit coarser than GPS, providing results that can place a phone within 150 feet. It’s most accurate in urban areas with high densities of cell phone towers, although it does not always work well indoors as some buildings can weaken or block cell phone signals.
One of the most significant public benefits of this method is that it automatically routes emergency services calls (like 911 in the U.S.) to the proper local authorities without any guesswork from the caller.
Public Wi-Fi: Larger tech companies and internet providers will sometimes provide free public Wi-Fi hotspots that people can tap into at airports, restaurants, coffeehouses, and such. It’s a nice convenience, but connecting to their Wi-Fi might share a phone’s MAC address, a unique identifier for connected devices, along with other identifiers on the smartphone.
Taken together, this can allow the Wi-Fi hosting company to gather location and behavioral data while you use your phone on their Wi-Fi network.
Bluetooth: Like with public Wi-Fi, companies can use strategically placed Bluetooth devices to gather location info as well. If Bluetooth is enabled on a phone, it will periodically seek out Bluetooth-enabled devices to connect to while the phone is awake. This way, a Bluetooth receiver can then capture that phone’s unique MAC address. This provides highly accurate location info to within just a few feet because of Bluetooth’s short broadcast range.
In the past, we’ve seen retailers use this method to track customers in their physical stores to better understand their shopping habits. However, newer phones often create dummy MAC addresses when they seek out Bluetooth connections, which helps thwart this practice.
So, just to emphasize what we said above, not every app sells shares or sells your info to third parties. However, that gets into the complicated nature of user agreements. The language that covers what’s collected, for what reasons, what’s done with it, and who it’s shared with often finds itself buried in a wall of legalese.
Ultimately, it’s up to you to determine what your comfort level is in any kind of convenience in exchange for a loss of privacy. Everyone has their own comfort levels.
With that, you can take several steps to limit tracking on your smartphone to various degrees — and boost your privacy to various degrees as a result:
Turn off your phone or switch to Airplane Mode. Disconnect. Without a Wi-Fi or data connection, you can’t get tracked. While this makes you unreachable, it also makes you untraceable, which you might want to consider if you’d rather keep your whereabouts and travels to yourself for periods of time.
Turn off location services altogether. As noted above, your smartphone can get tracked by other means, yet disabling location services in your phone settings shuts down a primary avenue of location data collection. Note that your maps apps won’t offer directions and your restaurant app won’t point you toward that tasty burger when location services are off, but you’ll be more private than with them turned on.
Provide permissions on an app-by-app basis. Another option is to go into your phone settings and enable location services for specific apps in specific cases. For example, you can set your map app to enable location services only while in use. For other apps, you can disable location services entirely. Yet another option is to have the app ask for permissions each time. Note that this is a great way to discover if apps have defaulted to using location services without your knowledge when you installed them.
On an iPhone, you can find this in Settings -> Privacy & Security -> Location Services. On an Android, go to Settings -> Locations -> App Locations Permissions.
Delete old apps. And be choosy about new ones. Fewer apps mean fewer avenues of potential data collection. If you have old, unused apps, consider deleting them, along with the accounts and data associated with them.
Use a VPN. A VPN can make your time online more private and more secure by obscuring things like your IP address and by preventing snoops from monitoring your activity.
Turn off app tracking. As you’ve seen, some apps will ask to track your activity and potentially share it with data brokers and other third parties. You can halt this by turning off app tracking. On an iPhone, go to Settings -> Privacy & Security -> Tracking and disable “Allow Apps to Request to Track.” On an Android phone, go to Settings -> Privacy and Security, then turn on “Do Not Track.”
And just as you can with location services, you can set apps to make tracking requests on an app-by-app basis. You’ll see it on the same screen that has the global “Do Not Track” option.
Opt yourself out of cell phone carrier ad programs. Different cell phone carriers have different user agreements, yet some might allow the carrier to share insights about you with third parties based on browsing and usage history. Opting out of these programs might not stop your cell phone carrier from collecting data about you, but it might prevent it from sharing insights about you with others.
To see if you participate in one of these programs, log into your account portal or app. Look for settings around “relevant advertising,” “custom experience,” or even “advertising,” and then determine if these programs are of worth to you.
The post Location, Location, Location: Three Reasons It Matters for Your Smartphone appeared first on McAfee Blog.
What is malware? A dictionary-like definition is “malicious software that attacks computers, smartphones, and other connected devices.”
In fact, “malware” is a mash-up of “malicious software.” It describes any type of software or code specifically designed to exploit a connected device or network without consent. And, unsurprisingly, hackers design most of it for financial gain.
Think of malware as an umbrella term that covers an entire host of “bad stuff,” such as:
Spyware that tracks activity, like what you type and where you type it. (Think snooping on your bank account logins.
Ransomware that holds devices or the data on them hostage, that hackers only release for a price. (And even so, payment is no guarantee you’ll get back your access.)
Adware that serves up spammy ads on your device. (The hacker gets paid for the number of “impressions” the ads have. The more they show up on people’s devices, the more they get paid.)
Botnet software, that hijacks a device into a remote-controlled network of other devices. (These networks are used to shut down websites or even shut down large portions of the internet, just to mention two of the things they can do.)
Rootkit that attacks that give hackers remote-control access to a device. (And with that control, they can wage all manner of attacks — on the device and on other devices too.)
Viruses that modify the way a device and its apps function. Also, they can effectively bring a device or network to a grinding halt. (Yes, viruses are a subset of malware. They can copy, delete, and steal data, among other things.)
You might know malware by its more commonly used name — viruses.
There’s a pretty good reason why people commonly refer to malware as a “virus.” Viruses have been on our collective minds for some time.
Viruses have a long history. You could call it “the original malware.” And depending on how you define what a virus is, the first one took root in 1971 — more than 50 years ago. It was known as Creeper, and rather than being malicious in nature, the creator designed it to show how a self-replicating program could spot other devices on a network, transfer itself to them, and find yet more devices to repeat the process. Later, the same programmer who created a refined version of Creeper developed Reaper, a program that could remove the Creeper program. In a way, Reaper could be considered the first piece of antivirus software.[i]
From there, it wasn’t until the 1980s that malware started affecting the broader population, a time when computers became more commonplace in businesses and people’s homes.
At first, malware typically spread by infected floppy disks, much like the “Brain” virus in 1986. While recognized today as the first large-scale computer virus, its authors say they never intended it to work that way. Rather, they say they created Brain as an anti-piracy measure to protect their proprietary software from theft. However, Brain got loose. It went beyond their software and affected computers worldwide. Although not malicious or destructive in nature, Brain most certainly put the industry, businesses, and consumers on notice. Computer viruses were a thing.[ii]
Another piece of malware that got passed along via floppy disks was the “PC Cyborg” attack that targeted the medical research community in and around 1989. There, the malware would lie in wait until the user rebooted their computer for the 90th time and was presented with a digital ransom note.[iii]
An early example of ransomware – Source, Wikipedia
Upon that 90th boot, PC Cyborg encrypted the computer’s files, which would only get unencrypted if the victim paid a fee, making it the first documented form of ransomware.
Shortly thereafter, the internet started connecting computers, which opened millions of doors for hackers as people went online. Among the most noteworthy was 1999’s “Melissa” virus, which spread by way of infected email attachments and overloaded hundreds of corporate and governmental email servers worldwide.
It was quickly followed in 2000 by what’s considered among the most damaging malware to date — ILOVEYOU, which also spread by way of an attachment, this one posing as a love letter. Specifically, it was a self-replicating worm that installed itself on the victim’s computer where it destroyed some info and stole other info, then spread to other computers. One estimate put the global cost of ILOVEYOU at $10 billion. It further speculated that it infected 10% of the world’s internet-connected computers at the time.[iv]
With that history, it’s no surprise that anti-malware software is commonly called “antivirus.”
Antivirus forms a major cornerstone of online protection software. It protects your devices against malware through a combination of prevention, detection, and removal. Our antivirus uses AI to detect the absolute latest threats — and has for several years now.
Today, McAfee registers more than a million new malicious programs and potentially unwanted apps (PUA) each day, which contributes to the millions and millions already in existence. Now with the arrival of AI-powered coding tools, hackers can create new strains at rates unseen before.
That’s another reason why we use AI in our antivirus software. We use AI to protect against AI-created malware. It does so in three ways:
Once again, it’s important to remind ourselves that today’s malware is created largely for profit. Hackers use it to gain personal and financial info, either for their own purposes or to sell it for profit. The files you have stored on your devices have a street value. That includes tax returns, financial docs, payment info, and so on. Moreover, when you consider all the important things you keep on your devices, like your photos and documents, those have value too. Should you get caught up in a ransomware attack, a hacker puts a price tag on them for their return.
Needless to say, and you likely know this already, antivirus is essential for you and your devices.
You’ll find our AI-powered antivirus in all our McAfee+ plans. Better yet, our plans have dozens of protections that block the ways hackers distribute malware. To name just a few, our Text Scam Detector blocks links to suspicious sites that host malware and other attacks — and our Web Protection does the same for your browser. It also includes our industry-first online protection score that shows you just how safe you are, along with suggestions that can make you safer still. Together, our McAfee+ plans offer more than just antivirus. They protect your devices, your privacy, and your identity overall.
[i] https://www.historyofinformation.com/detail.php?entryid=2860
[ii] https://www.historyofinformation.com/detail.php?id=1676
[iii] https://www.theatlantic.com/technology/archive/2016/05/the-computer-virus-that-haunted-early-aids-researchers/481965/
[iv] https://www.forbes.com/sites/daveywinder/2020/05/04/this-20-year-old-virus-infected-50-million-windows-computers-in-10-days-why-the-iloveyou-pandemic-matters-in-2020
The post What is Malware? appeared first on McAfee Blog.
In my world of middle-aged mums (mams), Instagram is by far the most popular social media platform. While many of us still have Facebook, Instagram is where it all happens: messaging, sharing, and yes, of course – shopping!! So, when one of my gal pals discovers that her Instagram account has been hacked, there is understandably a lot of panic!
Believe it or not, Facebook is still hanging onto the top spot as the most popular social media platform with just over 3 billion active monthly users, according to Statista. YouTube comes in 2nd place with 2.5 billion users. Instagram and WhatsApp tie in 3rd place with 2 billion users each. Interestingly, TikTok has 1.5 billion users and is in 4th place – but watch this space, I say!
Despite Facebook having the most monthly users, it isn’t where the personal conversations and engagement take place. That’s Instagram’s sweet spot. Instagram messaging is where links are shared and real personal interaction occurs. In fact, a new report shows that Instagram accounts are targeted more than any other online account and makeup just over a quarter of all social media hacks. So, it makes sense why hackers would expend considerable energy in trying to hack Instagram accounts. They’ll have a much greater chance of success if they use a platform where there is an appetite and trust for sharing links and personal conversations.
But why do they want to get their hands on your account? Well, they may want to steal your personal information, scam your loyal followers by impersonating you, sell your username on the black market or even demand ransoms! Hacking Instagram is big business for professional scammers!!
So, you reach for your phone early one morning to do a quick scroll on Instagram before you start the day, but you can’t seem to log on. Mmmmm. You then see some texts from friends checking whether you have in fact become a cryptocurrency expert overnight. OK – something’s off. You then notice an email from Instagram notifying you that the email linked to your account has been changed. Looks like you’ve been hacked! But please don’t spend any time stressing. The most important thing is to take action ASAP as the longer hackers have access to your account, the greater the chance they can infiltrate your life and create chaos.
The good news is that if you act quickly and strategically, you may be able to get your account back. Here is what I suggest you do – fast!:
1. Change Your Password & Check Your Account
If you are still able to log in to your account then change your password immediately. And ensure it is a password you haven’t used anywhere else. Then do a quick audit of your account and fix any changes the hacker may have made eg remove access to any device you don’t recognise, any apps you didn’t install, and delete any email addresses that aren’t yours.
Next, turn on two-factor authentication (2FA) to make it harder for the hacker to get back into your account. This will take you less than a minute and is absolutely critical. Instagram will give you the option to receive the login code either via text message or via an authentication app. I always recommend the app in case you ever lose control of your phone.
But, if you are locked out of your account then move on to step 2.
2. Locate The Email From Instagram
Every time there is a change to your account details or some new login activity, Instagram will automatically send a message to the email address linked with the account
But there’s good news here. The email from Instagram will ask you if you in fact made the changes and will provide a link to secure your account in case it wasn’t you. Click on this link!! If you can access your account this way, immediately check that the only linked email address and recovery phone number are yours and delete anything that isn’t yours. Then change your password.
But if you’ve had no luck with this step, move on to step 3.
3. Request a Log-In Link
You can also ask Instagram to email or text you a login link. On an iPhone, you just need to select ‘forgot password?’ and on your Android phone, tap ‘get help logging in’. You will need to enter the username, email address, and phone number linked to your account.
No luck? Keep going…
4. Request a Security Code
If the login link won’t get you back in, the next step is to request a security code. Simply enter the username, email address, or phone number associated with your account, then tap on “Need more help?” Select your email address or phone number, then tap “Send security code” and follow the instructions.
5. Video Selfie
If you have exhausted all of these options and you’ve had no luck then chances are you have found your way to the Instagram Support Team. If you haven’t, simply click on the link and it will take you there. Now, if your hacked account contained pictures of you then you might just be in luck! The Support Team may ask you to take a video selfie to confirm who you are and that in fact you are a real person! This process can take a few business days. If you pass the test, you’ll be sent a link to reset your password.
So, you’ve got your Instagram account back – well done! But wouldn’t it be good to avoid all that stress again? Here are my top tips to make it hard for those hackers to take control of your Insta.
1. It’s All About Passwords
I have no doubt you’ve heard this before but it’s essential, I promise! Ensuring you have a complex and unique password for your Instagram account (and all your online accounts) is THE best way of keeping the hackers at bay. And if you’re serious about this you need to get yourself a password manager that can create (and remember) crazily complex and random passwords that are beyond any human ability to create. Check out McAfee’s TrueKey – a complete no-brainer!
2. Turn on Multifactor Authentication (MFA)
Multi-factor authentication adds another layer of security to your account making it that much harder for a hacker to get in. It takes minutes to set up and is essential if you’re serious about protecting yourself. It simply involves using a code to log in, in addition to your password. You can choose to receive the code via a text message or an authenticator app – always choose the app!
3. Choose How To Receive Login Alerts
Acting fast is the name of the game here so ensure your account is set up with your best contact details, so you receive login alerts ASAP. This can be the difference between salvaging your account and not. Ensure the alerts will be sent to where you are most likely to see them first so you can take action straight away!
4. Audit Any Third-Party Apps
Third-party apps that you have connected to your account could potentially be a security risk. So, only ever give third-party apps permission to access your account when absolutely necessary. I suggest taking a few minutes to disconnect any apps you no longer require to keep your private data as secure as possible.
Believe it or not, Instagram is not just an arena for middle-aged mums! I can guarantee that your teens will be on there too. So, next time you’re sharing a family dinner, why not tell them what you’re doing to prevent yourself from getting hacked? And if you’re not convinced they are listening? Perhaps remind them just how devastating it would be to lose access to their pics and their people. I am sure that might just work.
Till next time
Stay safe online!
Alex
The post My Instagram Has Been Hacked – What Do I Do Now? appeared first on McAfee Blog.
All day long, it’s almost always within arm’s reach. Your smartphone. And we rely on it plenty. That makes securing your phone so important. Good thing that some of the best tips for making your phone safer are also some of the easiest.
Here’s a quick rundown:
1. Lock your phone.
Locking your phone is one of the most basic smartphone security measures you can take. Trouble is, few of us do it. Our recent global research showed that only 56% of adults said that they protect their smartphone with a password, passcode, or other form of lock.[i] In effect, an unlocked phone is an open book to anyone who finds or steals a phone.
