New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide

A new piece of JavaScript malware has been observed attempting to steal users' online banking account credentials as part of a campaign that has targeted more than 40 financial institutions across the world. The activity cluster, which employs JavaScript web injections, is estimated to have led to at least 50,000 infected user sessions spanning North America, South America, Europe, and Japan.

Online Banking – The Safe Way

If you’ve got teens, then no doubt you’ve received the SOS texts. ‘Mum, I need a haircut, can you just spot me $30?’ or ‘I’ve just finished footy and I’m starving, can you transfer me some money?’. Where would the modern parent be without online banking? How did our non-digital forefathers ever cope??

Online banking is just so convenient and basically a necessity of modern life. If you’ve recently tried to conduct a transaction at a branch, then you’ll know exactly what I mean. One of my boys recently tried to set up a new account at a local banking branch and they were told to come back the following day. Instead, we went home and did it online in less than 20 minutes!

Aussie banks are world class at implementing a range of security measures to keep our banking safe however there are still things we can do to avoid our banking details getting into the hands of hackers. But many of us just assume that ‘all is well’ – our banking apps work seamlessly, so why do we need to worry? And that’s where many come unstuck. If it doesn’t appear to be broken, why do we need to fix it? Well, being ahead of the risks is how you keep yourself safe, my friends. So, here are my top tips to ensure all your family members are banking online in the securest way possible.

1. Ensure You Are Using Legit Banking Apps

If you’re changing banks or helping your child set up their online banking, it’s essential that you download your bank’s official app. Imitations do exist! Ideally, download the app from the bank’s website however if this isn’t an option use a genuine app store like Apple’s AppStore or Google Play for Android devices. And always verify the app is legitimate by checking the developer details and reading the reviews.

Budgeting or financial management apps are an incredibly popular way to help manage finances, but you need to be cautious here too as many will require you to share your banking logins. Always check the app’s reviews, its history of data breaches and its security policies before you download.

2. Ensure your Passwords are Long, Strong and Unique

Using the name of your puppy, your kids or worse still, your birthday, is one of the fastest ways of getting your banking details into the hands of hackers. Passwords need to have no connection to any part of your life, should never be stored in your banking app or anywhere on your phone and NEVER, EVER written on the back of your debit card!! Here are my top tips:

Make them long – choose a phrase instead of just 1 word. I love a nonsensical sentence with at least 10 characters.

Always include lower and uppercase letters, a number or 2 and a few symbols.

Every online account needs its own unique password – no exceptions.

Put a reminder in your calendar to update your passwords regularly – at least every 3-6 months.

All sounds too hard? Try a password manager that will not only create complex passwords that no human could ever think of, but it will also remember then for you. Check out McAfee +,  complete no brainer!

3. Say No to Public Wi-Fi

Geez, public Wi-Fi is convenient, particularly if you are travelling. But, using it to undertake any banking or financial dealings is just too risky in, my opinion. Why? I hear you ask. Well, there are many ways hackers can hack public Wi-Fi, let me share a few:

‘Evil twin’ attack. This is when hackers set up malicious hotspots with seemingly logical and trustworthy names eg ‘Free Café Wi-Fi’. But as soon as you connect, they can easily get their hands on your data.

Man-in-the-middle attack (MitM). This is when hackers break into a network and eavesdrop on data as it travels between connected devices and the Wi-Fi router. For example, your online banking password!

Password cracking attack. Scammers use software that automatically tries a huge volume of usernames and passwords so they can control the router. And once they’ve gained control, they can dupe you into downloading malicious software (that could steal your identity) or redirects you to a webpage that phishes for your personal information.

If you don’t think you can possibly survive without public Wi-fi then you need to invest in a VPN that will ensure everything you share is protected.

4. Activate Two Factor Authentication

If your bank offers two-factor authentication to its customers, then your answer needs to be ‘yes please’! Two-factor authentication or multi factor authentication adds another layer of verification to your banking which minimises the chances of hacker causing you harm. If you’ve activated it, you’ll be asked to provide another piece of information after you’ve entered your login details. Usually a special code, this may be delivered to you via an app, text message or even an automated phone call.

5. Request Alerts From Your Bank

It will take just a few minutes to ring your bank and request to be notified when an activity occurs on your account. Every bank will manage this differently, however most banks can alert you on request via email or text if the following occur:

• Low or high balances
• New credit and debit transactions
• New linked external accounts
• Failed login attempts
• Password changes
• Personal information updates

And if anything at all seems a little fishy, contact your bank immediately!

Unfortunately, few things are guaranteed in life and that includes your online safety. And whether you’re an online banking fan or not, opting out isn’t really an option. So, take some time to tighten up your online banking. Only use legit apps; change your passwords so they are long, strong and complex; invest in a VPN so you can use public Wi-Fi and say yes to two-factor authentication. You’ve got this!

Happy banking!!

Alex

The post Online Banking – The Safe Way appeared first on McAfee Blog.

Steer Clear of the “Pay Yourself Scam” That’s Targeting Online Bank Accounts

An old banking scam has a new look. And it’s making the rounds again. 

Recently Bank of America alerted its customers of the “Pay Yourself Scam,” where scammers use phony fraud alerts and trick their victims into giving them access to their online banking accounts. It’s a form of phishing attack, and according to Bank of America it goes something like this: 

• You receive a text message that looks like a fraud alert from your bank about unusual activity. The text may look something like: “Did you make a purchase of $100.00 at ABC merchant?” 
• If you respond to the text, you have now engaged the scammer and will receive a call from a number that appears to be from a bank. 
• They’ll appear to be a representative from a bank and will offer to help stop the alleged fraud by asking you to send money to yourself with an online payment app. 
• The scammer will ask you for a one-time code you just received from a bank. 
• If you give them the code, they will use it to enroll their bank account details with an online payment service using your email address or phone number. 
• The scammer can now receive your money into their account. 