Setting up a lock screen is easy. It’s a simple feature found on iOS and Android devices. iPhones and Androids have an auto-lock feature that locks your phone after a certain period of inactivity. Keep this time on the low end, one minute or less, to help prevent unauthorized access.
We suggest using a six-digit PIN or passcode rather than using a gesture to unlock your phone. They’re more complex and secure. Researchers proved as much with a little “shoulder surfing” test. They looked at how well one group of subjects could unlock a phone after observing the way another group of subjects unlocked it.[ii]
2. Turn on “Find My Phone.”
Another powerful tool you have at your disposal is the Find My Phone feature made possible thanks to GPS technology. The “find my” feature can help you pinpoint your phone if your lost or stolen phone has an active data or Wi-Fi connection and has its GPS location services enabled. Even if the phone gets powered down or loses connection, it can guide you to its last known location.
Setting up this feature is easy. Apple offers a comprehensive web page on how to enable and use their “Find My” feature for phones (and other devices too). Android users can get a step-by-step walkthrough on Google’s Android support page as well.
3. Learn how to remotely track, lock or erase your phone.
In the event of your phone getting lost or stolen, a combination of device tracking, device locking, and remote erasing can help protect your phone and the data on it.
Different device manufacturers have different ways of going about it. But the result is the same — you can prevent others from using your phone, and even erase it if you’re truly worried that it’s in the wrong hands or gone for good. Apple provides iOS users with a step-by-step guide, and Google offers up a guide for Android users as well.
4. Back up your stuff in the cloud.
Thanks to cloud storage, you might be able to recover your photos, files, apps, notes, contact info, and more if your phone is lost or stolen. Android owners can learn how to set up cloud backup with Google Drive here, and iPhone users can learn the same for iCloud here.
5. Update your phone’s operating system and apps.
Keep your phone’s operating system up to date. Updates can fix vulnerabilities that hackers rely on to pull off their malware-based attacks — it’s another tried-and-true method of keeping yourself safer and your phone running great too.
The same goes for the apps on your phone. Ideally, set them up to update automatically so that you don’t have to take extra time to do it yourself. Also, look for opportunities to delete old apps and any data linked with them. Fewer apps on your phone means fewer vulnerabilities. And less data in fewer places can reduce your exposure to data breaches.
6. Stick with official app stores.
Legitimate app stores like Google Play and Apple’s App Store have measures in place that help ensure that apps are safe and secure. And for the malicious apps that sneak past these processes, Google and Apple are quick to remove them once discovered, making their stores that much safer. Meanwhile, third-party app stores might not have these measures in place. Further, they might be a front for hackers looking to spread mobile malware through malicious apps.
7. Go with a strong app recommendation.
Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.
That’s not to say that you should overlook user reviews. Certainly, legitimate reviews can be a big help. Look closely at the listing, though. Check out the developer’s track record. Have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps may have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.
8. Keep an eye on app permissions.
Another way hackers weasel their way into your device is by getting permissions to access things like your location, contacts, and photos — and they’ll use sketchy apps to do it. So check and see what permissions the app is requesting. If it’s asking for way more than you bargained for, like a simple game wanting access to your camera or microphone, it might be a scam.
Delete the app and find a legitimate one that doesn’t ask for invasive permissions. If you’re curious about permissions for apps that are already on your phone, iPhone users can learn how to allow or revoke app permission here, and Android can do the same here.
9. Spot scam texts and their bad links.
Scam texts seem like an unfortunate fact of life. Scammers can blast thousands of phones with texts that contain links to phishing sites and to others that host malware. Our Text Scam Detector puts a stop to scams before you click — detecting any suspicious links and sending you an alert. And if you accidentally tap that bad link, it can still block the site for you.
10. Protect your smartphone with security software.
With all that we do on our phones, it’s important to get security software installed on them, just like we install it on our computers and laptops. Whether you go with comprehensive online protection software that secures all your devices or pick up an app in Google Play or Apple’s App Store, you’ll have malware, web, and device security that’ll help you stay safe on your phone.
[i] https://www.mcafee.com/content/dam/consumer/en-us/docs/reports/rp-connected-family-study-2022-global.pdf
[ii] https://arxiv.org/abs/1709.04959
The post 10 Quick Tips for Mobile Security appeared first on McAfee Blog.
Scary movies are great. Scary mobile threats, not so much.
Ghosts, killer clowns, and the creatures can stir up all sorts of heebie-jeebies. The fun kind. Yet mobile threats like spyware, living dead apps, and botnets can conjure up all kinds of trouble.
Let’s get a rundown on the top mobile threats — then look at how you can banish them from your phone.
“I Know What You Did Because of Spyware”
Spyware is a type of malware that lurks in the shadows of your trusted device, collecting information around your browsing habits, personal information and more. Your private information is then sent to third parties, without your knowledge. Spooky stuff.
“Dawn of the Dead Apps”
Think haunted graveyards only exist in horror movies? Think again! Old apps lying dormant on your phones are like app graveyards, Many of these older apps may no longer be supported by Google or Apple stores. Lying there un-updated, these apps might harbor vulnerabilities. And that can infect your device with malware or leak your data to a third party.
“Bone Chilling Botnets”
Think “Invasion of the Body Snatchers,” but on your mobile device. What is a botnet you ask? When malware infiltrates a mobile device (like through a sketchy app) the device becomes a “bot.” This bot becomes one in an army of thousands of infected internet-connected devices. From there, they spread viruses, generate spam, and commit sorts of cybercrime. Most mobile device users aren’t even aware that their gadgets are compromised, which is why protecting your device before an attack is so important.
“Malicious Click or Treat”
Clicking links and mobile devices go together like Frankenstein and his bride. Which is why ad and click fraud through mobile devices is becoming more prevalent for cybercriminals. Whether through a phishing campaign or malicious apps, hackers can gain access to your device and your private information. Always remember to click with caution.
“IoT Follows”
The Internet of Things (IoT) has quickly become a staple in our everyday lives, and hackers are always ready to target easy prey. Most IoT devices connect to mobile devices, so if a hacker can gain access to your smartphone, they can infiltrate your connected devices as well. Or vice versa.
1) Avoid third-party app stores. Unlike Google Play and Apple’s App Store, which have measures in place to review and vet apps to help ensure that they are safe and secure, third-party sites may very well not. Further, some third-party sites may intentionally host malicious apps as part of a broader scam.
Granted, hackers have found ways to work around Google and Apple’s review process, yet the chances of downloading a safe app from them are far greater than anywhere else. Further, both Google and Apple are quick to remove malicious apps once discovered, making their stores that much safer.
2) Review with a critical eye. As with so many attacks, hackers rely on people clicking links or tapping “download” without a second thought. Before you download, take time to do some quick research. That may uncover some signs that the app is malicious. Check out the developer—have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps may have only a handful of (phony) five-star reviews.
Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.
3) Go with a strong recommendation. Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.
4) Keep an eye on app permissions. Another way hackers weasel their way into your device is by getting permission to access things like your location, contacts, and photos—and they’ll use sketchy apps to do it. (Consider the long-running free flashlight app scams mentioned above that requested up to more than 70 different permissions, such as the right to record audio, and video, and access contacts.
So check and see what permissions the app is requesting. If it’s asking for way more than you bargained for, like a simple game wanting access to your camera or microphone, it may be a scam. Delete the app and find a legitimate one that doesn’t ask for invasive permissions like that. If you’re curious about permissions for apps that are already on your phone, iPhone users can learn how to allow or revoke app permission here, and Android can do the same here.
5) Get scam protection. Plenty of scams find your phone by way of sketchy links sent in texts, messages, and emails. Our Text Scam Detector can block them before they do you any harm. And if you tap that link by mistake, Scam Protection still blocks it.
6) Protect your smartphone with security software. With all that we do on our phones, it’s important to get security software installed on them, just like we install it on our computers and laptops. Whether you go with comprehensive security software that protects all of your devices or pick up an app in Google Play or Apple’s App Store, you’ll have malware, web, and device security that’ll help you stay safe on your phone.
The post The Top 5 Scariest Mobile Threats appeared first on McAfee Blog.
Mobile banking is highly secure — when you take a few straightforward steps, it becomes even safer.
And those steps only take minutes, leaving you and your finances far more secure than before.
Use strong passwords.
Start here. Strong and unique passwords for each of your accounts form your first line of defense. However, one thing that can be a headache is the number of passwords we have to juggle — a number that seems like it’s growing every day. To help with that, you should strongly consider using a password manager. A good choice generates strong, unique passwords for each of your accounts and stores them securely for you.
If you want to set up your own passwords, check out this article on how you can make them strong and unique.
Use two-factor authentication to protect your accounts.
Two-factor authentication is practically a banking standard nowadays. What exactly is two-factor authentication? It’s an extra layer of defense for your accounts. With two-factor authentication, you also receive a special one-time-use code when logging in. That code might be sent to you via email or to your phone by text. In some cases, you can also receive that code by a call to your phone. In all, this makes it much tougher for a hacker to hijack your account.
Quick note — never share your unique code with anyone. If someone asks you for it at any time, it’s a scam.
Keep an eye out for phishing attacks.
Scammers use phishing attacks to steal personal info through emails, texts, and even social media messages. In the case of banking, they look to phish (“fish”) personal and financial info out of you by posing as your bank. They typically make their message sound urgent, like your account shows some unusual activity.
When you get these messages, always check the sender. Is the address or phone number one that your bank uses? And note that scammers often “spoof” addresses and phone numbers — making them look legit even though they’re fake. If you’re ever unsure, don’t reply. Contact your bank directly to see if your account indeed has an issue. Also, ignore such messages on social media. Banks don’t use social media messages to contact their account holders.
Yet better, you can use our Text Scam Detector to detect the sketchy links scammers use in their attacks. AI technology automatically detects scams by scanning URLs in your text messages. If you accidentally tap? Don’t worry, it can block risky sites if you tap on a suspicious link in texts, emails, social media, and more.
Be skeptical about calls as well. Fraudsters use the phone too.
It might seem a little traditional, yet criminals still like to use phone calls. In fact, they rely on the fact that many still see the phone as a trusted line of communication. This is known as “vishing,” which is short for “voice phishing.” The aim is the same as it is with phishing. The fraudster is looking to lure you into a bogus financial transaction or attempting to steal info, whether that’s financial, personal, or both.
The same advice applies here. End the call and then dial your bank directly to follow up.
Steer clear of financial transactions on public Wi-Fi in cafes, hotels, and elsewhere.
There’s a good reason not to use public Wi-Fi: it’s not private. They’re public networks, and that means they’re unsecured and shared by everyone who’s using it. With that, determined hackers can read any data passing through them like an open book. And that includes your accounts and passwords.
Instead of public Wi-Fi, use your smartphone’s data connection, which is far more secure. Yet better, consider connecting with a VPN. Short for a “virtual private network,” a VPN helps you stay safer with bank-grade encryption and private browsing. Think of it as a secure tunnel for your data, which keeps unwanted eyes from snooping. It’s a particularly excellent option if you find yourself needing to use public Wi-Fi, as a VPN effectively makes a public network connection private.
Some basic digital hygiene goes a long way toward protecting you even more. It’ll protect your banking and finances and all the things you do online as well.
Update your software.
That includes the operating system of your computers, smartphones, and tablets, along with the apps that are on them. Many updates include security upgrades and fixes that make it tougher for hackers to launch an attack.
Lock up.
Your computers, smartphones, and tablets have a way of locking them with a PIN, a password, your fingerprint, or your face. Take advantage of that protection, which is particularly important if your device is lost or stolen.
Use security software.
Protecting your devices with comprehensive online protection software fends off the latest malware, spyware, and ransomware attacks. Online protection like our McAfee+ plans further protects your privacy and identity in several ways:
The post How to Safely Bank Online appeared first on McAfee Blog.
Your smart home hums right along. It sets your alarm, opens your garage door, pops up recipes on your refrigerator screen, turns up your lighting, and even spins selections as your in-house DJ. That’s to name just a few of the things it can do. Yet with all these connected conveniences, can smart homes get hacked?
The short answer is, unfortunately, yes. Yet you have plenty of ways you can prevent it from happening.
Smart homes and the Internet of Things (IoT) devices that populate them often offer prime targets for hackers. The reason? Many IoT smart home devices have poor security features in place. And because a home network is only as strong as its weakest point, smart home devices offer a ready means of entry. With that access to the network, a hacker has access to all the other devices on it…computers, tablets, smartphones, baby monitors, and alarm systems. Everything.
Recent research sheds light on what’s at stake. Cybersecurity teams at the Florida Institute of Technology found that companion apps for several big brand smart devices had security flaws. Of the 20 apps linked to connected doorbells, locks, security systems, televisions, and cameras they studied, 16 had “critical cryptographic flaws” that might allow attackers to intercept and modify their traffic. These flaws might lead to the theft of login credentials and spying, the compromise of the connected device, or the compromise of other devices and data on the network.[i]
Over the years, our research teams at McAfee Labs have uncovered similar security vulnerabilities in other IoT devices like smart coffee makers and smart wall plugs.
Let’s imagine a smart lightbulb with poor security measures. As part of your home network, a motivated hacker might target it, compromise it, and gain access to the other devices on your network. In that way, a lightbulb might lead to your laptop — and all the files and data on it.
In all, hackers have many reasons why they might break into your smart home.
You can take several steps to make your current smart home safer. Some of them involve protecting your devices, while others focus on protecting your home network.
Aside from protecting your devices, there’s protecting yourself. Comprehensive online protection software will protect your privacy and identity as well. Depending on your location and the plan you select, ours includes up to $2 million in identity theft coverage, plus features that clean up old and risky online accounts. Further features remove your personal info from the sketchiest of online data brokers and help you monitor all your transactions in one place — including retirement and investment accounts. It’s comprehensive protection for a reason.
Check out our Smart Home Security Guide. It offers further details on device protection and privacy advice for smart devices and smart speakers too. It’s free, and part of the McAfee Safety Series that covers topics ranging from online shopping and cyberbullying to identity protection and ransomware prevention.
[i] https://news.fit.edu/academics-research/apps-for-popular-smart-home-devices-contain-security-flaws-new-research-finds/
[ii] https://www.zdnet.com/article/hacker-leaks-passwords-for-more-than-500000-servers-routers-and-iot-devices/
[iii] https://docs.fcc.gov/public/attachments/DOC-401201A1.pdf
The post Is Your Smart Home Vulnerable to a Hack Attack? appeared first on McAfee Blog.
If you’re the parent of a tween or teen, chances are they’re not the only ones going back to school. Their smartphones are going back too.
Our global research showed just how many tweens and teens use a smartphone. Plenty. Depending on the age band, that figure ranges anywhere from 76% to 93%, with some noteworthy variations between countries.
One of the top reasons parents give their child a phone is to stay in touch, so it likely follows that those phones will likely make their way into the classroom. Whether or not that’s the case for your child, back-to-school time is still a great time to help your child stay safer on their phone—and keep their phones safer too in the event of loss or theft.
Comprehensive online protection software can protect your phone in the same way that it protects your laptops and computers. Unfortunately, while many people use it on their laptops and computers, far fewer people use it on their phones—only about 42% of tweens and teens worldwide use it on their smartphones according to our most recent research.
Installing it can protect their privacy, keep them safe from attacks on public Wi-Fi, and automatically block unsafe websites and links, just to name a few things it can do. You can find our smartphone apps in both Google Play and the Apple App Store.
Updates do all kinds of great things for gaming, streaming, and chatting apps, such as adding more features and functionality over time. Updates do something else—they make those apps more secure. Hackers will hammer away at apps to find or create vulnerabilities, which can steal personal info or compromise the device itself. Updates will often include security improvements, in addition to performance improvements.
iPhones update apps automatically by default, yet you can learn how to turn them back on here if they’ve been set to manual updates. For Android phones, this article can help you set apps to auto-update if they aren’t set that way already.
Much the same goes for the operating system on smartphones too. Updates can bring more features and more security. iOS users can learn how to update their phones automatically in this article. Likewise, Android users can refer to this article about automatic updates for their phones.
Another finding from our latest global research is just how few people use a lock screen on their phones. Only 56% of parents said that they protect their smartphone with a password or passcode, and only 42% said they do the same for their child’s smartphone—a further 14% drop between parents and kids.
The issue here is clear. If an unlocked phone gets lost or stolen, all the information on it is an open book to a potential hacker, scammer, or thief. Enabling a lock screen if you haven’t already. It’s a simple feature found in both iOS and Android devices.
Preventing the actual theft of your phone is important too, as some hacks happen simply because a phone falls into the wrong hands. This is a good case for password or PIN protecting your phone, as well as turning on device tracking so that you can locate your phone or even wipe it remotely if you need to. Apple provides iOS users with a step-by-step guide for remotely wiping devices, and Google offers up a guide for Android users as well.
Strong, unique passwords offer another primary line of defense. Yet with all the accounts we have floating around, juggling dozens of strong and unique passwords can feel like a task—thus the temptation to use (and re-use) simpler passwords. Hackers love this because one password can be the key to several accounts. Instead, try a password manager that can create those passwords for you and safely store them as well.
Google Play and Apple’s App Store have measures in place to review and vet apps to help ensure that they are safe and secure. Third-party sites may not have that process in place. In fact, some third-party sites may intentionally host malicious apps as part of a broader scam. Granted, cybercriminals have found ways to work around Google and Apple’s review process, yet the chances of downloading a safe app from them are far greater than anywhere else. Furthermore, both Google and Apple are quick to remove malicious apps once discovered, making their stores that much safer.
One way that crooks can hack their way into your phone is via public Wi-Fi, such as at coffee shops, libraries, and other places on the go. These networks are public, meaning that your activities are exposed to others on the network—your banking, your password usage, all of it. One way to make a public network private is with a VPN, which can keep you and all you do protected from others on that Wi-Fi hotspot. Note that our VPN can turn on automatically for public Wi-Fi, protecting account credentials, search habits, and other activities online.
The same advice applies to these devices as well—strong online protection software, password management, VPN usage, and so on. What’s good for a smartphone is good for laptops and desktops too.
For laptops in particular, you can track these devices as well, just like a smartphone. The process differs from smartphones, yet it’s still quite straightforward. Windows and Mac users can enable the following settings—and you can click the links below for complete instructions from the source:
Putting these same protections in place on your laptops and desktops will help make your child, and your whole family, safer than before.
Note that on school-issued devices, your school district will likely have technology teams who manage them. As part of that, they typically have policies and restrictions in place to help keep them running safe and sound. If you have any questions about what kind of protections are in place on these school-issued devices, contact your school district.
While we’ve largely focused on protecting the phone itself, there’s also the importance of protecting the person who’s using it. In this case, your child—what they see, do, and experience on the internet. Device security is only part of the equation there.
Parents of tweens and teens know the concerns that come along with smartphone usage, ranging anywhere from cyberbullying, too much screen time, and simply wanting to know what their child is up to on their phone.
As you can imagine, each of these topics deserves its own treatment. The “Family Safety” section of our blog offers parents and their kids alike plenty of resources, and the list below can get you started on a few of the most pressing issues:
Without a doubt, while a child may get their first smartphone to “keep in touch,” that ownership blossoms into something far greater. And quite quickly. As they dive into the world of apps, social media, messaging, and gaming, take an interest, take it as an opportunity to spend time talking about their day and what it was like online.
By asking if they grabbed any cool pictures, what their favorite games are, and how their friends are when your child is texting them, questions like these can open a look into a world that would otherwise remain closed. This way, talking about the phone and what they’re doing on it becomes part of normal, everyday conversation. This can reap benefits down the road when your child encounters the inevitable bumps along the way, whether they’re dealing with a technical issue or something as difficult as cyberbullying or harassment. Talking about their life online on a regular basis may make them more apt to come forward when there’s a problem than they otherwise might.
In all, think of the smartphone as a fast pass into adulthood, thanks to how it puts the entirety of the internet right in your child’s hand. Protecting the device and the kid who’s using it will help ensure they get the absolute best out of all that potential.
The post Getting Your Kids Ready for School—And Their Smartphones Too appeared first on McAfee Blog.
With a buzz, your phone lets you know you got a text. You take a peek. It’s from the U.S. Postal Service with a message about your package. Or is it? You might be looking at a smishing scam.
“Smishing” takes its form from two terms: SMS messaging and phishing. Effectively, smishing is a phishing attack on your phone. Scammers love these attacks year-round, and particularly so during holiday shopping rushes. The fact remains that we ship plenty of packages plenty often, and scammers use that to their advantage.
Smishing attacks try to slip into the other legitimate messages you get about shipments. The idea is that you might have a couple on the way and might mistake the smishing attack for a proper message. Scammers make them look and sound legit, posing as the U.S. Postal Service or other carriers like UPS, DHL, and FedEx.
Let’s dive into the details of this scheme and what you can do to protect yourself from SMS phishing.
To pull off these attacks, scammers send out text messages from random numbers saying that a delivery has an urgent transit issue. When a victim taps on the link in the text, it takes them to a form page that asks them to fill in their personal and financial info to “verify their purchase delivery.” With the form completed, the scammer can then exploit that info for financial gain.
However, scammers also use this phishing scheme to infect people’s devices with malware. For example, some users received links claiming to provide access to a supposed postal shipment. Instead, they were led to a domain that did nothing but infect their browser or phone with malware. Regardless of what route the hacker takes, these scams leave the user in a situation that compromises their smartphone and personal data.
While delivery alerts are a convenient way to track packages, it’s important to familiarize yourself with the signs of smishing scams. Doing so will help you safeguard your online security without sacrificing the convenience of your smartphone. To do just that, take these straightforward steps.
Go directly to the source.
Be skeptical of text messages from companies with peculiar requests or info that seems too good to be true. Be even more skeptical if the link looks different from what you’d expect from that sender — like a shortened link or a kit-bashed name like “fed-ex-delivery dot-com.” Instead of clicking on a link within the text, it’s best to go straight to the organization’s website to check on your delivery status or contact customer service.
Enable the feature on your mobile device that blocks certain texts.
Many spammers send texts from an internet service to hide their identities. You can combat this by using the feature on your mobile device that blocks texts sent from the internet or unknown users. For example, you can disable all potential spam messages from the Messages app on an Android device. Head to “Settings,” tap on “Spam protection,” and then enable it. On iPhones, head to “Settings” > “Messages” and flip the switch next to “Filter Unknown Senders.”
One caveat, though. This can block legitimate messages just as easily. Say you’re getting your car serviced. If you don’t have the shop’s number stored on your phone, their updates on your repair progress will get blocked as well.
Block smishing texts with AI.
Our new AI-powered Text Scam Detector puts up a great defense. It automatically detects scams by scanning URLs in your text messages. If you accidentally tap? Don’t worry, it can block risky sites if you tap on a suspicious link in texts, emails, social media, and more.
Protect your privacy and identity all around.
While McAfee+ plans include Scam Protection, our plans offer strong protection for your identity, privacy, and finances. All the things those smishers are after. It includes credit and identity monitoring, social privacy management, and a VPN, plus several transaction monitoring features. Together, they spot scams and give you the tools to stop them dead in their tracks.
And if the unfortunate happens, our Identity Theft Coverage & Restoration can get you on the path to recovery. It offers up to $2 million in coverage for legal fees, travel, and funds lost because of identity theft. Further, a licensed recovery pro can do the work for you, taking the necessary steps to repair your identity and credit.
The post How Not to Fall for Smishing Scams appeared first on McAfee Blog.
Before your phone gets lost or stolen, put some basic steps in place.
You’ll want to act quickly, so preparation is everything. With the right measures, you can find it, recover it, or even erase it if needed. These steps can get you set up so you can do exactly that.
Lock your phone.
Locking your phone is one of the most basic smartphone security measures you can take. Trouble is, few of us do it. Our recent global research showed that only 56% of adults said that they protect their smartphone with a password, passcode, or other form of lock.[i] In effect, an unlocked phone is an open book to anyone who finds or steals a phone
Setting up a lock screen is easy. It’s a simple feature found on iOS and Android devices. iPhones and Androids have an auto-lock feature that locks your phone after a certain period of inactivity. Keep this time on the low end, one minute or less, to help prevent unauthorized access.
We suggest using a six-digit PIN or passcode rather than using a gesture to unlock your phone. They’re more complex and secure. Researchers proved as much with a little “shoulder surfing” test. They looked at how well one group of subjects could unlock a phone after observing the way another group of subjects unlocked it.[ii]
Turn on “Find My Phone.”
Another powerful tool you have at your disposal is the Find My Phone feature made possible thanks to GPS technology. The “find my” feature can help you pinpoint your phone if your lost or stolen phone has an active data or Wi-Fi connection and has its GPS location services enabled. Even if the phone gets powered down or loses connection, it can guide you to its last known location.
Setting up this feature is easy. Apple offers a comprehensive web page on how to enable and use their “Find My” feature for phones (and other devices too). Android users can get a step-by-step walkthrough on Google’s Android support page as well.
Back up your stuff in the cloud.
Thanks to cloud storage, you might be able to recover your photos, files, apps, notes, contact info, and more if your phone is lost or stolen. Android owners can learn how to set up cloud backup with Google Drive here, and iPhone users can learn the same for iCloud here.
Write down your phone’s unique ID number.
Here are a couple of acronyms. IMEI (International Mobile Equipment Identity) or MEID (Mobile Equipment Identifier) are two types of unique ID numbers assigned to smartphones. Find yours and write it down. In case of loss or theft, your mobile carrier, police department, or insurance provider might ask for the info to assist in its return or reimbursement for loss.
Beyond digital security measures, plenty of loss and theft prevention falls on you. Treat your phone like the desirable item it is. That’s a big step when it comes to preventing theft.
Keep your phone close.
And by close, we mean on your person. It’s easy to leave your phone on the table at a coffee shop, on a desk in a shared workspace, or on a counter when you’re shopping. Thieves might jump on any of these opportunities for a quick snatch-and-grab. You’re better off with your phone in your pocket or zipped up in a bag that you keep close.
Secure your bags and the devices you carry in them.
Enterprising thieves will find a way. They’ll snatch your bag while you’re not looking. Or they might even slice into it with a knife to get what’s inside, like your phone.
Keep your bag or backpack close. If you’re stopping to grab a bite to eat, sling the handles through a chair leg. If you have a strong metal carabiner, you can use that too. Securing your bag like that can make it much tougher for a thief to walk by and swipe it. For extra security, look into a slash-resistant bag.
If you have a credit card and ID holder attached to the back of your phone, you might want to remove your cards from it. That way, if your phone gets snatched, those important cards won’t get snatched as well.
In the event of your phone getting lost or stolen, a combination of device tracking, device locking, and remote erasing can help protect your phone and the data on it.
Different device manufacturers have different ways of going about it. But the result is the same — you can prevent others from using your phone, and even erase it if you’re truly worried that it’s in the wrong hands or gone for good. Apple provides iOS users with a step-by-step guide, and Google offers up a guide for Android users as well.
Apple’s Find My app takes things a step further. Beyond locating a lost phone or wiping it, Find My can also mark the item as lost, notify you if you’ve left it behind, or trigger a sound to help you locate it. (A huge boon in that couch cushion scenario!) Drop by Apple’s page dedicated to the Find My app for more details on what you can do on what devices, along with instructions how.
With preparation and prevention, you can give yourself reassurance if your phone gets lost or stolen. You have plenty of recovery options, in addition to plenty of ways to prevent bad actors from getting their hands on the sensitive info you keep on it.
[i] https://www.mcafee.com/content/dam/consumer/en-us/docs/reports/rp-connected-family-study-2022-global.pdf
[ii] https://arxiv.org/abs/1709.04959
The post What Should I do If My Phone Gets Stolen or Lost? appeared first on McAfee Blog.
We all love free stuff. (Costco samples, anyone?) However, when it comes to your family’s security, do free online protection tools offer the coverage you truly need?
Not always. In fact, they might invade the privacy you’re trying to protect.
Here’s why.
Free tools don’t offer the level of advanced protection that life on today’s internet needs. For starters, you’ll want malware and antivirus protection that’s as sophisticated as the threats they shut down. Ours includes AI technology and has for years now, which helps it shut down even the latest strains of malware as they hit the internet for the first time. We’re seeing plenty of that, as hackers have also turned to AI tools to code their malicious software.
Malware and antivirus protection protects your devices. Yet a comprehensive approach protects something else. You and your family.
Comprehensive online protection looks after your family’s privacy and identity. That keeps you safe from prying eyes and things like fraud and identity theft. Today’s comprehensive protection offers more features than ever, and far more than you’ll find in a free, and so incomplete, offering.
Consider this short list of what comprehensive online protection like ours offers you and your family:
Scam Protection
Is that email, text, or message packing a scam link? Our scam protection lets you know before you click that link. It uses AI to sniff out bad links. And if you click or tap on one, no worries. It blocks links to malicious sites.
Web Protection
Like scam protection, our web protection sniffs out sketchy links while you browse. So say you stumble across a great-looking offer in a bed of search results. If it’s a link to a scam site, you’ll spot it. Also like scam protection, it blocks the site if you accidentally hit the link.
Transaction Monitoring
This helps you nip fraud in the bud. Based on the settings you provide, transaction monitoring keeps an eye out for unusual activity on your credit and debit cards. That same monitoring can extend to retirement, investment, and loan accounts as well. It can further notify you if someone tries to change the contact info on your bank accounts or take out a short-term loan in your name.
Credit Monitoring
This is an important thing to do in today’s password- and digital-driven world. Credit monitoring uncovers any inconsistencies or outright instances of fraud in your credit reports. Then it helps put you on the path to setting them straight. It further keeps an eye on your reports overall by providing you with notifications if anything changes in your history or score.
Social Privacy Manager
Our social privacy manager puts you in control of who sees what on social media. With it, you can secure your profiles the way you want. It helps you adjust more than 100 privacy settings across your social media accounts in just a few clicks. It offers recommendations as you go and makes sure your personal info is only visible to the people you want. You can even limit some of the ways that social media sites are allowed to use your data for greater peace of mind.
Personal Data Cleanup
This provides you with another powerful tool for protecting your privacy. Personal Data Cleanup removes your personal info from some of the sketchiest data broker sites out there. And they’ll sell those lines and lines of info about you to anyone. Hackers and spammers included. Personal Data Cleanup scans data broker sites and shows you which ones are selling your personal info. From there, it provides guidance for removing your data from those sites. Further, when part of our McAfee+ Advanced and Ultimate, it sends requests to remove your data automatically.
Password Manager
Scammers love weak or reused passwords. Even more so when they’re weak and reused. It offers them an easy avenue to force their way into people’s accounts. Our password manager creates and securely stores strong, unique passwords for you. That saves you the hassle of creating strong, unique passwords for your dozens and dozens of accounts. And helps protect you from fraud.
Identity Theft Coverage & Restoration
This provides you with extra assurance while you shop. Say the unfortunate happens to you and find yourself a victim of identity theft. Our coverage and restoration plan provides up to $2 million in lawyer fees and reimbursement for lawyer fees and stolen funds. Further, a licensed expert can help you repair your identity and credit. In all, this saves you money and your time if theft happens to you.