The good news is that you can avoid this attack rather easily. If you receive a text or call about a possible fraud alert, don’t respond. (Scammers can easily “spoof” or fake caller ID information nowadays. So even if it appears that the number looks legitimate, it may not be after all.) Instead, contact your bank directly using the contact information on your debit or credit card. This way, you’ll know you’re speaking with the proper representatives about the matter. 

Other ways you can avoid online banking scams 

Of course, this scam isn’t the only scam making the rounds these days. Whether it’s with some form of phishing attack, stealing passwords on public Wi-Fi, or malware that spies on your keystrokes, scammers use plenty of tricks to crack into online bank accounts. Yet with a few precautions and a sharp eye, you have several ways you can protect yourself. 

Use comprehensive online protection software 

Online protection software today goes far beyond antivirus. It can protect your privacy, identity, and your online accounts as well. McAfee+ Ultimate provides our most comprehensive coverage with features that monitor the dark web and sketchy data broker sites for your personal information, identity theft and ransomware protection, and identity restoration services should the unexpected happen—all along with our award-winning antivirus protection. In all, it protects you, not just your devices. Together, it offers your strongest line of defense in the face of hackers, scammers, and thieves. 

Scrutinize any messages claiming to be your bank 

Legitimate banks will never pressure, harass, or cajole you into action. If you get a message that strikes an aggressive tone, assume it’s fraudulent. Other things legitimate banks will never do include:  

• Banks or other financial institutions don’t call for your PIN or checking account number. Never provide this over the phone. Call your bank directly using the phone number on your debit or credit card or bank statement if you want to confirm.  
• Your bank has no reason to email you for account information it already has. If you receive an email asking you to click a link or provide account information, assume it’s fraudulent. Don’t click any links and mark the email as spam.  
• If a message appears to be from your bank asking you to sign in or enter your PIN, it’s a scam. Banks never ask customers for this information by text.  
• A common theme in phishing emails is the urgent call to action. Cybercriminals want to scare you into acting immediately without thinking. The email says there was suspicious activity on your account, and you should log in immediately to avoid having it frozen or closed. No legitimate business would close a customer’s account without giving reasonable notice. Contact your bank through your normal channels to check your balance and account activity if you aren’t sure.  
• Misspelled words and grammatical errors are another red flag. Major corporations have professional editors to make sure the content is correct.  

Use your bank’s official website or app 

Earlier, I mentioned contacting your bank directly to ensure you’re speaking to a proper representative. Another way you can go directly to the source is to use your bank’s website or app to check up on your accounts. Once again, don’t click any links in a text or email. Just go to your bank’s website or app to check your account. You can make sure you have your bank’s official app by visiting the Google Play or Apple’s App Store and looking at the information section to ensure that it was indeed developed by your bank—not a copycat. 

Use strong, passwords and a password manager to stay on top of them all 

Strong and unique passwords for each of your online accounts can help keep hackers at bay. With data breaches occurring so often, updating them regularly is important too. Yet with all the accounts we keep, that can mean a lot of work. However, a password manager can create those passwords for you and safely store them as well. Comprehensive security software will include one. 

Use two-factor authentication on your accounts  

Two-factor authentication is an extra layer of defense on top of your username and password. It adds in the use of a special one-time-use code to access your account, usually sent to you via email or to your phone by text or a phone call. In all, it combines something you know, like your password, with something you have, like your smartphone. Together, that makes it tougher for a crook to hack your account. If any of your accounts support two-factor authentication, the few extra seconds it takes to set up is more than worth the big boost in protection you’ll get.  

Don’t access your online banking account via public Wi-Fi 

When you log onto public Wi-Fi, potentially anyone can see your internet activity—and that includes things like entering your username and password. For that reason, only log into your bank account with public Wi-Fi if you’re using a virtual private network (VPN).  McAfee Secure VPN protects your privacy by turning on automatically for unsecured networks. Your data is encrypted so it can’t be read by prying eyes. The VPN also keeps your online activity and physical location private and secure from advertisers.  

Check your bank statements regularly 

Keeping an eye on your bills and statements as they come in can help you spot unusual activity on your accounts. A credit monitoring service can do that one better by keeping daily tabs on changes to your credit report. While you can do this manually, there are limitations. First, it involves logging into each bureau and doing some digging of your own. Second, there are limitations as to how many free credit reports you can pull each year. A service does that for you and without impacting your credit score. 

Depending on your location and plan, McAfee’s credit monitoring allows you to look after your credit score and the accounts within it to see fluctuations and help you identify unusual activity, all in one place, checking daily for signs of identity theft. 

Prevention and vigilance are your best defense from online banking scams  

When a fraud notification pops up on your phone, you can almost feel your stomach drop. Hackers and scammers play off that fear. They use it to get you to act—and to act quickly. Taking a moment to scrutinize these messages and following up directly with your bank can help you steer clear of their tricks. Likewise, putting up a strong defense with comprehensive online protection software can make you safer still. In the meantime, keep your eyes open for this “Pay Yourself Scam” and other scams like it. It’s certainly not the first of its kind, and it won’t be the last. 

The post Steer Clear of the “Pay Yourself Scam” That’s Targeting Online Bank Accounts appeared first on McAfee Blog.