Say your online protection leaves gaps in your family’s safety, or that it uses less-effective methods and technologies. That exposes you to threats — threats can cost you time and money alike if one of those threats gets through.
One example, consider the online crimes reported to the U.S. Federal Trade Commission. In 2023, they fielded 5.4 million fraud reports. Of them, 2.6 million reported a loss for a total of $10 billion. The median loss was $500 across all reports. Of course, that’s only the median dollar amount. That number can climb much higher in individual cases.
Source: U.S. Federal Trade Commission
Without question, protection is prevention, which can spare you some significant financial losses. Not to mention the time and stress of restoring your credit and identity — and getting your money back.
A “free” solution has to make its money somehow.
Free security solutions sometimes carry in-app advertising. More importantly, they might try to gather your user data to target ads or share it with others to make a profit. Also by advertising for premium products, the vendor indirectly admits that a free solution doesn’t provide enough security.
Further, these tools also offer little to no customer support, leaving users to handle any technical difficulties on their own. What’s more, most free security solutions are meant for use on only one device, whereas the average person owns several connected devices. And that’s certainly the case for many families.
Lastly, free solutions often limit a person’s online activity too. Many impose limits on which browser or email program the user can leverage, which can be inconvenient as many already have a preferred browser or email platform.
Free security products might provide the basics, but a comprehensive solution can protect you from a host of other risks — ones that could get in the way of enjoying your time online.
With comprehensive online protection in place, your family’s devices get protection from the latest threats in the ever-evolving security landscape. It keeps your devices safe. And it keeps you safe. With that, we hope you’ll give us a close look when you decide to upgrade to comprehensive protection.
The post Why Should I Pay for Online Protection? appeared first on McAfee Blog.
A text pops up on your phone. It’s your pal, and the text says, “What’s the password again?” It might be for a video streaming app, a delivery service, or a music site. But is it really OK to share passwords?
The answer to that question takes a couple of forms.
For starters, that app, service, or site you’re sharing has terms of use. Those terms might allow for sharing. Others might not. From that standpoint, sharing might break those terms.
Secondly, sharing passwords with someone outside your household carries security risks. And that’s what we’ll focus on here.
One set of research found that 79% of Americans surveyed said they shared passwords. Video streaming came in at 35%, delivery services at 29%, and music streaming at 9%.[i]
Yet that same research revealed something else. Only 7% of Americans said they worried about getting hacked despite all that password sharing.
The broader use a password sees, the more vulnerable it is. And that has a couple of dimensions to it.
The first is the more obvious of the two. Reusing passwords across accounts can lead to identity theft and fraud. Say a hacker gets a hold of a password on the dark web or directly through a data breach. If it’s reused across accounts, all those accounts could get compromised. The same is largely true of passwords that have little variation between them. When not unique, a hacker can figure out the variation with relatively little effort.
The second is a bit more subtle. Sharing passwords with people outside the household means those passwords get used on devices outside of the household. The question then is, are those devices secure? Do the people who own them use online protection software to keep themselves safer online? If not, those passwords could get exposed. One example — a friend logs into a streaming site on unprotected Wi-Fi. A hacker monitors the traffic, skims the password, and sells it on the dark web.
So, for several reasons, sharing passwords is not OK. And it brings up an important point about passwords in general. We have a lot of them. Yet each one must be secure.
So, we’ve mentioned some of the security risks around passwords. Primary among them, weak and reused passwords.
It’s no wonder people go the route of easy-to-remember passwords they use again and again. According to Pew Research, American adults feel overwhelmed by the number of passwords they have to keep track of. Depending on the age group, that feeling ranges from 61% to 74%.[ii]
That sense of overwhelm takes shape in another interesting way. Increasingly, people are doing something about it. Faced with creating strong and unique passwords, more people let a password manager do the work for them. In 2019, only 20% of Americans surveyed said they used one. In 2023, that number leapt up to 32%.[iii] A solid 12% rise that now covers nearly a third of all Americans.
So, for anyone bogged down by passwords, a password manager offers an excellent solution.
And a safe one at that.
A password manager like ours helps you protect your accounts from hackers by securely creating and storing strong and unique passwords. The very kind of passwords that hackers hate. While you’re online, it auto-fills your info for faster logins. Best of all, you only have to remember a single password.
Don’t.
For one, sharing passwords might break the terms of use for the app, service, or site in question. Next, it can bring security issues with it as multiple people use it on multiple devices — ones that might or might not be secure.
On a related note, re-using passwords across several accounts increases your risk of getting hacked even more. Whether they’re weak and memorable or variations on a common theme, passwords like these make life easier for hackers.
As always, each of your accounts calls for a strong and unique password. And if you’re like the many who have dozens and dozens of accounts, a password manager can make that easy. And highly secure, too.
[i] https://www.thezebra.com/resources/home/dangers-of-sharing-passwords/
[ii] https://www.pewresearch.org/internet/2023/10/18/how-americans-protect-their-online-data/
[iii] Ibid.
The post Do You Share Passwords with Friends and Family? appeared first on McAfee Blog.
Are smartphones less secure than PCs? The answer to that is, they’re different. They face different security threats. Yet they certainly share one thing in common — they both need protection.
So, what makes a smartphone unique when it comes to security? And how do you go about protecting it? We’ll cover both here.
Several facts of life about smartphones set them apart when it comes to keeping your devices safer. A quick rundown looks like this:
First off, people keep lots of apps on their phones. Old ones, new ones, ones they practically forgot they had. The security issue that comes into play there is that any app on a phone is subject to vulnerabilities.
A vulnerability in just one of the dozens of apps on a phone can lead to problems. The adage of “the weakest link” applies here. The phone is only as secure as its least secure app. And that goes for the phone’s operating system as well.
Additionally, app permissions can also introduce risks. Apps often request access to different parts of your phone to work — such as when a messenger app asks for access to contacts and photos. In the case of malicious apps, they’ll ask for far more permissions than they need. A classic example involves the old “flashlight apps” that invasively asked for a wide swath of permissions. That gave the hackers all kinds of info on users, including things like location info. Today, the practice of malicious, permission-thirsty apps continues with wallpaper apps, utility apps, games, and more.
As for other malicious apps, sometimes people download them without knowing. This often happens when shopping in third-party app stores, yet it can happen in legit app stores as well — despite rigorous review processes from Apple and Google. Sometimes, hackers sneak them through the review process for approval. These apps might include spyware, ransomware, and other forms of malware.
Many people put their smartphones to personal and professional use.[i] That might mean the phone has access to corporate apps, networks, and data. If the phone gets compromised, those corporate assets might get compromised too. And it can work in the other direction. A corporate compromise might affect an employee’s smartphone.
More and more, our phones are our wallets. Digital wallets and payment apps have certainly gained popularity. They speed up checkout and make splitting meals with friends easy. That makes the prospect of a lost or stolen phone all the more serious. An unsecured phone in the hands of another is like forking over your wallet.
Lastly, spam texts. Unique to phones are the sketchy links that crop up in texting and messaging apps. These often lead to scam sites and other sites that spread malware.
With a good sense of what makes securing your smartphone unique, let’s look at several steps you can take to protect it.
Keeping your phone’s apps and operating system up to date can greatly improve your security. Updates can fix vulnerabilities that hackers rely on to pull off their malware-based attacks. it’s another tried and true method of keeping yourself safer — and for keeping your phone running great too.
With all that you keep and conduct on your phone, a lock is a must. Whether you have a PIN, passcode, or facial recognition available, put it into play. The same goes for things like your payment, banking, and financial apps. Ensure you have them locked too.
As mentioned above, app stores have measures in place to review and vet apps that help ensure they’re safe and secure. Third-party sites might very well not, and they might intentionally host malicious apps as part of a front. Further, legitimate app stores are quick to remove malicious apps from their stores once discovered, making shopping there safer still.
Check out the developer — have they published several other apps with many downloads and good reviews? A legit app typically has many reviews. In contrast, malicious apps might have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it.
Yet better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or app store editors themselves. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download.
Another way hackers weasel their way into your device is by getting permissions to access things like your location, contacts, and photos — and they’ll use malicious apps to do it. If an app asks for way more than you bargained for, like a simple puzzle game that asks for access to your camera or microphone, it might be a scam. Delete the app.
So what happens if your phone ends up getting lost or stolen? A combination of device tracking, device locking, and remote erasing can help protect your phone and the data on it. Different device manufacturers have different ways of going about it, but the result is the same — you can prevent others from using your phone. You can even erase it if you’re truly worried that it’s gone for good. Apple provides iOS users with a step-by-step guide, and Google offers a guide for Android users as well.
Comprehensive online protection software can secure your phone in the same ways that it secures your laptops and computers. Installing it can protect your privacy, and keep you safe from attacks on public Wi-Fi, just to name a few things it can do. Ours also includes Text Scam Detector that blocks sketchy links in texts, messages, and email before they do you any harm. And if you tap that link by mistake, Text Scam Detector still blocks it.
[i] https://www.statista.com/statistics/1147490/share-adults-use-personal-smartphone-business-activities-by-country/
The post Are Mobile Devices Less Secure than PCs? appeared first on McAfee Blog.
It takes a bit of effort, but iPhones can wind up with viruses and malware. And that can indeed lead to all kinds of snooping.
Whether through malware or a bad app, hackers can skim personal info while you browse, bank, and shop. They can also infect your phone with ransomware that locks up your personal info or that locks up the phone itself.
Those are some worst-case scenarios. However, good for you and unfortunate hackers is the way iPhones run apps. It makes it tough for viruses and malware to get a toehold. Apple designed the iOS operating system to run apps in what’s called a “virtual environment.” This limits the access apps have to other apps, which helps prevent viruses and malware from spreading.
Still, malware can end up on an iPhone in a couple of ways:
The owner “jailbreaks” the iPhone
This practice gives people more control over their iPhones. By jailbreaking, they gain “root control” of the phone. With that, they can do things like remove pre-installed apps and download third-party apps from places other than the App Store. And that’s where the trouble can start.
Jailbreaking removes several of those barriers that keep viruses and malware from spreading. Further, downloading apps outside of the App Store exposes the phone to viruses and malware. Apple doesn’t review the apps in those stores. That way, a hacker with malicious intent can post a bad app with relative ease.
A malicious app sneaks into the App Store
Apple has a strict review policy before apps are approved for posting in the App Store. Per Apple, “Apple’s App Review team of over 500 experts evaluates every single app submission — from developers around the world — before any app ever reaches users. On average, the team reviews approximately 132,500 apps a week.”
However, bad actors find ways to sneak malware into the store. Sometimes they upload an app that’s initially innocent and then push malware to users as part of an update. Other times, they’ll embed malicious code such that it only triggers after it’s run in certain countries. They will also encrypt malicious code in the app that they submit, which can make it difficult for reviewers to sniff out.
So, barring a jailbroken phone, the chances of getting a virus or malware on your iPhone remain low. Still, it can happen.
Because we spend so much time on our phones, it’s fairly easy to tell when something isn’t working quite like it is supposed to. While you can chalk up some strange behavior to technical issues, sometimes those issues are symptoms of an infection. Malware can eat up system resources or conflict with other apps on your phone, causing it to act in odd ways.
Some possible signs that your device has been hacked include:
Performance issues
A slower device, webpages taking way too long to load, or a battery that never keeps a charge are all things that can be attributed to a device reaching its retirement. However, these things might also be signs that malware has compromised your phone.
Your phone feels like it’s running hot
Malware running in the background of a device might burn extra computing power, causing your phone to feel hot and overheated. If your device is quick to heat up, it might be due to malicious activity.
Mysterious calls, texts, or apps appear
If apps you haven’t downloaded suddenly appear on your screen, or if outgoing calls you don’t remember making pop up on your phone bill, that is a definite red flag and a potential sign that your device has been hacked.
Changes or pop-ups crowd your screen
Malware might also be the cause of odd or frequent pop-ups, as well as changes made to your home screen. If you are getting an influx of spammy ads or your app organization is suddenly out of order, there is a big possibility that your phone has been hacked.
To avoid the hassle of having a hacked phone in the first place, here are some tips that can help.
Promptly updating your phone and apps is a primary way to keep your device safer. Updates often fix bugs and vulnerabilities that hackers rely on to download malware for their attacks.
Apple’s App Store has those protections in place that we mentioned before. That’s unlike those third-party sites, which might not have those same protections. Further, some purposely host malicious apps. Avoiding these sites altogether can prevent these apps from allowing hackers into your device.
As we’ve seen, jailbreaking a phone introduces all kinds of security issues. Your best bet as an everyday internet user is to rely on iOS and the protections that come with it.
If you are worried that your device has been hacked, follow these steps:
Completely power down your phone. Powering down and then giving your phone a fresh start can put a halt to any malicious activity.
Remove any apps you didn’t download. From there, power down your phone and restart it as before.
If you still have issues, wiping and restoring your phone is an option. Provided you have your photos, contacts, and other vital info backed up in the cloud, it’s a relatively straightforward process. A quick search online can show how to wipe and restore your model of phone.
Check your accounts and credit for any unauthorized purchases. Several features in our McAfee+ plans can help. Identity Monitoring can alert you if your info winds up on the dark web. Our Credit Monitoring along with our transaction monitoring can also alert you of unusual activity across your accounts.
Lastly, if you spot an issue, get some help from a pro. Our Identity Theft Coverage & Restoration service offers $2 million that covers travel, losses, and legal fees associated with identity theft. It also offers the services of a licensed recovery pro who can repair your credit and your identity in the wake of an attack.
On a non-jailbroken phone, no. You don’t need antivirus. Yet your phone should certainly get extra protection. Phones face far more threats than viruses and malware alone.
Comprehensive online protection software like ours can keep you and your phone safer. It can:
Those are only a handful of the many features that protect more than your phone. You’ll find yet more that protect you — namely, your identity and your privacy.
So while iPhones don’t need antivirus, they certainly benefit from extra online protection.
The post How To Tell If Your Smartphone Has Been Hacked appeared first on McAfee Blog.
In today’s interconnected world, our mobile devices serve as essential tools for communication, productivity, and entertainment. However, for some tech-savvy users, the allure of unlocking the full potential of their devices through jailbreaking (for iOS) or rooting (for Android) can be tempting. While these processes offer users greater control and customization over their devices, they also raise significant questions about security implications.
To “jailbreak” means to allow the phone’s owner to gain full access to the root of the operating system and access all the features. Jailbreaking is the process of removing the limitations imposed by Apple and associated carriers on devices running the iOS operating system. Jailbroken phones came into the mainstream when Apple first released their iPhone and it was only on AT&T’s network. Users who wanted to use an iPhone with other carriers were not able to unless they had a jailbroken iPhone.
Similar to jailbreaking, “rooting” is the term for the process of removing the limitations on a mobile or tablet running the Android operating system. By gaining privileged control, often referred to as “root access,” over an Android device’s operating system, users can modify system files, remove pre-installed bloatware, install custom ROMs, and unlock features not accessible on stock devices.
Rooting or jailbreaking grants users deeper access to the device’s operating system, allowing for extensive customization of the user interface, system settings, and even hardware functionality. Advanced users can optimize system performance, remove unnecessary bloatware, and tweak settings to improve battery life, speed, and responsiveness.
However, hacking your device potentially opens security holes that may have not been readily apparent or undermines the device’s built-in security measures. Jailbroken and rooted phones are much more susceptible to viruses and malware because users can avoid Apple and Google application vetting processes that help ensure users are downloading virus-free apps.
In addition to security vulnerabilities, hacking your device may lead to a voided manufacturer’s warranty, leaving you without official support for repairs or replacements. Altering the device’s operating system can also lead to instability, crashes, and performance issues, especially if incompatible software or modifications are installed.
While rooting or jailbreaking may offer users enticing opportunities for customization and optimization of their mobile devices, the associated risks cannot be overlooked. By circumventing built-in security measures, users expose their devices to potential security vulnerabilities, making them more susceptible to viruses and malware. Ultimately, the decision to root or jailbreak a mobile device should be made with careful consideration of the trade-offs involved, as the security risks often outweigh the benefits.
When thinking about mobile security risks, consider adding reputable mobile security software to your device to augment the built-in security measures. These security solutions provide real-time scanning and threat detection capabilities, helping to safeguard sensitive data and maintain the integrity of the device’s operating system.
The post How Does Jailbreaking Or Rooting Affect My Mobile Device Security? appeared first on McAfee Blog.
“Vishing” occurs when criminals cold-call victims and attempt to persuade them to divulge personal information over the phone. These scammers are generally after credit card numbers and personal identifying information, which can then be used to commit financial theft. Vishing can occur both on your landline phone or via your cell phone.
The term is a combination of “voice,” and “phishing,” which is the use of spoofed emails to trick targets into clicking malicious links. Rather than email, vishing generally relies on automated phone calls that instruct targets to provide account numbers. Techniques scammers use to get your phone numbers include:
Once vishers have phone numbers, they employ various strategies to deceive their targets and obtain valuable personal information:
To protect yourself from vishing scams, you should:
Staying vigilant and informed is your best defense against vishing scams. By verifying caller identities, being skeptical of unsolicited requests for personal information, and using call-blocking tools, you can significantly reduce your risk of falling victim to these deceptive practices. Additionally, investing in identity theft protection services can provide an extra layer of security. These services monitor your personal information for suspicious activity and offer assistance in recovering from identity theft, giving you peace of mind in an increasingly digital world. Remember, proactive measures and awareness are key to safeguarding your personal information against vishing threats.
The post How to Protect Yourself from Vishing appeared first on McAfee Blog.
This has to be a first. Something from our blogs got made into a movie.
We’re talking about voice scams, the soundalike calls that rip people off. One such call sets the action in motion for a film released this weekend, “Thelma.”
The synopsis of the comedy reads like this …
“When 93-year-old Thelma Post gets duped by a phone scammer pretending to be her grandson, she sets out on a treacherous quest across the city to reclaim what was taken from her.”
Voice scams have been around for some time. They play out like an email phishing attack, where scammers try to trick people into forking over sensitive info or money — just in voice form over the phone. The scammer poses as someone the victim knows, like a close family member.
Yet the arrival of AI has made voice scams far more convincing. Cheap and freely available AI voice cloning tools have flooded the online marketplace in the past couple of years. They’re all completely legal as well.
Some cloning tools come in the form of an app. Others offer cloning as a service, where people can create a clone on demand by uploading audio to a website. The point is, practically anyone can create a voice clone. They sound uncanny too. Practically like the real thing, and certainly real enough over the phone. And it only takes a small sample of the target’s voice to create one.
Our own labs found that just a few seconds of audio was enough to produce a clone with an 85% voice match to the original. That number bounced up to 95% when they trained the clone further on a small batch of audio pulled from videos.
As to how scammers get a hold of the files they need, they have a ready source. Social media. With videos harvested from public accounts on YouTube, Instagram, TikTok, and other platforms, scammers have little trouble creating clones — clones that say whatever a scammer wants. All it takes is a script.
That’s where the attack comes in. It typically starts with a distress call, just like in the movie.
For example, a grandparent gets an urgent message on the phone from their grandchild. They’re stuck in the middle of nowhere with a broken-down car. They’re in a hospital across the country with a major injury. Or they’re in jail overseas and need to get bailed out. In every case, the solution to the problem is simple. They need money. Fast.
Sure, it’s a scam. Yet in the heat of the moment, it all sounds terribly real. Real enough to act right away.
Fearing the worst and unable to confirm the situation with another family member, the grandparent shoots the money off as instructed. Right into the hands of a scammer. More often than not, that money is gone for good because the payment was made with a wire transfer or through gift cards. Sometimes, victims pay out in cash.
Enter the premise for the movie. Thelma gets voice-scammed for thousands, then zips across Los Angeles on her friend’s mobility scooter to get her money back from the voice scammers.
The reality is of course more chilling. According to the U.S. Federal Trade Commission (FTC), nearly a million people reported a case of imposter fraud in 2023. Total reported losses reached close to $2.7 billion. Although not tracked and reported themselves, voice clone attacks certainly figure into this overall mix.
Even as we focus on the character of Thelma, voice clone attacks target people of all ages. Parents have reported cases involving their children. And married couples have told of scams that impersonate their older in-laws.
Common to each of these attacks is one thing: fear. Something horrible has happened. Or is happening. Here, scammers look to pull an immediate emotional trigger. Put plainly, they want to scare their victim. And in that fear, they hope that the victim immediately pays up.
It’s an odds game. Plenty of attacks fail. A parent might be sitting at the dinner table with their child when a voice clone call strikes. Or a grandchild might indeed be out of town, yet traveling with their grandmother when the scammer gives her a ring.
Yet if even a handful of these attacks succeed, a scammer can quickly cash in. Consider one attack for hundreds, if not thousands, or dollars. Multiply that by five, ten, or a dozen or so times over, a few successful voice clone scams can rack up big returns.
Yet you can protect yourself from these attacks. A few steps can make it more difficult for scammers to target you. A few others can prevent you from getting scammed if a voice clone pops up on the other end of the phone.
Make it tougher for scammers to target you by:
Clear your name from data broker sites. How’d that scammer get your phone number anyway? Chances are, they pulled that info off a data broker site. Data brokers buy, collect, and sell detailed personal info, which they compile from several public and private sources, such as local, state, and federal records, in addition to third parties. Our Personal Data Cleanup scans some of the riskiest data broker sites, shows you which ones are selling your personal info, and helps you remove your data.
Set your social media accounts to private. Scammers sift through public social media profiles in search of info on their targets. In some cases, an account can provide them with everything they need to launch an attack. Family names, family interests, where the family goes for vacation, where family members work — and videos that they can use for cloning. By making your accounts private, you deny scammers the resources they require. Our Social Privacy Manager can do this for you across all your accounts in only a few clicks.
Prevent getting scammed by:
Recognize that voice clone attacks are a possibility. As we’re still in the relatively early days of AI tools, not everyone is aware that this kind of attack is possible. Keeping up to date on what AI can do and sharing that info with your family and friends can help them spot an attack. As we’ve reported here before, voice clones are only the start. Other imposter scams run on video calls where a scammer takes on someone else’s voice and looks. All in real-time.
Always question the source. In addition to voice cloning tools, scammers have other tools that can spoof phone numbers so that they look legitimate. Even if it’s a voicemail or text from a number you recognize, stop, pause, and think. Does that really sound like the person you think it is? Hang up and call the person directly or try to verify the info before responding.
Set a verbal codeword with kids, family members, or trusted close friends. Even in the most high-tech of attacks, a low-tech precaution can keep everyone safe. Have a codeword. Save it for emergencies. Make sure everyone uses it in messages and calls when they ask for help. Further, ensure that only you and those closest to you know what the codeword is. This is much like the codewords that banks and alarm companies use to help ensure that they’re speaking to the proper account holder. It’s a simple, powerful step. And a free one at that.
The post Thelma – The Real-Life Voice Scam That Made It into the Movies appeared first on McAfee Blog.
By now you’ve probably heard of the term “phishing”—when scammers try to fool you into revealing your personal info or sending money, usually via email — but what about “vishing”? Vishing, or voice phishing, is basically the same practice, but done by phone.
There are a few reasons why it’s important for you to know about vishing. First off, voice phishing scams are prevalent and growing. A common example around tax season is the IRS scam, where fraudsters make threatening calls to taxpayers pretending to be IRS agents and demanding money for back taxes. Another popular example is the phony tech support scam, in which a scammer calls you claiming that they represent a security provider.
The scammers might say they’ve noticed a problem with your computer or device and want money to fix the problem, or even request direct access to your machine. They might also ask you to download software to do a “security scan” just so they can get you to install a piece of malware that steals your personal info. They might even try to sell you a worthless computer warranty or offer a phony refund.
These kinds of attacks can be very persuasive because the scammers employ “social engineering” techniques. This involves plays on emotion, urgency, authority, and even sometimes threats. The end result, scammers manipulate their victims into doing something for fraudulent purposes. Because scammers can reach you at any time on your most private device, your smartphone, it can feel more direct and personal.
Vishing scams don’t always require a phone call from a real person. Often, scammers use a generic or targeted recording, claiming to be from your bank or credit union. For instance, they might ask you to enter your bank account number or other personal details, which opens you up to identity theft.
Increasingly, scammers use AI tools in voice cloning attacks. With readily available voice cloning apps, scammers can replicate someone else’s voice with remarkable accuracy. While initially developed for benign purposes such as voice assistants and entertainment, scammers now use voice cloning tools to exploit unsuspecting victims.
The incoming number might even appear to have come from your bank, thanks to a trick called “caller ID spoofing,” which allows scammers to fake the origin of the call. They can do this by using Voice over Internet Protocol (VoIP) technology, which connects calls over the internet instead of traditional phone circuits, allowing them to easily assign incoming phone numbers.
Don’t risk losing your money or valuable personal info to these scams. Here’s how to avoid vishing attacks:
The post How to Avoid Being Phished by Your Phone appeared first on McAfee Blog.
Authored by Dexter Shin
Many government agencies provide their services online for the convenience of their citizens. Also, if this service could be provided through a mobile app, it would be very convenient and accessible. But what happens when malware pretends to be these services?
McAfee Mobile Research Team found an InfoStealer Android malware pretending to be a government agency service in Bahrain. This malware pretends to be the official app of Bahrain and advertises that users can renew or apply for driver’s licenses, visas, and ID cards on mobile. Users who are deceived by advertisements that they are available on mobile will be provided with the necessary personal information for these services without a doubt. They reach users in various ways, including Facebook and SMS messages. Users who are not familiar with these attacks easily make the mistake of sending personal information.
In Bahrain, there’s a government agency called the Labour Market Regulatory Authority (LMRA). This agency operates with full financial and administrative independence under the guidance of a board of directors chaired by the Minister of Labour. They provide a variety of mobile services, and most apps provide only one service per app. However, this fake app promotes providing more than one service.
Figure 1. Legitimate official LMRA website
Figure 2. Fake app named LMRA
Excluding the most frequently found fake apps pretending LMRA, there are various fake apps included Bank of Bahrain and Kuwait (BBK), BenefitPay, a fintech company in Bahrain, and even apps pretending to be related to Bitcoin or loans. These apps use the same techniques as the LMRA fake apps to steal personal information.
Figure 3. Various fake apps using the same techniques
From the type of app that this malware pretends, we can guess that the purpose is financial fraud to use the personal information it has stolen. Moreover, someone has been affected by this campaign as shown in the picture below.
Figure 4. Victims of financial fraud (Source: Reddit)
They distribute these apps using Facebook pages and SMS messages. Facebook pages are fake and malware author is constantly creating new pages. These pages direct users to phishing sites, either WordPress blog sites or custom sites designed to download apps.
Figure 5. Facebook profile and page with a link to the phishing site
Figure 6. One of the phishing sites designed to download app
In the case of SMS, social engineering messages are sent to trick users into clicking a link so that they feel the need to urgently confirm.
Figure 7. Phishing message using SMS (Source: Reddit)
When the user launches the app, the app shows a large legitimate icon for users to be mistaken. And it asks for the CPR and phone number. The CPR number is an exclusive 9-digit identifier given to each resident in Bahrain. There is a “Verify” button, but it is simply a button to send information to the C2 server. If users input their information, it goes directly to the next screen without verification. This step just stores the information for the next step.
Figure 8. The first screen (left) and next screen of a fake app (right)
There are various menus, but they are all linked to the same URL. The parameter value is the CPR and phone numbers input by the user on the first screen.
Figure 9. All menus are linked to the same URL
The last page asks for the user’s full name, email, and date of birth. After inputting everything and clicking the “Send” button, all information inputted so far will be sent to the malware author’s c2 server.
Figure 10. All data sent to C2 server
After sending, it shows a completion page to trick the user. It shows a message saying you will receive an email within 24 hours. But it is just a counter that decreases automatically. So, it does nothing after 24 hours. In other words, while users are waiting for the confirmation email for 24 hours, cybercriminals will exploit the stolen information to steal victims’ financial assets.
Figure 11. Completion page to trick users
In addition, they have a payload for stealing SMS. This app has a receiver that works when SMS is received. So as soon as SMS comes, it sends an SMS message to the C2 server without notifying the user.
Figure 12. Payload for stealing SMS
We confirmed that there are two types of these apps. There is a type that implements a custom C2 server and receives data directly through web API, and another type is an app that uses Firebase. Firebase is a backend service platform provided by Google. Among many services, Firestore can store data as a database. This malware uses Firestore. Because it is a legitimate service provided by Google, it is difficult to detect as a malicious URL.
For apps that use Firebase, dynamically load phishing URLs stored in Firestore. Therefore, even if a phishing site is blocked, it is possible to respond quickly to maintain already installed victims by changing the URL stored in Firestore.
Figure 13. Dynamically loading phishing site loaded in webview
According to our detection telemetry data, there are 62 users have already used this app in Bahrain. However, since this data is a number at the time of writing, this number is expected to continue to increase, considering that new Facebook pages are still being actively created.
Recent malware tends to target specific countries or users rather than widespread attacks. These attacks may be difficult for general users to distinguish because malware accurately uses the parts needed by users living in a specific country. So we recommend users install secure software to protect their devices. Also, users are encouraged to download and use apps from official app stores like Google Play Store or Apple AppStore. If you can’t find an app in these stores, you must download the app provided on the official website.
McAfee Mobile Security already detects this threat as Android/InfoStealer. For more information, visit McAfee Mobile Security.
Samples:
| SHA256 | Package Name | App Name |
| 6f6d86e60814ad7c86949b7b5c212b83ab0c4da65f0a105693c48d9b5798136c | com.ariashirazi.instabrowser | LMRA |
| 5574c98c9df202ec7799c3feb87c374310fa49a99838e68eb43f5c08ca08392d | com.npra.bahrain.five | LMRA Bahrain |
| b7424354c356561811e6af9d8f4f4e5b0bf6dfe8ad9d57f4c4e13b6c4eaccafb | com.npra.bahrain.five | LMRA Bahrain |
| f9bdeca0e2057b0e334c849ff918bdbe49abd1056a285fed1239c9948040496a | com.lmra.nine.lmranine | LMRA |
| bf22b5dfc369758b655dda8ae5d642c205bb192bbcc3a03ce654e6977e6df730 | com.stich.inches | Visa Update |
| 8c8ffc01e6466a3e02a4842053aa872119adf8d48fd9acd686213e158a8377ba | com.ariashirazi.instabrowser | EasyLoan |
| 164fafa8a48575973eee3a33ee9434ea07bd48e18aa360a979cc7fb16a0da819 | com.ariashirazi.instabrowser | BTC Flasher |
| 94959b8c811fdcfae7c40778811a2fcc4c84fbdb8cde483abd1af9431fc84b44 | com.ariashirazi.instabrowser | BenefitPay |
| d4d0b7660e90be081979bfbc27bbf70d182ff1accd829300255cae0cb10fe546 | com.lymors.lulumoney | BBK Loan App |
Domains:
Firebase(for C2):
The post Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud appeared first on McAfee Blog.
According to Pew, three-in-ten U.S. adults say they have used a dating site or app. That number climbs to 53% for people under the age of 30. More and more people are turning to digital platforms to find love and companionship or simply to expand their social circles. However, as the popularity of online dating grows, so do the potential risks associated with it. From privacy concerns to identity theft, the digital dating world can be fraught with peril if you’re not careful. But fear not, by following a few simple guidelines, you can navigate the online dating scene safely and securely.
This article is for you or anyone you know who may be hopping onto an online dating app like Match, Bumble, Plenty of Fish, eHarmony, Tinder, or OkCupid. Think of it as an advice column of a different sort, where we talk about dating in light of your online privacy and safety.
For starters, we have a couple of previous blogs that offer sound advice about online dating. The first covers ways you can protect your privacy when you’re using online dating apps, which starts with picking a dating app that has a good reputation. The second rounds out the topic with further online dating advice for adults and teens alike. Give them a look!
It starts with basic hygiene. Digital hygiene, that is. Before you dive into a dating app, ensure that your device (and all your connected devices while you’re at it) has a comprehensive security solution in place. As you surf, chat, and meet up online, you’ll want to know that you’re protected against malware, viruses, phishing attacks, sketchy links, and so forth. Other features will come in handy (and be necessary as well), like ones that help you manage your passwords, protect your identity, safeguard your privacy, and more—all of which we’ll talk about in a bit.
Picking the right app is like picking the right date. From a security standpoint, these apps are the keepers of highly personal information about you, so you’ll want to know how they handle data, what privacy protections are in place, what information they gather when you first sign up, and what they continue to gather as you use the app. Do your research. Read up on their privacy policies. See what other people have to say about their experiences. And get a sense of what the app is all about. What’s its approach to dating? What kind of relationships are they focusing on? Make sure all of it feels right to you.
Only give the app the information that’s absolutely necessary to sign up. Dating apps ask questions so that they can help you find an ideal match, yet only share what you feel comfortable sharing. This is true from a personal standpoint, but it’s true from a security standpoint too. Anything you share along those lines could be at risk of a hack or a breach, the likes of which were reported by Wired and Forbes last year. If your info is compromised, it could lead to anywhere from identity theft to harassment, so when you use a dating app, keep the sharing to a minimum—and keep your eyes peeled for any suspicious activity across your social media, online accounts, and even your finances.
Another password to remember! That’s just what you need, right? Right! It absolutely is, and a strong one is vital. You can create one and manage all of your passwords with McAfee+’s password manager. It’ll encrypt your passwords and use multi-factor authentication, which offers even further protection from hacks and attacks on your account.
You can help keep your chats more private, and just about anything else you’re doing online, by using a VPN (virtual private network). For example, our VPN uses bank-level encryption to keep your personal data and activities private from hackers. And it’ll hide other information associated with your dating account while you’re online, like personal details, credit card numbers, and so forth. Given the security risks we’ve talked about so far, you’ll want to look into a VPN.
If you’re not using a VPN on your device, don’t use your dating app on public Wi-Fi. The issue is this: plenty of public Wi-Fi hotspots aren’t secure. Someone else on the network could easily intercept the information you send over it, including your passwords, any photos you share, and any chats you have. In other words, using public Wi-Fi without protection is like opening a door that leads right to you and your most personal data. This applies to everything on public Wi-Fi, not just dating apps. If you use public Wi-Fi at all, you really should use a VPN.
In the ever-evolving landscape of online dating, safeguarding your privacy and security is paramount. By implementing strategies such as using strong passwords, employing a reliable VPN, and exercising caution on public Wi-Fi, you can navigate the digital dating sphere with confidence. Remember, your safety and privacy are non-negotiable priorities in the pursuit of love and companionship online.
The post How to Safely Date Online appeared first on McAfee Blog.
There are now over 5 billion active social media users worldwide, representing 62.3% of the global population. While social networks serve as valuable tools for staying connected with loved ones and documenting life events, the ease of sharing information raises concerns. With a mere few clicks, posts and messages can inadvertently divulge significant personal details, potentially compromising privacy and leaving individuals vulnerable to identity theft. That’s why it’s crucial to make sure you’ve got the know-how to keep your privacy protected while using these platforms.
To empower you in this digital age, we’ve compiled a comprehensive guide featuring ten essential tips to fortify your online security and preserve your privacy on social networks:
Whether you’re a seasoned social media user or just dipping your toes into the digital waters, these strategies will equip you with the knowledge and tools needed to safeguard your online identity effectively. With the added support of McAfee+, you can ensure an extra layer of security to keep your online presence more secure and private through advanced privacy features, 24/7 identity monitoring and alerts, and real-time protection against viruses, hackers, and risky links.
The post How to Protect Yourself on Social Networks appeared first on McAfee Blog.
From impersonating police officers in Pennsylvania to employees of the City of San Antonio, scammers have been impersonating officials nationwide in order to scam people. A nurse in New York even lost her life savings to a spoofing scam. Phone spoofing is a technique used by callers to disguise their true identity and phone number when making calls. By altering the caller ID information displayed on the recipient’s phone, spoofers can make it appear as though the call is coming from a different number, often one that looks more trustworthy or familiar to the recipient. This deceptive practice is commonly employed by telemarketers, scammers, and individuals seeking to engage in fraudulent activities, making it more difficult for recipients to identify and block unwanted or suspicious calls.
Most spoofing is done using a VoIP (Voice over Internet Protocol) service or IP phone that uses VoIP to transmit calls over the internet. VoIP users can usually choose their preferred number or name to be displayed on the caller ID when they set up their account. Some providers even offer spoofing services that work like a prepaid calling card. Customers pay for a PIN code to use when calling their provider, allowing them to select both the destination‘s number they want to call, as well as the number they want to appear on the recipient’s caller ID.
Scammers often use spoofing to try to trick people into handing over money, personal information, or both. They may pretend to be calling from a bank, a charity, or even a contest, offering a phony prize. These “vishing” attacks (or “voice phishing”), are quite common, and often target older people who are not as aware of this threat.
For instance, one common scam appears to come from the IRS. The caller tries to scare the receiver into thinking that they owe money for back taxes, or need to send over sensitive financial information right away. Another common scam is fake tech support, where the caller claims to be from a recognizable company, like Microsoft, claiming there is a problem with your computer and they need remote access to fix it.
There are also “SMiShing” attacks, or phishing via text message, in which you may receive a message that appears to come from a reputable person or company, encouraging you to click on a link. But once you do, it can download malware onto your device, sign you up for a premium service, or even steal your credentials for your online accounts.
The convenience of sending digital voice signals over the internet has led to an explosion of spam and robocalls over the past few years. Between January 2019 and September 2023, Americans lodged 2.04 million complaints about unwanted phone calls where people or robots falsely posed as government representatives, legitimate business entities, or people affiliated with them.
Since robocalls use a computerized autodialer to deliver pre-recorded messages, marketers and scammers can place many more calls than a live person ever could, often employing tricks such as making the call appear to come from the recipient’s own area code. This increases the chance that the recipient will answer the call, thinking it is from a local friend or business.
And because many of these calls are from scammers or shady marketing groups, just registering your number on the FTC’s official “National Do Not Call Registry” does little help. That’s because only real companies that follow the law respect the registry.
To really cut back on these calls, the first thing you should do is check to see if your phone carrier has a service or app that helps identify and filter out spam calls.
For instance, both AT&T and Verizon have apps that provide spam screening or fraud warnings, although they may cost you extra each month. T-Mobile warns customers if a call is likely a scam when it appears on your phone screen, and you can sign up for a scam-blocking service for free.
There are also third-party apps such as RoboKiller that you can download to help you screen calls, but you should be aware that you will be sharing private data with them.
Enhance your smartphone security effortlessly with McAfee+ which has 24/7 identity monitoring and alerts, advanced privacy features, and AI-powered security for real-time protection against viruses, hackers, and risky links.
The post How to Stop Phone Spoofing appeared first on McAfee Blog.
You consider yourself a responsible person when it comes to taking care of your physical possessions. You’ve never left your wallet in a taxi or lost an expensive ring down the drain. You never let your smartphone out of your sight, yet one day you notice it’s acting oddly.
Did you know that your device can fall into cybercriminals’ hands without ever leaving yours? SIM swapping is a method that allows criminals to take control of your smartphone and break into your online accounts.
Don’t worry: there are a few easy steps you can take to safeguard your smartphone from prying eyes and get back to using your devices confidently.
First off, what exactly is a SIM card? SIM stands for subscriber identity module, and it is a memory chip that makes your phone truly yours. It stores your phone plan and phone number, as well as all your photos, texts, contacts, and apps. In most cases, you can pop your SIM card out of an old phone and into a new one to transfer your photos, apps, etc.
Unlike what the name suggests, SIM swapping doesn’t require a cybercriminal to get access to your physical phone and steal your SIM card. SIM swapping can happen remotely. A hacker, with a few important details about your life in hand, can answer security questions correctly, impersonate you, and convince your mobile carrier to reassign your phone number to a new SIM card. At that point, the criminal can get access to your phone’s data and start changing your account passwords to lock you out of your online banking profile, email, and more.
SIM swapping was especially relevant right after the AT&T data leak. Cybercriminals stole millions of phone numbers and the users’ associated personal details. They could later use these details to SIM swap, allowing them to receive users’ text or email two-factor authentication codes and gain access to their personal accounts.
The most glaring sign that your phone number was reassigned to a new SIM card is that your current phone no longer connects to the cell network. That means you won’t be able to make calls, send texts, or surf the internet when you’re not connected to Wi-Fi. Since most people use their smartphones every day, you’ll likely find out quickly that your phone isn’t functioning as it should.
Additionally, when a SIM card is no longer active, the carrier will often send a notification text. If you receive one of these texts but didn’t deactivate your SIM card, use someone else’s phone or landline to contact your wireless provider.
Check out these tips to keep your device and personal information safe from SIM swapping.
With just a few simple steps, you can feel better about the security of your smartphone, cellphone number, and online accounts. If you’d like extra peace of mind, consider signing up for an identity theft protection service like McAfee+. McAfee, on average, detects suspicious activity ten months earlier than similar monitoring services. Time is of the essence in cases of SIM swapping and other identity theft schemes. An identity protection partner can restore your confidence in your online activities.
The post How to Protect Your Smartphone from SIM Swapping appeared first on McAfee Blog.
According to reports from the Federal Trade Commission’s Consumer Sentinel database, text message scams swindled $372 million from Americans in 2023 alone. The staggering figure highlights a growing concern for consumers globally, who increasingly interact with brands and service providers via text, email, and even social media. As our reliance on technology continues, it is important for everyone to understand how to spot scam texts amid the real messages they receive. amid the real messages they receive.
With such frequent communication from brands and organizations, you can be hard-pressed to figure out what is a scam or not. This practical and actionable advice may be able to help you spot the imposters and protect yourself against even the most hard-to-identify scam messages.
Most of us probably avoid reading disclaimers and terms of service from brands and organizations. Paying attention to guidelines for how an organization will contact you will help you stay safe from scams. Just take it from entertainment host, Andy Cohen.
Cohen received an email he thought was from his bank’s fraud department. Later, the scammer texted Cohen claiming to be from the bank, asking for more information. Cohen ended up sending the scammer money because he believed they were a bank representative. These days, many banks and brands have FYIs on their website about how to spot a legitimate text. Like this page from Chase, which goes over what a real Chase text looks like.
We have a similar disclosure on our site. For example, our customer service teams will never request sensitive information such as social security numbers, PINs, or bank or payment details. As soon as you sign up for a new account, it’s a good idea to check for this sort of disclaimer and familiarize yourself with contact methods and the type of information organizations might request.
Scam messages are so successful because scammers make them look real. During the holidays, when shoppers are ready to leap at deals, scam messages can be hard to resist. With an increased volume of scam texts during major shopping seasons, it’s no wonder open rates can be as high as 98%.
Consumers can protect themselves against realistic-looking scam messages by verifying the source of the message. If an email hits your mobile inbox, click on the sender’s name to expand their full email address. Typical brand emails will have a “do not reply” somewhere in the address or an official “@branddomain.com” email address. Scam email addresses often appear as strings of gibberish.
If unsure whether a text from a company is real, log into your account directly to see if it reflects the overdue bill or extra store credit that the text message suggests.
Knowing about the latest cybersecurity trends is always good practice. Scammers change their tactics constantly. Text scams that were popular one year may be totally out of style the next time you get a scam message.
Individuals looking for a place to start can check out FTC, FBI, and CISA websites. Those agencies offer valuable insights about fraud trends and recommendations about how people can protect themselves. The Better Business Bureau (BBB) has an interactive scam tracking tool, and AARP provides tips for older Americans who may not be as in tune with the latest tech trends and tools.
Thankfully, the software designed to protect against scams evolves, as well. Consumers can turn to product suites that offer features like finding and removing personal info from sites that sell it, adjusting social media controls, and even providing alerts about suspicious financial transactions.
For scam texts, AI is here to help. Text Scam Detector uses AI to scan SMS text messages and alert you about unsafe links. Users can delete those messages without opening them, reducing the risk of compromise and removing any question about whether the message is fraudulent or for real.
The $372 million figure is a stark reminder of growing fraud. As we continue into the digital age, the threat of fraudulent communications from scammers looms. To safeguard against bad actors, consumers must be proactive. By paying attention to brand communication guidelines, verifying the source of messages, remaining educated, and using modern privacy and identity products, consumers can avoid scams before they start.
The post How to Tell If Your Text Message Is Real appeared first on McAfee Blog.
APKDeepLens is a Python based tool designed to scan Android applications (APK files) for security vulnerabilities. It specifically targets the OWASP Top 10 mobile vulnerabilities, providing an easy and efficient way for developers, penetration testers, and security researchers to assess the security posture of Android apps.
APKDeepLens is a Python-based tool that performs various operations on APK files. Its main features include:
To use APKDeepLens, you'll need to have Python 3.8 or higher installed on your system. You can then install APKDeepLens using the following command:
FreshRSS 
git clone https://github.com/d78ui98/APKDeepLens/tree/main
cd /APKDeepLens
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python APKDeepLens.py --help
git clone https://github.com/d78ui98/APKDeepLens/tree/main
cd \APKDeepLens
python3 -m venv venv
.\venv\Scripts\activate
pip install -r .\requirements.txt
python APKDeepLens.py --help
To simply scan an APK, use the below command. Mention the apk file with -apk argument. Once the scan is complete, a detailed report will be displayed in the console.
python3 APKDeepLens.py -apk file.apk
If you've already extracted the source code and want to provide its path for a faster scan you can use the below command. Mention the source code of the android application with -source parameter.
python3 APKDeepLens.py -apk file.apk -source <source-code-path>
To generate detailed PDF and HTML reports after the scan you can pass -report argument as mentioned below.
python3 APKDeepLens.py -apk file.apk -report
We welcome contributions to the APKDeepLens project. If you have a feature request, bug report, or proposal, please open a new issue here.
For those interested in contributing code, please follow the standard GitHub process. We'll review your contributions as quickly as possible :)
Four in ten Americans say they use peer-to-peer payment services, like Venmo, PayPal, or Apple Pay, at least once a month. These platforms have made it even easier to send money by adding QR codes that people can quickly scan to pull up someone’s profile and complete a payment. Two-thirds of restaurants have started including QR codes on tables to access menus. Scanning QR codes has become a normal, convenient way to exchange money or information.
Unfortunately, scammers are always looking for ways to take advantage of moments when people are primed to part with their money. The Federal Trade Commission is warning that scammers now use QR codes to hide harmful links to steal personal information. This new type of phishing attack, called “quishing,” highlights how scamming methods are constantly changing. In response, artificial intelligence (AI) is becoming an even more crucial part of defending against scammers.
To protect yourself against phishing attacks, it’s crucial to remain vigilant and employ proactive measures. Make sure to scrutinize all incoming emails, text messages, or social media communications for any signs of suspicious or unsolicited requests, especially those urging immediate action or requesting sensitive information.
Avoid clicking links, downloading attachments, or scanning QR codes from unknown or untrusted sources. Check the legitimacy of the sender by cross-referencing contact information with official sources or contacting the organization directly through trusted channels.
Before accepting where a QR code is going to take you, carefully examine the associated URL. Verify its authenticity by scrutinizing for any discrepancies, such as misspellings or altered characters, especially if it resembles a familiar URL.
Safeguard your mobile device and accounts by regularly updating the operating system. Additionally, bolster the security of your online accounts by implementing robust passwords and integrating multi-factor authentication measures to thwart unauthorized access.
As fraudsters continually evolve their tactics, distinguishing between what’s real and what’s fake becomes increasingly challenging. However, there is formidable technology available to safeguard against their schemes. AI can analyze vast amounts of data in real-time to detect patterns and anomalies indicative of fraudulent behavior. By continuously learning from new data and adapting algorithms, AI can stay ahead of evolving fraud tactics.
The McAfee+ suite of identity and privacy protections uses AI for identity protection, transaction monitoring, credit monitoring, and proactive Text Scam Detector to keep you safe from even the most sophisticated scam attempts. Text Scam Detector employs AI technology to block risky sites, serving as a secondary defense against accidental clicks on spam links. This ensures that even after being tricked into clicking, your device won’t open the fraudulent site.
Don’t leave your digital defenses to chance. See for yourself what advanced security looks like today.
The post How to Protect Against New Types of Scams Like QR Phishing appeared first on McAfee Blog.
Smartphones have enabled a whole new digital world, where apps are gateways to just about any service imaginable. However, like many technological developments, mobile app proliferation can be a bit of a two-edged sword. A report analyzing more than 1 billion smartphone transactions found 45,000 malicious mobile apps, many of which were in the gaming category.
From ad fraud to taking advantage of embedded system security issues, fraudsters are consistently targeting smartphone apps. The trouble is that it’s not always immediately clear which apps pose a threat in a world where one in 36 mobile apps are considered high-risk.
These security concerns require a proactive approach with the ability to spot the signs of fraud or malice so that those apps can be avoided from the get-go. That’s where the four Rs of personal mobile security come into play.
Review
Staying informed about common scam tactics and emerging threats through reliable cybersecurity resources can empower consumers to make informed decisions and recognize potential risks more effectively. Our annual Consumer Mobile Threat Report always gives up-to-date information about the cyberattack landscape.
Understanding what a malicious or scam app looks like can help you avoid downloading a fraudulent app. For example, many fraud apps have very short descriptions or reviews from people who have previously been duped. In addition to scrutinizing the descriptions and reviews of apps, it’s essential to download apps only from trusted sources such as official app stores like Google Play Store or Apple App Store. Third-party app stores or unknown websites may host malicious apps.
Re-check
Fraudsters excel at creating seemingly legitimate apps to carry out scams, often by deploying deceptive tactics such as requesting unnecessary permissions or operating stealthily in the background. Exercise caution and conduct thorough checks of device settings whenever installing a new app.
It’s also essential to remain vigilant for indicators of suspicious activity, especially if you may have installed apps without security checks in the past. Be on the lookout for anomalies, such as unauthorized subscriptions, unfamiliar social media logins, or unusually rapid battery drain, which could signal the presence of fraudulent apps operating without their knowledge. Some malicious apps may also consume data in the background, leading to unusual spikes in data usage. Regularly monitoring data usage can help individuals detect and address any unauthorized app activity.
Revoke
Over time, it’s easy to inadvertently grant excessive permissions to apps or connect accounts to services that you no longer use or trust. This can create vulnerabilities that malicious actors could exploit to gain unauthorized access to sensitive information.
Conduct an app review on your phone and revoke permissions or access granted to apps or services that are no longer needed or trusted. It’s essential to regularly audit and remove unnecessary permissions, apps, or connections to minimize the potential attack surface and reduce the risk of unauthorized access.
Reinforce
Reinforce your security posture with modern tools. Antivirus software remains a cornerstone of digital defense, offering proactive detection and mitigation of various threats, including malware, ransomware, and phishing attempts. For enhanced protection, consumers can opt for comprehensive security suites such as McAfee+, which not only includes antivirus capabilities but also integrates features like firewall protection, secure browsing, and identity theft prevention.
By leveraging these advanced security solutions, users can significantly reduce their vulnerability to cyberattacks and safeguard their personal and sensitive information effectively. Additionally, staying informed about emerging threats and regularly updating security software ensures ongoing resilience against evolving cyber threats in today’s dynamic digital landscape.
The post The Four Rs of Personal Mobile Security appeared first on McAfee Blog.
There used to be a time when one roommate split the cost of rent with another by writing a check. Who still owns a checkbook these days? Of course, those days are nearly long gone, in large part thanks to “peer to peer” (P2P) mobile payment apps, like Venmo, Zelle, or Cash App. Now with a simple click on an app, you can transfer your friend money for brunch before you even leave the table. Yet for all their convenience, P2P mobile payment apps could cost you a couple of bucks or more if you’re not on the lookout for things like fraud. The good news is that there are some straightforward ways to protect yourself.
You likely have one of these apps on your phone already. If so, you’re among the many. It’s estimated that 49% of adults in the U.S. use mobile payment apps like these.
Yet with all those different apps come different policies and protections associated with them. So, if you ever get stuck with a bum charge, it may not always be so easy to get your money back.
With that, here are seven quick tips for using your P2P mobile payment apps safely.
In addition to securing your account with a strong password, go into your settings and set up your app to use a PIN code, facial ID, or fingerprint ID. (And make sure you’re locking your phone the same way too.) This provides an additional layer of protection in the event your phone is stolen or lost and someone, other than you, tries to make a payment with it.
What’s worse than sending money to the wrong person? When paying a friend for the first time, have them make a payment request for you. This way, you can be sure that you’re sending money to the right person. With the freedom to create account names however one likes, a small typo can end up as a donation to a complete stranger. To top it off, that money could be gone for good!
Another option is to make a test payment. Sending a small amount to that new account lets both of you know that the routing is right and that a full payment can be made with confidence.
Bye, bye, bye! Unlike some other payment methods, new mobile payment apps don’t have a way to dispute a charge, cancel a payment, or otherwise use some sort of recall or retrieval feature. If anything, this reinforces the thought above—be sure that you’re absolutely making the payment to the right person.
Credit cards offer a couple of clear advantages over debit cards when using them in association with mobile payment apps (and online shopping for that matter too). Essentially, they can protect you better from fraud:
Report any activity like this immediately to your financial institution. Timing can be of the essence in terms of limiting your liabilities and losses. For additional info, check out this article from the Federal Trade Commission (FTC) that outlines what to do if your debit or credit card is stolen and what your liabilities are.
Also, note the following guidance from the FTC on payment apps:
“New mobile apps and forms of payment may not provide these same protections. That means it might not always be easy to get your money back if something goes wrong. Make sure you understand the protections and assurances your payment services provider offers with their service.”
It’s sad but true. Crooks are setting up all kinds of scams that use mobile payment apps. A popular one involves creating fake charities or posing as legitimate ones and then asking for funds by mobile payment. To avoid getting scammed, check and see if the charity is legit. The FTC suggests researching resources like Better Business Bureau’s Wise Giving Alliance, Charity Navigator, Charity Watch or, GuideStar.
Overall, the FTC further recommends the following to keep yourself from getting scammed:
With so much of your life on your phone, getting security software installed on it can protect you and the things you keep on your phone. Whether you’re an Android owner or iOS owner, mobile security software can keep your data, shopping, and payments secure.
The post Avoid Making Costly Mistakes with Your Mobile Payment Apps appeared first on McAfee Blog.
There’s little rest for your hard-working smartphone. If you’re like many professionals today, you use it for work, play, and a mix of personal business in between. Now, what if something went wrong with that phone, like loss or theft? Worse yet, what if your smartphone got hacked? Let’s try and keep that from happening to you.
Globally, plenty of people pull double duty with their smartphones. In Spain, one survey found that 55% of people use the same phone for a mix of personal and and work activity. The same survey showed that up to half of people interviewed in Japan, Australia, and the U.S. do so as well, while nations like the UK and Germany trailed at 31% and 23% respectively.
Whether these figures trend on the low or high end, the security implications remain constant. A smartphone loaded with business and personal data makes for a desirable target. Hackers target smartphones because they’re often unprotected, which gives hackers an easy “in” to your personal information and to any corporate networks you may use. It’s like two hacks with one stone.
Put simply, as a working professional with a smartphone, you’re a high-value target.
As both a parent and a professional, I put together a few things you can do to protect your smartphone from hacks so that you can keep your personal and work life safe:
First up, the basics. Locking your phone with facial ID, a fingerprint, pattern or a pin is your most basic form of protection, particularly in the event of loss or theft. (Your options will vary depending on the device, operating system, and manufacturer.) Take it a step further for even more protection. Secure the accounts on your phone with strong passwords and use two-factor authentication on the apps that offer it, which doubles your line of defense.
Or, put another way, don’t hop onto public Wi-Fi networks without protection. A VPN masks your connection from hackers allowing you to connect privately when you are on unsecure public networks at airports, cafes, hotels, and the like. With a VPN connection, you’ll know that your sensitive data, documents, and activities you do are protected from snooping, which is definitely a great feeling given the amount of personal and professional business we manage with our smartphones.
Both Google Play and Apple’s App Store have measures in place to help prevent potentially dangerous apps from making it into their stores. Malicious apps are often found outside of the app stores, which can run in the background and compromise your personal data like passwords, credit card numbers, and more—practically everything that you keep on your phone. Further, when you are in the app stores, look closely at the descriptions and reviews for apps before you download them. Malicious apps and counterfeits can still find their way into stores, and here are a few ways you can keep those bad apps from getting onto your phone.
Backing up your phone is always a good idea for two reasons:
Both iPhones and Android phones have straightforward ways of backing up your phone regularly.
Worst case scenario—your phone is gone. Really gone. Either it’s hopelessly lost or got stolen. What now? Lock it remotely or even wipe its data entirely. While that last bit about wiping the phone seems like a drastic move, if you maintain regular backups as mentioned above, your data is secure in the cloud—ready for you to restore. In all, this means that hackers won’t be able to access you, or your company’s, sensitive information—which can keep you out of trouble and your professional business safe. Apple provides iOS users with a step-by-step guide for remotely wiping devices, and Google offers up a guide for Android users as well.
We all download apps, use them once, and then forget they are on our phone. Take a few moments to swipe through your screen and see which ones you’re truly done with and delete them along with their data. Some apps have an account associated with them that may store data off your phone as well. Take the extra step and delete those accounts so any off-phone data is deleted.
The reason for this is that every extra app is another app that needs updating or that may have a security issue associated with it. In a time of data breaches and vulnerabilities, deleting old apps is a smart move. As for the ones you keep, update them regularly and turn on auto-updates if that’s an option. Updates not only introduce new features to apps, but they also often address security issues too.
With so much of your life on your phone, getting security software installed on it can protect you and the things you keep on your phone. Whether you’re an Android owner or iOS owner, mobile security software can keep your data, your shopping, and payments secure.
The post 7 Tips to Protect Your Smartphone from Getting Hacked appeared first on McAfee Blog.
According to reports from the Federal Trade Commission’s Consumer Sentinel database, text message scams swindled $330 million from Americans in 2022 alone. The staggering figure highlights a growing concern for consumers globally, who increasingly interact with brands and service providers via text, email, and even social media. As our reliance on technology continues, it is important for everyone to understand how to spot scam texts amid the real messages they receive. amid the real messages they receive.
With such frequent communication from brands and organizations, you can be hard-pressed to figure out what is a scam or not. This practical and actionable advice may be able to help you spot the imposters and protect yourself against even the most hard-to-identify scam messages.
Most of us probably avoid reading disclaimers and terms of service from brands and organizations. Paying attention to guidelines for how an organization will contact you will help you stay safe from scams. Just take it from entertainment host, Andy Cohen.
Cohen received an email he thought was from his bank’s fraud department. Later, the scammer texted Cohen claiming to be from the bank, asking for more information. Cohen ended up sending the scammer money because he believed they were a bank representative. These days, many banks and brands have FYIs on their website about how to spot a legitimate text. Like this page from Chase, which goes over what a real Chase text looks like.
We have a similar disclosure on our site. For example, our customer service teams will never request sensitive information such as social security numbers, PINs, or bank or payment details. As soon as you sign up for a new account, it’s a good idea to check for this sort of disclaimer and familiarize yourself with contact methods and the type of information organizations might request.
Scam messages are so successful because scammers make them look real. During the holidays, when shoppers are ready to leap at deals, scam messages can be hard to resist. With an increased volume of scam texts during major shopping seasons, it’s no wonder open rates can be as high as 98%.
Consumers can protect themselves against realistic-looking scam messages by verifying the source of the message. If an email hits your mobile inbox, click on the sender’s name to expand their full email address. Typical brand emails will have a “do not reply” somewhere in the address or an official “@branddomain.com” email address. Scam email addresses often appear as strings of gibberish.
If unsure whether a text from a company is real, log into your account directly to see if it reflects the overdue bill or extra store credit that the text message suggests.
Knowing about the latest cybersecurity trends is always good practice. Scammers change their tactics constantly. Text scams that were popular one year may be totally out of style the next time you get a scam message.
Individuals looking for a place to start can check out FTC, FBI, and CISA websites. Those agencies offer valuable insights about fraud trends, and recommendations about how people can protect themselves. The Better Business Bureau (BBB) has an interactive scam tracking tool, and AARP provides tips for older Americans who may not be as in tune with the latest tech trends and tools.
Thankfully, the software designed to protect against scams evolves, as well. Consumers can turn to product suites that offer features like finding and removing personal info from sites that sell it, adjusting social media controls and even providing alerts about suspicious financial transactions.
For scam texts, AI is here to help. Text Scam Detector uses AI to scan SMS text messages and alert you about unsafe links. Users can delete those messages without opening them, reducing the risk of compromise and removing any question about whether the message is fraudulent or real.
The $330 million figure is a stark reminder of growing fraud. As we continue into the digital age, the threat of fraudulent communications from scammers looms. To safeguard against bad actors, consumers must be proactive. By paying attention to brand communication guidelines, verifying the source of messages, remaining educated and using modern privacy and identity products, consumers can avoid scams before they start.
The post Scam or Not? How to Tell Whether Your Text Message Is Real appeared first on McAfee Blog.
Authored by Fernando Ruiz
McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious it tries to gain accessibility privileges with social engineering and then it communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that’s dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent.
The second stage payload can take full control of the infected device due to the powerful accessibility services that were already granted during the first stage which also contains functions to self-update the main APK which means that it has the potential to perform any type of activity like a spyware or banking trojan without user interaction. However, we identified a link between Xamalicious and the ad-fraud app “Cash Magnet” which automatically clicks ads, installs apps, and other actions to fraudulently generate revenue while users that installed it may earn points that are supposed to be redeemable as a retail gift card. This means that the developers behind these threats are financially motivated and drive ad-fraud therefore this might be one of the main payloads of Xamalicious.
The usage of the Xamarin framework allowed malware authors to stay active and without detection for a long time, taking advantage of the build process for APK files that worked as a packer to hide the malicious code. In addition, malware authors also implemented different obfuscation techniques and custom encryption to exfiltrate data and communicate with the command-and-control server.
We’ve identified about 25 different malicious apps that carry this threat. Some variants have been distributed on Google Play since mid-2020. The apps identified in this report were proactively removed by Google from Google Play ahead of our reporting. McAfee is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices. McAfee Mobile Security detects this threat as Android/Xamalicious.
Based on the number of installations these apps may have compromised at least 327,000 devices from Google Play plus the installations coming from third-party markets that continually produce new infections based on the detection telemetry of McAfee clients around the world. This threat remains very active.
Figure 1. “Count Easy Calorie Calculator” was available on Google Play on August 2022 and carries Android/Xamalicious
Android/Xamalicious trojans are apps related to health, games, horoscope, and productivity. Most of these apps are still available for download in third-party marketplaces.
Previously we detected malware abusing Xamarin framework such as the open-sourced AndroSpy and forked versions of it, but Xamalicious is implemented differently. Technical details about Xamarin architecture are well documented and detail how .NET code is interpreted by Android using Mono.
Let’s use the app “Numerology: Personal horoscope & Number predictions” as an example. Once started it immediately requests the victim to enable accessibility services for “correct work” and provides directions to activate this permission:
Figure 2. Tricking users into granting accessibility services permission
Users need to manually activate the accessibility services after several OS warnings such as the following on the accessibility options:
Figure 3. Accessibility services configuration prompt highlights the risks of this permission.
This is not the traditional Java code or native ELF Android application, the malware module was written originally in .NET and compiled into a dynamic link library (DLL). Then it is LZ4 compressed, and it might be embedded into a BLOB file, or directly available in the /assemblies directory on the APK structure. This code is loaded then by a native library (ELF) or by the DEX file at runtime level. In simple words, this means that in some samples the reversing of the DLL assemblies is straightforward while in others it requires extra steps to unpack them.
The malicious code is usually available in two different assembly files in the /assemblies directory on the apk. Usually, file names are core.dll and a <package-specific>.dll.
Some malware variants has obfuscated the DLL assemblies to avoid analysis and reversing of the malicious code while others keep the original code available.
Figure 4. Core.dll and GoogleService.dll contain malicious code.
Once accessibility permissions are granted the malware initiates communication with the malicious server to dynamically load a second-stage payload.
Figure 5. App execution and communication with the malicious server
Android/Xamalicious collects multiple device data including the list of installed applications obtained via system commands to determine if the infected victim is a good target for the second stage payload. The malware can collect location, carrier, and network information among device rooting status, adb connectivity configuration, for instance, if the device is connected via ADB or is rooted, the C2 will not provide a second-stage payload DLL for download.
| Method/Command | Description |
| DevInfo |
Hardware and device information that includes:
|
| GeoInfo |
Location of the device based on IP address, the malware contacts services such as api.myip.com to verify the device location and ISP data.
FraudScore: Self-protection to identify if the device is not a real user |
| EmuInfo |
It lists all adbProperties that in a real device are around 640 properties. This list is encoded as a string param in URL encoded format.
This data may be used to determinate if the affected client is a real device or emulator since it contains params such as:
|
| RootInfo | After trying to identify if the device is rooted or not with multiple techniques the output is consolidated in this command |
| Packages | It uses the system commands “pm list packages -s” and “pm list packages -3” to list system and installed apps on the device. |
| Accessibility | It provides the status if accessibility services permissions are granted or not |
| GetURL | This command only provides the Android Id and it’s a request for the second-stage payload. The C2 evaluates the provided client request and returns a status and an encrypted assembly DLL. |
To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it’s encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with a 128CBC-HS256 algorithm however the RSA key values used by the Xamalicious are hardcoded in the decompiled malicious DLL so decryption of transmitted information is possible if C2 infrastructure is available during the analysis.
In the Send() function Android/Xamalicious first prepares the received object, usually a JSON structure calling the function encrypt() which creates the JWT using a hardcoded RSA key. So the data is exfiltrated fully encrypted to the malware host pointing to the path “/Updater” via HTTP POST method.
Then it waits for the C2 response and passes it to the decrypt() function which has a hardcoded RSA private key to properly decrypt the received command which might contain a second stage payload for the “getURL” command.
Encrypt Method:
Figure 6. Encrypt function with hardcoded RSA Key values as XML string
The decryption method is also hardcoded into malware which allowed the research team to intercept and decrypt the communication from the C2 using the RSA key values provided as XML string it’s possible to build a certificate with the parameters to decrypt the JWE tokens content.
Collected data is transmitted to the C&C to determine if the device is a proper target to download a second-stage payload. The self-protection mechanism of the malware authors goes beyond traditional emulation detection and country code operator limitations because in this case, the command-and-control server will not deliver the second stage payload if the device is rooted or connected as ADB via USB or does not have a SIM card among multiple other environment validations.
With the getURL command, the infected client requests the malicious payload, if the C&C Server determines that the device is “Ok” to receive the malicious library it will encrypt a DLL with Advanced encryption standard (AES) in Cipher block chaining (CBC) using a custom key for the client that requested it based on the device id and other parameters explained below to decrypt the code since it’s a symmetric encryption method, the same key works for encryption and decryption of the payload.
The encrypted DLL is inserted as part of the HTTP response in the encrypted JSON Web Token “JWT”. Then the client will receive the token, decrypt it, and then decrypt the ‘url’ parm with AES CBC and a custom key.
The AES key used to decrypt the assembly is unique per infected device and its string of 32 chars of length contains appended the device ID, brand, model, and a hardcoded padding of “1” up to 32 chars of length.
For instance, if the device ID is 0123456ABCDEF010 and the affected device is a Pixel 5, then the AES key is: “0123456ABCDEF010googlePixel 5111”
This means that the DLL has multiple layers of encryption.
All these efforts are related to hiding the payload and trying to stay under the radar where this threat had relative success since some variants might have been active years ago without AV detections.
Xamalicious will name this DLL “cache.bin” and store it in the local system to finally dynamically load it using the Assembly.Load method.
Once the second stage payload has been loaded the device can be fully compromised because once accessibility permissions are granted, it can obverse and interact with any activity opening a backdoor to any type of malicious activity.
During the analysis, the downloaded second stage payload contained a DLL with the class “MegaSDKXE” which was obfuscated and incomplete probably because the C2 didn’t receive the expected params to provide the complete malicious second stage that might be limited to a specific carrier, language, app installed, location, time zone or unknown conditions of the affected device, however, we can assure that this is a high-risk backdoor that leaves the possibility to dynamically execute any command on the affected device not limited to spying, impersonation or as a financially motivated malware.
One of the Xamalicious samples detected by McAfee Mobile generic signatures was “LetterLink” (com.regaliusgames.llinkgame) which was available on Google Play at the end of 2020, with a book icon. It was poorly described as a hidden version of “Cash Magnet”: An app that performs ad-fraud with automated clicker activity, apps downloads, and other tasks that lead to monetization for affiliate marketing. This application offers users points that are supposed to be redeemable by retail gift cards or cryptocurrency.
Figure 8a. LetterLink login page after running the app for the first time.
Figure 8b. LetterLink agreement for Cash Magnet
Originally published in 2019 on Google Play, “Cash Magnet” (com.uicashmagnet) was described as a passive income application offering users to earn up to $30 USD per month running automated ads. Since it was removed by Google the authors then infiltrated LetterLink and more recently “Dots: One Line Connector” (com.orlovst.dots) which are hidden versions of the same ad-fraud scheme.
Figure 9. LetterLink Icon that hides Cash Magnet
“LetterLink” performs multiple Xamalicious activities since it contains the “core.dll” library, it connects to the same C2 server, and it uses the same hardcoded private RSA certificate to build the JWE encrypted tokens which provide a non-repudiation proof that the developers of Cash Magnet are behind Xamalicious.
Figure 10. Cash Magnet infiltrated the app as a Game, available until the end of 2023
“Dots: One Line Connector” app is not a game, the screenshot published by Google Play does not correspond to the application behavior because once it is started it just asks for authentication credentials without any logo or reference to Cash Magnet. “Dots” does not contain the same DLLs as its predecessor, however the communication with the C2 is similar using the same RSA key parameters. We reported this app to Google and they promptly removed it from Google Play.
Based on our telemetry we observed that more affected users are in the American continent with the most activity in the USA, Brazil, and Argentina. In Europe, clients also reported the infection, especially in the UK, Spain, and Germany.
Figure 11. McAfee detections Android/Xamalicious around the world
Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets.
Avoid using apps that require accessibility services unless there is a genuine need for use. If a new app tries to convince you to activate accessibility services claiming that it’s required without a real and reasonable reason and requesting to ignore the operative system warning, then it’s a red flag.
The second stage payload might take control of the device because accessibility permissions are granted so any other permission or action can then be performed by the malware if these instructions are provided in the injected code.
Because it is difficult for users to actively deal with all these threats, we strongly recommend that users install security software on their devices and always keep up to date. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience.
Android/Xamalicious Samples Distributed on Google Play:
| Package Name | App Name | Installs |
| com.anomenforyou.essentialhoroscope | Essential Horoscope for Android | 100,000 |
| com.littleray.skineditorforpeminecraft | 3D Skin Editor for PE Minecraft | 100,000 |
| com.vyblystudio.dotslinkpuzzles | Logo Maker Pro | 100,000 |
| com.autoclickrepeater.free | Auto Click Repeater | 10,000 |
| com.lakhinstudio.counteasycaloriecalculator | Count Easy Calorie Calculator | 10,000 |
| com.muranogames.easyworkoutsathome | Sound Volume Extender | 5,000 |
| com.regaliusgames.llinkgame | LetterLink | 1,000 |
| com.Ushak.NPHOROSCOPENUMBER | NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS | 1,000 |
| com.browgames.stepkeepereasymeter | Step Keeper: Easy Pedometer | 500 |
| com.shvetsStudio.trackYourSleep | Track Your Sleep | 500 |
| com.devapps.soundvolumebooster | Sound Volume Booster | 100 |
| com.Osinko.HoroscopeTaro | Astrological Navigator: Daily Horoscope & Tarot | 100 |
| com.Potap64.universalcalculator | Universal Calculator | 100 |
|
The post Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices appeared first on McAfee Blog.
Imagine paying $16,000 to park your car in a lot for a couple of hours. That’s what happened to one woman in the UK who fell for a QR code scam posted in a parking lot.
As reported by The Independent, scanning the posted QR code with her phone took her to a phony parking payment site that stole her card info. After her bank blocked several attempted fraudulent transactions, the scammers contacted her directly. They posed as the bank and convinced her to open a new account, racking up the equivalent of $16,000 in stolen funds.
Scams like that have spiked in popularity with crooks out there. In the U.S., the Federal Trade Commission (FTC) has warned of a fresh wave of QR code scams that have led to lost funds and identity theft. Not to mention infected devices with a glut of spyware, ransomware, and viruses.
Yet even as QR code scams become increasingly common, you can protect yourself. And enjoy the convenience they offer too, because they can truly make plenty of transactions go far more quickly.
You can find them practically anywhere nowadays.
QR stands for “quick-response,” thus a quick-response code. They look like a square of pixels and share many similarities with the bar codes you see on grocery items and other products. Yet a QR code can hold more than 300 times the data of a barcode. They’ve been around for some time. Dating back to industrial use in the 1990s, QR codes pack high volumes of visual info in a relatively compact space.
You can spot them popping up in plenty of places nowadays. With a click of your smartphone’s camera, they can quickly whisk you away to all kinds of sites.
You might see them pop up in TV ads, tacked up in a farmer’s market stand, and stapled onto telephone poles as part of a concert poster. Restaurants place QR codes on their tables so you can order from your phone. Parking lots post them on signs so you can quickly pay for parking (like above). Your drugstore might post them on shelves so that you can download a digital coupon.
Anyone can create one. A quick search for “QR code creator” turns up dozens of results. Many offer QR codes free of charge. It’s no wonder they show up in restaurants and farmer’s markets the way they do. And now in scams too.
As it is anywhere people, devices, and money meet, scammers have weaseled their way into QR codes. With the QR code scam, pointing your smartphone’s camera at a bogus QR code and giving it a scan, scammers can lead you to malicious websites and commit other attacks on your phone.
In several ways, the QR code scam works much like any other phishing attack. With a few added wrinkles, of course.
Classically, phishing attacks use doctored links that pose as legitimate websites in the hopes you’ll follow them to a scammer’s malicious website. It’s much the same with a QR code, yet they have a couple of big differences:
Typically, one of two things:
It’ll send you to a scam website designed to steal your personal and financial info. For example, a phony QR code for parking takes you to a site where you enter your credit card and license plate number. Instead of paying for parking, you pay a scammer. And they can go on to use your credit card in other places after that.
It can take you to a download that infects your device with malware. Downloads include spyware that snoops on your browsing and passwords, ransomware that locks up your device until you pay for its release (with no guarantees), or viruses that can delete or damage the things you’ve stored on your device.
Aside from appearing in emails, direct messages, social media ads, and such, there are plenty of other places where phony QR codes can show up. Here are a few that have been making the rounds in particular:
Scanning a QR code might open a notification on your smartphone screen to follow a link. Like other phishing-type scams, scammers will do their best to make that link look legitimate. They might alter a familiar company name so that it looks like it might have come from that company. Also, they might use link shorteners that take otherwise long web addresses and compress them into a short string of characters. The trick there is that you really have no way of knowing where it will send you by looking at it.
In this way, there’s more to using QR codes than simply “point and shoot.” A mix of caution and eagle-eyed consideration is called for to spot legitimate uses from malicious ones. Online protection software can help keep you safe as well.
Luckily, you can follow some basic rules and avoid QR code attacks. The U.S. Better Business Bureau (BBB) has put together a great list that can help. Their advice is right on the mark, which we’ve paraphrased and added to here:
1. Don’t open links or scan QR codes from strangers. Scammers send QR codes by email, over social media, and sometimes they even send them by physical mail as part of a “Special offer, just scan here” ploy. In all, if a QR code comes to you out of the blue, even from a friend, skip scanning it. See if you can type in a physical address to a site that you can trust instead.
2. Check the link and the destination. Given that many QR codes lead to phishing sites, look at the link that pops up after you scan it. Scammers alter addresses for known websites in subtle ways — or that differ from them entirely. For example, they might use “fed-exdeliverynotices.com” rather than the legitimate fedex.com. Or they might use a scam URL followed by text that tries to make it look legit, like “scamsite.com/fedex-delivery.” (For more on how to spot phishing attacks, check out our full article on the topic.)
3. Think twice about following shortened links. Shortened links can be a shortcut to a malicious website. This can particularly be the case with unsolicited communications. And it can still be the case with a friend or family member if their device or account has been hacked.
4. Watch out for tampering. In physical spaces, like parking lot signs, scammers have been known to stick their own QR codes over legitimate ones. If you see any sign of altering or a placement that looks slapdash, don’t give that code a scan.
5. Stick with your phone’s native QR code reader. Steer clear of QR code reading apps. They can be a security risk.
6. Don’t pay bills with QR codes. Once again, you can’t always be sure that the code will send you to a legit site. Use another trusted form of payment instead.
7. Use scam protection on your phone. Using the power of AI, our new McAfee Scam Protection can alert you when scam texts pop up on your phone. And as a second line of defense, it can block risky sites if you accidentally follow a scam link in a text, email, social media, and more. You’ll find it in our McAfee+ products — along with up to $2 million in identity theft coverage and restoration support if the unfortunate happens to you.
QR codes have made transactions smoother and accessing helpful content on our phones much quicker. As such, we’re seeing them in plenty of places. And useful as they are like other means of paying or browsing online, keep an eye open when using them. With this advice as a guide, if something doesn’t feel right, keep your smartphone in your pocket and away from that QR code.
The post How to Protect Yourself from QR Code Scams appeared first on McAfee Blog.
