The popular “if it ain’t broke, don’t fix it” principle has reigned supreme in the computing world since the year dot. However, it has become an unaffordable luxury. The proliferation of cyberattacks — including on scientific and medical organizations — presents both IT and infosec services with a real dilemma. To protect critical hardware against attacks, its software must be updated. After all, outdated software means easy-to-exploit vulnerabilities, primitive or non-existent encryption, and rudimentary access control — every cybercriminal’s dream. But updating this software often entails major outlays, plus risks playing havoc with business processes. Is it really that complicated, and, either way, how can the issue be solved?

The risks of updating

Many systems have been running smoothly for years — sometimes decades. They’re not updated because their business owners worry that updates may disrupt the systems irrecoverably. Such fears are not unfounded. The people who installed and initially set systems up may be long retired, and the documentation might be lost or never existed at all. Sometimes this manifests itself in extreme forms; for example, the U.S. Internal Revenue Service still uses 1970s computers and programs in the near-dead COBOL language. Maybe the hardware supplier was sold or taken over, closed the business, or went bust. That, too, is nothing unusual: this year ATM giant Diebold Nixdorf filed for bankruptcy.

In all such cases, there’s no tech support to call should an update go awry.

Moreover, long-serving hardware forms connections with other company systems, and these interconnections can be obscured and/or poorly documented. As a consequence, a system shutdown could cause cascading failures or malfunctions in other systems that are hard to anticipate and prevent. Recovering from such an incident could take days or weeks, and the downtime cost could be huge.

Restrictive upgrade costs

Even if the system isn’t too interconnected and is well documented, updating can still be out of the question due to the exorbitant costs involved. For example, the need to decommission a legacy operating system in an MRI machine may require the purchase of a new device. The cost (around half a million dollars) is very high in itself. But the problem isn’t limited to the price tag of the scanner. Its installation requires a crane, and maybe the dismantlement of part of the wall, and the walls of the room would have to be shielded with a Faraday cage. Thus, that’s no longer an IT upgrade but a major construction project. If the system is deeply entwined with legacy equipment and equally obsolete software, replacing the hardware would require recoding or buying new software, which can be another lengthy and expensive project.

Compensatory measures

Just as expensive vintage cars are kept in a garage, and valuable paintings in a special atmosphere-controlled container, so too do systems that are neither replaceable nor fully upgradeable require a special approach to maintenance. Every possible measure must be taken to reduce the attack surface. Below is a short list of possible compensatory measures to protect legacy IT systems:

Network segmentation. Segregating vulnerable legacy equipment into a separate network segment will help minimize the risk of cyberattacks. You should strive for a high degree of isolation — up to and including physical separation of the network and switching equipment. If this isn’t realistic, be sure to regularly check that firewalls and routers are configured to maintain proper isolation from the “normal” network. It’s also important to track commonplace violations of regulations by employees — such as accessing both an isolated and shared network through different network interfaces from one computer.

Encryption. For systems that exchange information with other computers using outdated protocols, it’s recommended to create VPN tunnels based on the latest encryption and authentication algorithms. Data exchange outside the tunnel should be blocked.

Upgrades. Even if an upgrade to a modern system is out of the question, this doesn’t mean you can’t install any updates at all. A step-by-step upgrade to the latest available versions of core software and regular database updates for installed protection systems will be preferable to mothballing.

Micro-segmentation of processes. If a business process on a legacy system allows fragmentation, it’s a good idea to leave on it only those parts of the process that cannot possibly be transferred to newer equipment. Transferring even part of the workload to a modern upgradeable platform will make it easier to protect what’s left. For example, MRI images cannot be taken outside the scanner, but they can be uploaded to the clinic’s server, viewed and analyzed on newer computers.

Closed list of applications. The previous tip keeps the range of work carried out on legacy equipment to a minimum. Applications and processes that are part of such jobs can be added to the allowlist, and all others to the denylist. This will significantly lower the risk of running malware or just third-party software that impacts system stability. Such a “default deny” scenario can be implemented using specialized security solutions that are able to operate on systems with limited resources.

Virtualization. In cases of legacy software running on legacy hardware, the use of virtual machines may solve two problems: it allows you at least to upgrade the hardware, and to implement a number of compensatory measures (such as modern access control and encryption) at the virtualization system and host system levels. This tip can work well even for some very old information processing systems.

Minimization of access and privileges. Access to legacy equipment (more specifically, to its computer hardware) should be granted to the minimum necessary number of employees with extremely limited privileges. If the system architecture does not allow the required configuration of rights and users, you can try to implement these restrictions at an earlier access stage (during login to the VPN or virtual machine, etc.), as well as restrict access through purely administrative measures (locks and security).

Of course, this will require careful evaluation of the applicability of each measure and the risks related to the smooth and secure operation of the technology being implemented.

Future-proofing

Applying compensatory measures to legacy equipment is by no means purely an infosec task. Infosec experts need to have a complete list of obsolete equipment in a company and to keep track of when its replacement is initiated for business reasons. This is a good time to upgrade in line with the latest security requirements.

More importantly, you need to ensure that systems being put in place today — which will someday themselves become obsolete — don’t inherit the same problems. For this, all infosec requirements need to be factored in when purchasing hardware and software: regular and easy updating of software components; documentation of bugs and vulnerabilities; and, ideally, a secure-by-design philosophy.

For software developed in-house or open-source forks (which are becoming more popular with companies), it’s vital to set stringent requirements for code documentation. In an ideal scenario, document production should become as much a part of the DevSecOps pipeline as autotests.



You’ve received an email at work asking you to change your email password, confirm your vacation period, or make an urgent money transfer at the request of the CEO. Such unexpected requests could be the start of a cyberattack on your company, so you need to make sure it’s not a scam. So how do you check email addresses or links to websites?

The centerpiece of a fake is usually the domain name; that is, the part of the email after the @, or the beginning of the URL. Its task is to inspire confidence in the victim. Sure, cybercriminals would love to hijack an official domain of the target company, or of one of its suppliers or business partners, but in the early stages of an attack they usually don’t have that option. Instead, before a targeted attack, they register a domain that looks similar to that of the victim organization – and they hope that you won’t spot the difference. Such techniques are called lookalike attacks. The next step is to host a fake website on the domain or fire off spoof emails from mailboxes associated with it.

In this post, we explore some of the tricks used by attackers to prevent you from noticing a domain spoof.

Homoglyphs: different letters, same spelling

One trick is using letters that are visually very similar or even indistinguishable. For example, a lowercase “L” (l) in many fonts looks identical to a capital “i” (I), so an email sent from the address JOHN@MlCROSOFT.COM would fool even the more eagle-eyed. Of course, the sender’s actual address is john@mLcrosoft.com!

The number of devilish doubles increased after it became possible to register domains in different languages, including ones that don’t use the Latin alphabet. A Greek “ο”, Russian “о”, and Latin “o” are totally indistinguishable to a human, but in the eyes of a computer they’re three distinct letters. This makes it possible to register lots of domains that all look like microsоft.cοm using different combinations of o’s. Such techniques employing visually similar characters are known as homoglyph or homograph attacks.

Combo-squatting: a little bit extra

Combo-squatting has become popular with cybercriminals in recent years. To imitate an email or website of the target company, they create a domain that combines its name and a relevant auxiliary word, such as Microsoft-login.com or SkypeSupport.com. The subject of the email and the end of the domain name should match up: for example, a warning about unauthorized access to an email account could link to a site with the domain outlook-alert.

The situation is made worse by the fact that some companies do indeed have domains with auxiliary words. For example, login.microsoftonline.com is a perfectly legitimate Microsoft site.

According to Akamai, the most common combo-squatting add-ons are: support, com, login, help, secure, www, account, app, verify, and service. Two of these – www and com – warrant a separate mention. They are often found in the names of websites, and the inattentive user might not spot the missing period: wwwmicrosoft.com, microsoftcom.au.

Top-level domain spoofing

Sometimes cybercriminals manage to register a doppelganger in a different top-level domain (TLD), such as microsoft.co instead of microsoft.com, or office.pro instead of office.com. In this case, the name of the spoofed company can remain the same. This technique is called TLD-squatting.

A substitution like this can be very effective. It was just recently reported that, for over a decade, various contractors and partners of the U.S. Department of Defense have been mistakenly sending emails to the .ML domain belonging to the Republic of Mali instead of the American military’s .MIL domain. In 2023 alone, a Dutch contractor intercepted more than 117,000 misdirected emails bound for Mali instead of the DoD.

Typo-squatting: misspelled domains

The simplest (and earliest) way to produce doppelganger domains is to exploit various typos that are easy to make and hard to spot. There are lots of variations here: adding or removing doubles (ofice.com instead of office.com), adding or removing punctuation (cloud-flare or c.loudflare instead of cloudflare), replacing similar-sounding letters (savebank instead of safebank), and so on.

Typos were first weaponized by spammers and ad fraudsters, but today such tricks are used in conjunction with fake website content to lay the groundwork for spear-phishing and business email compromise (BEC).

How to guard against doppelganger domains and lookalike attacks

Homoglyphs are the hardest to spot and almost never used for legitimate purposes. As a result, browser developers and, in part, domain registrars are trying to defend against such attacks. In some domain zones, for example, it is forbidden to register names with letters from different alphabets. But in many other TLDs there’s no such protection, so you have to rely on security tools. True, many browsers have a special way of displaying domain names containing a mix of alphabets. What happens is that they represent the URL in punycode, so it looks something like this: xn--micrsoft-qbh.xn--cm-fmc (this is the site microsoft.com with two Russian o’s).

The best defense against typo-squatting and combo-squatting is attentiveness. To develop this, we recommend that all employees undergo basic security awareness training to learn how to spot the main phishing techniques.
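Attentiveness can be backed by an automated check on sender and link domains. The sketch below is an added example, not code from the original post: it decodes punycode and then tests a domain for the homoglyph, combo-squatting, TLD-squatting and typo-squatting patterns described above. The `PROTECTED` list, the small `CONFUSABLES` table and the naive last-two-labels split are assumptions made for illustration.

```python
import unicodedata

# Constructed for this example: domains the organization really owns.
PROTECTED = ["microsoft.com", "office.com", "cloudflare.com", "microsoftonline.com"]
# Add-on words the article lists (per Akamai) as most common in combo-squatting.
COMBO_WORDS = {"support", "com", "login", "help", "secure", "www",
               "account", "app", "verify", "service"}
# Tiny illustrative look-alike table (Cyrillic/Greek letters, l/1 vs i, 0 vs o).
# The full Unicode confusables data is far larger.
CONFUSABLES = {"\u043e": "o", "\u03bf": "o", "\u0430": "a", "\u0435": "e",
               "\u0440": "p", "\u0441": "c", "\u0456": "i",
               "l": "i", "1": "i", "0": "o"}

def decode_label(label):
    """Turn an xn-- (punycode) label back into the Unicode form a user may see."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep it visible as-is
    return label

def normalize(domain):
    """Lowercase, drop a trailing dot, and decode every punycode label."""
    labels = domain.strip().rstrip(".").lower().split(".")
    return ".".join(decode_label(label) for label in labels)

def scripts(label):
    """Scripts (LATIN, CYRILLIC, GREEK, ...) used by the letters of a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold look-alike characters onto one representative character."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_name(domain):
    """Naive (name, tld) split on the last two labels; no public-suffix list."""
    labels = domain.split(".")
    return (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]

def classify(domain, protected=PROTECTED):
    """Return sorted findings for a domain or e-mail address; [] means no match."""
    d = normalize(domain.rsplit("@", 1)[-1])
    if any(d == p or d.endswith("." + p) for p in protected):
        return []  # the real domain or one of its subdomains
    findings = set()
    if any(len(scripts(label)) > 1 for label in d.split(".")):
        findings.add("mixed-script")
    name, tld = split_name(d)
    flat = name.replace("-", "")
    for p in protected:
        brand, brand_tld = split_name(p)
        if name != brand and skeleton(name) == skeleton(brand):
            kind = "homoglyph"
        elif name == brand and tld != brand_tld:
            kind = "tld-squat"
        elif (flat != brand and (flat.startswith(brand) or flat.endswith(brand))
              and flat.replace(brand, "", 1) in COMBO_WORDS):
            kind = "combo-squat"
        elif edit_distance(name, brand) == 1:
            kind = "typo-squat"
        else:
            continue
        findings.add(f"{kind}:{p}")
    return sorted(findings)

if __name__ == "__main__":
    # Sample inputs taken from the examples quoted in the article.
    for sample in ["xn--micrsoft-qbh.xn--cm-fmc", "JOHN@MlCROSOFT.COM",
                   "microsoft-login.com", "wwwmicrosoft.com", "microsoft.co",
                   "ofice.com", "cloud-flare.com", "login.microsoftonline.com"]:
        print(f"{sample:32} {classify(sample) or 'no lookalike pattern'}")
```

A mail gateway or proxy log review could run `classify` over each sender and link domain and quarantine or flag anything that returns a finding.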

Unfortunately, the cybercriminal’s arsenal is wide-ranging and by no means limited to lookalike attacks. Against carefully executed attacks tailored to a specific company, mere attentiveness isn’t enough. For example, this year attackers created a fake site that cloned Reddit’s intranet gateway for employees and successfully compromised the company. Therefore, infosec teams need to think about not only employee training, but also vital protection tools:



It’s not all funny limericks, bizarre portraits, and hilarious viral skits. ChatGPT, Bard, DALL-E, Craiyon, Voice.ai, and a whole host of other mainstream artificial intelligence tools are great for whiling away an afternoon or helping you with your latest school or work assignment; however, cybercriminals are bending AI tools like these to aid in their schemes, adding a whole new dimension to phishing, vishing, malware, and social engineering.  

Here are some recent reports of AI’s use in scams plus a few pointers that might tip you off should any of these happen to you. 

1. AI Voice Scams

Vishing – or phishing over the phone – is not a new scheme; however, AI voice mimickers are making these scamming phone calls more believable than ever. In Arizona, a fake kidnapping phone call caused several minutes of panic for one family, as a mother received a demand for ransom to release her alleged kidnapped daughter. On the phone, the mother heard a voice that sounded exactly like her child’s, but it turned out to be an AI-generated facsimile.    

In reality, the daughter was not kidnapped. She was safe and sound. The family didn’t lose any money because they did the right thing: They contacted law enforcement and kept the scammer on the phone while they located the daughter.[1]

Imposter scams accounted for a loss of $2.6 billion in the U.S. in 2022. Emerging AI scams could increase that staggering total. Globally, about 25% of people have either experienced an AI voice scam or know someone who has, according to McAfee’s Beware the Artificial Imposter report. Additionally, the study discovered that 77% of voice scam targets lost money as a result.  

How to hear the difference 

No doubt about it, it’s frightening to hear a loved one in distress, but try to stay as calm as possible if you receive a phone call claiming to be someone in trouble. Do your best to really listen to the “voice” of your loved one. AI voice technology is incredible, but there are still some kinks in the technology. For example, does the voice have unnatural hitches? Do words cut off just a little too early? Does the tone of certain words not quite match your loved one’s accent? To pick up on these small details, a level head is necessary. 

What you can do as a family today to avoid falling for an AI vishing scam is to agree on a family password. This can be an obscure word or phrase that is meaningful to you. Keep this password to yourselves and never post about it on social media. This way, if a scammer ever calls you claiming to have or be a family member, this password could determine a fake emergency from a real one. 

2. Deepfake Ransom and Fake Advertisements

Deepfake, or the digital manipulation of an authentic image, video, or audio clip, is an AI capability that unsettles a lot of people. It challenges the long-held axiom that “seeing is believing.” If you can’t quite believe what you see, then what’s real? What’s not? 

The FBI is warning the public against a new scheme where cybercriminals are editing explicit footage and then blackmailing innocent people into sending money or gift cards in exchange for not posting the compromising content.[2]

Deepfake technology was also at the center of an incident involving a fake ad. A scammer created a fake ad depicting Martin Lewis, a trusted finance expert, advocating for an investment venture. The Facebook ad attempted to add legitimacy to its nefarious endeavor by including the deepfaked Lewis.[3]

How to respond to ransom demands and questionable online ads 

No response is the best response to a ransom demand. You’re dealing with a criminal. Who’s to say they won’t release their fake documents even if you give in to the ransom? Involve law enforcement as soon as a scammer approaches you, and they can help you resolve the issue. 

Just because a reputable social media platform hosts an advertisement doesn’t mean that the advertiser is a legitimate business. Before buying anything or investing your money with a business you found through an advertisement, conduct your own background research on the company. All it takes is five minutes to look up its Better Business Bureau rating and other online reviews to determine if the company is reputable. 

To identify a deepfake video or image, check for inconsistent shadows and lighting, face distortions, and people’s hands. That’s where you’ll most likely spot small details that aren’t quite right. Like AI voices, deepfake technology is often accurate, but it’s not perfect. 

3. AI-generated Malware and Phishing Emails

Content generation tools have some safeguards in place to prevent them from creating text that could be used illegally; however, some cybercriminals have found ways around those rules and are using ChatGPT and Bard to assist in their malware and phishing operations. For example, if a criminal asked ChatGPT to write a key-logging malware, it would refuse. But if they rephrased and asked it to compose code that captures keystrokes, it may comply with that request. One researcher demonstrated that even someone with little knowledge of coding could use ChatGPT, thus making malware creation simpler and more available than ever.[4] Similarly, AI text generation tools can create convincing phishing emails and create them quickly. In theory, this could speed up a phisher’s operation and widen their reach.

How to avoid AI-written malware and phishing attempts 

You can avoid AI-generated malware and phishing correspondences the same way you deal with the human-written variety: Be careful and distrust anything that seems suspicious. To steer clear of malware, stick to websites you know you can trust. A safe browsing tool like McAfee web protection – which is included in McAfee+ – can doublecheck that you stay off of sketchy websites. 

As for phishing, when you see emails or texts that demand a quick response or seem out of the ordinary, be on alert. Traditional phishing correspondences are usually riddled with typos, misspellings, and poor grammar. AI-written lures are often written well and rarely contain errors. This means that you must be diligent in vetting every message in your inbox. 

Slow Down, Keep Calm, and Be Confident 

While the debate about regulating AI heats up, the best thing you can do is to use AI responsibly. Be transparent when you use it. And if you suspect you’re encountering a malicious use of AI, slow down and try your best to evaluate the situation with a clear mind. AI can create some convincing content, but trust your instincts and follow the above best practices to keep your money and personal information out of the hands of cybercriminals. 

[1] CNN, “‘Mom, these bad men have me’: She believes scammers cloned her daughter’s voice in a fake kidnapping”

[2] NBC News, “FBI warns about deepfake porn scams”

[3] BBC, “Martin Lewis felt ‘sick’ seeing deepfake scam ad on Facebook”

[4] Dark Reading, “Researcher Tricks ChatGPT Into Building Undetectable Steganography Malware”


Just because that link comes from [your search engine here] doesn’t mean it’s a legitimate website.

Summer is at its height, and it’s a good time to go sit by the pool with a glass of iced tea, go out and see that hugely promoted film in a nice cool theater, or maybe relax at home in your favorite chair…in front of the air conditioner. 


We’ve published multiple comparisons of secure messaging apps with end-to-end encryption, shared recommended settings, and described the respective flaws of these apps. But what about folks who want secure messengers but who aren’t exactly tech-savvy? This blogpost is just for them – based as it is on an extensive study and published report entitled What Is Secure? by a group of experts from the agencies Tech Policy Press and Convocation Research and Design.

The report contains recommendations for both users and developers. But since not everyone will read through all the 86 pages of text, we summarize the paper’s main conclusions below.

Object of study

The researchers interviewed user groups in Louisiana in the United States, and Delhi, India, to determine the strongest and weakest points of current messaging apps. The following popular apps were examined:

  • Apple iMessage
  • Meta (Facebook) Messenger
  • Messages by Google
  • Signal
  • Telegram
  • WhatsApp

The study focused on the way humans respond to in-app tips, and the way they understand the meaning of each feature. More importantly, the respondents were asked about any specific fears, and in what ways they think secure messaging apps are or could be useful in their lives. Some of the interviewees said they are worried about potential physical violence, such as domestic violence, in connection with messaging, while others fear persecution by the authorities. This had a major effect on their perception of “secure”.

Key finding

End-to-end encryption is only one aspect of security. Encrypted messaging won’t solve every problem a threatened user is having. Therefore, one needs to think through a strategy against motivated adversaries. Is there a risk of your phone being seized? A risk of you being forced to unlock it? Are you afraid that someone may try to obtain your data from the company that owns the app using litigation or a legal order? Or infect your phone with spyware? Would it be easier for the bad guys to try and extract that data from the person you’re chatting with? For many, the answer to each of the above is no, so an encrypted messaging app provides sufficient security in and of itself. And even if your answer is yes, that’s no reason to give up encryption and secure messaging: they just need to be one layer of your defenses.

As further tips, the researchers recommend that the above vulnerable user groups take several technical steps (more on those below) but, most importantly, not to carry their phones in places where they could be physically seized or forcibly unlocked. They suggest getting a second phone for such dangerous places, and keeping the main device with a person they can trust.

General tips on secure messaging

The biggest secrets are best delivered face-to-face. No method of digital communication is completely secure. Therefore, the riskiest information – especially if posing a threat to health or even life – should be discussed in person, not in a chat.

Don’t make decisions blindly. Users make conscious efforts to protect their privacy, but they often rely on popular opinion about security – not verified sources. Few read documents that accompany messaging apps: terms of use, or transparency and government data sharing reports. Research carefully what your messaging service actually stores and where, and with whom it shares data and has shared in the past. That information can be found in transparency reports and in the press.

Carefully review the app settings. Make sense of each setting and turn on all the securest options. Bear in mind that parts of the privacy settings may be spread across the phone’s general settings (especially true for iMessage in iOS, and Messages by Google in Android) or sections of the app settings (typical of Telegram).

Avoid hybrid modes. Several messaging apps support both encrypted and unencrypted messaging. In iMessage and Messages by Google, you can send open texts and encrypted messages in the same chat; however, this is a bad idea since these message types are always confused. Both Messenger and Telegram have separate encrypted and unencrypted chats, with the unencrypted mode used by default. The paper recommends using messaging apps based on full encryption: Signal or WhatsApp.

The more features – the higher the risk. Extra features, such as stories, bots or links to social networking services, provide extra surveillance and data-leak channels. It’s best to turn off these kinds of features or avoid using the app altogether.

Disable link previews, geolocation sharing, and GIFs. These features do come in handy sometimes, but they can be used to track you down by various parties, including linked websites. Another potential leak channel is finding and sharing GIFs in chats.

Messaging apps that work without a phone number are helpful. These include, to a certain extent, Telegram, Messenger and iMessage, although it does take some effort to configure each of them to use your internal username or e-mail as your identifier when chatting. According to the report, WhatsApp and Signal are planning to add a feature like this too.

Use disappearing messages. The most squeamish among us can enable chats to be deleted automatically after a short period of time, such as one minute. Unfortunately, not every messaging app has options like these, and in some of them, the shortest visibility period is 24 hours. Disappearing messages do little to protect you from screenshots or other ways that chats can be saved. Auto-deleting messages is helpful if you expect that strangers will be poking around in your phone shortly.

Encrypt chat backups. Default cloud backups are a frequent leak channel, so it’s imperative that they’re encrypted (something that needs to be enabled manually in both WhatsApp and iMessage), saved locally (for example, on an SD card if using an Android phone), or turned off altogether. Any local backups should be encrypted as well.

Compare encryption keys with the people you chat with. This procedure is called Contact Key Verification (in iMessage), Safety Numbers (in Signal), Security Code (in WhatsApp), and Encryption key (in Telegram), and it helps make sure that you’re chatting with the right person – using the right device. Encryption keys can be verified for each chat by comparing codes or meeting face-to-face.

Protect yourself against account hijacking by turning on two-factor authentication. This feature comes under a variety of names, such as Two-Step Verification, Registration PIN, or something else, but the essence remains the same: logging in to the same account on a new device requires an extra verification step.

Train the people you chat with. This is critical for groups that chat about sensitive subjects. This requires that the members all share and observe the following ethics and security rules:

  • No forwarding of confidential information
  • No screenshots or other copies of the information in the chat
  • Supporting a culture of privacy within the community
  • Using the app settings wisely
  • Disabling potentially risky chat features

What’s the securest messaging app?

Signal is the clear leader in the study, but the requirement to expose your phone number makes the situation somewhat complicated. The table below contains a comparison of the key messaging-app security features, with the safest option in each row highlighted in green.

| Feature | Apple iMessage | Meta (FB) Messenger* | Google Messages | Signal | Telegram | WhatsApp |
| --- | --- | --- | --- | --- | --- | --- |
| End-to-end encryption in one-to-one chats | In certain cases* | Special type of chat | In certain cases* | Always | Secret chats only | Always |
| End-to-end encryption in group chats | In certain cases* | Special type of group | In certain cases* | Always | Never | Always |
| Verified encryption protocol | No | Yes | Yes | Yes | No | Yes |
| Encrypted backups | Yes, optional | No backups | No | Yes, on by default | No backups | Yes, optional |
| Manual comparison of encryption keys | Yes | Yes | No | Yes | Yes | Yes |
| Phone number-free registration | Yes | Yes (complicated) | No | No | No | No |
| Hiding phone number from contacts | Yes | Yes | No | No | Yes | No |
| Links with other services or accounts in these | Yes | Yes | No | No | No | Yes |
| Hiding metadata** | Partial | Partial | Partial | Yes | Partial | Partial |
| Storing metadata** | Yes | Yes | Yes | No | Yes | Yes |
| Self-destructing messages | No | Five seconds or longer | No | One second or longer | One second or longer | 24 hours or longer and one-time viewing |
| Disabling link previews | No | No | No | Yes | Secret chats only | No |
| Blocking screenshots | No | No | No | Yes | Secret chats only | No |
| Screenshot alert | No | Yes | No | No | No | No |

\* Available as long as all parties are using the same platform (iOS or Android) and the appropriate app settings.

\*\* Confidentiality settings to avoid showing to other users the following metadata partially or in full: the user’s photo, the user’s other contacts, chat and group memberships, IP address, and chat times.

The table is based on the data of the report What Is Secure?



Authored by: Vallabh Chole and Yerko Grbic

On July 23rd, 2023, Elon Musk announced that the social networking site Twitter was rebranding as “X”. The news propelled Twitter and X into the headlines and made them top trending topics on popular social media platforms.

Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” to promote scam links with new X branding. 

Figure 1. Twitter-X-themed YouTube Live Stream by scammer 

 

Figure 2. Twitter X Crypto Scam 

 

This type of scam has been active for some time and uses an innovative approach to lure victims. To make the scam look more authentic, attackers target famous influencers with sponsorship emails that contain password-stealing malware as email attachments. When the password-stealing malware is executed, the influencer’s session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems.

Figure 3. Malware Flow Chart  

 

After the influencer’s account has been compromised, the scammers rename the channel, in this case to “Twitter CEO”, and then start to live stream an Elon Musk video on YouTube. They post web links for new scam sites in chat, and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions, such as “Thanks Mr.Elon”. If we look for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos for software/game applications, which are malware masquerading as legitimate software or games. These videos demonstrate how to download and execute the files, which are common password-stealing malware distributed through compromised social media accounts.

Protection with McAfee+: 

 McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites.

Figure 4. McAfee WebAdvisor detection 

 

Below is a detection heatmap for scam URLs targeting twitter-x and promoting crypto scams.

Figure 5. Scam URL Detection Heatmap 

 

Figure 6. Password stealer Heatmap 

 

Indicators of Compromise: 

Scam Site        Crypto Type  Wallet
twitter-x[.]org  ETH          0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org  BTC          1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug
twitter-x[.]org  USDT         0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org  DOGE         DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J
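
One defensive use of the indicators in the table above, as an added example that is not part of the original post: load the defanged rows, then scan chat or proxy-log lines for the scam domain (including its subdomains) and the wallet addresses. The function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the table above (domain still defanged).
IOC_TABLE = """\
twitter-x[.]org ETH  0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org BTC  1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug
twitter-x[.]org USDT 0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org DOGE DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J
"""

# Constructed chat / proxy-log lines for the demo; not real captured data.
SAMPLE = [
    "Double your ETH today at https://www.twitter-x.org/claim",
    "send 0.1 eth to 0xb1706fc3671115432ec9a997f802ac79cd7f378a",
    "analyst note: hxxps://twitter-x[.]org/live still resolves",
    "unrelated host https://twitter-x.org.example.com/blog",
    "btc 1ktgaajbetdcxiadgsxjmept4aegwqtsug",  # case-folded Base58: a different string
    "BTC: 1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug",
]


def refang(token):
    """Undo common defanging so published indicators compare equal to live text."""
    token = token.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", token, flags=re.IGNORECASE)


def wallet_key(addr):
    # 0x... hex addresses differ in case only for checksumming, so fold case.
    # Base58 addresses (BTC, DOGE) are case-sensitive and must match exactly.
    return addr.lower() if addr.lower().startswith("0x") else addr


def load_iocs(table):
    """Parse 'domain coin wallet' rows into a domain set and a wallet map."""
    domains, wallets = set(), {}
    for row in table.splitlines():
        if not row.strip():
            continue
        domain, coin, addr = row.split()
        domains.add(refang(domain).lower())
        wallets.setdefault(wallet_key(addr), set()).add(coin)
    return domains, wallets


def host_of(token):
    """Return the hostname of a URL-like token (scheme optional), or None."""
    if "." not in token:
        return None
    url = token if "://" in token else "//" + token
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed bracketed host
        return None
    return host.rstrip(".") if host else None


def scan(lines, domains, wallets):
    """Return (line_number, kind, indicator) for every IoC seen in lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for raw in line.split():
            token = refang(raw.strip(".,;:!?()<>\"'"))
            host = host_of(token)
            for d in sorted(domains):
                # Exact host or a true subdomain; a lookalike suffix or prefix is not a hit.
                if host and (host == d or host.endswith("." + d)):
                    hits.append((n, "domain", d))
            key = wallet_key(token)
            if key in wallets:
                hits.append((n, "wallet", "/".join(sorted(wallets[key]))))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE, *load_iocs(IOC_TABLE)):
        print(hit)
```
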

 


Business requirements for IT and infosec teams are varied and often conflicting. Their tasks include cost reduction, efficient use of data, automation, cloud migration, and weighing all the information security risks. How do the key trends and changes in IT affect a company’s infosec profile, and what should your response to business needs take into account? We analyzed the most important and practical IT trends (according to several independent expert groups and cybersecurity market analysts), focusing on the infosec aspect of each.

IT optimization

Businesses worldwide have good reason to tighten their belts, whether because of geopolitical changes, inflation, or economic recession. For IT teams, this means a major review of operating costs. Finance departments today have cloud costs under the microscope, since 60% of corporate data is now stored in the cloud. For many companies, the migration to the cloud was sudden and unsystematic, leading to a backlog of unused SaaS subscriptions, as well as suboptimally configured virtual machines and other cloud environments. There is usually plenty of potential for optimization here, but it should not be a one-off process. Companies need to create a culture in which cloud costs are a concern not only for IT people but also for the cloud users themselves.

Infosec angle. During optimization and consolidation, cloud services are reconfigured and data is moved between different cloud environments. It is important to allocate time and resources for a post-migration system audit to make sure, among other things, that security settings are correct and that all service accounts that were needed for the migration have been closed. During migration, it is a good idea to update secrets (access tokens, API keys, etc.) and implement best-practice encryption and cipher policies.

If any equipment or cloud services are decommissioned after the migration, they must be wiped of all confidential data and service information (debugging and temporary files, test data, etc.).

Open source

The economic benefits of open-source applications are varied: for example, software development companies reduce costs and time to market by using ready-made code, while others acquire systems that they can customize and maintain in-house, if needed.

Infosec angle. The main risk of open source is vulnerabilities and backdoors in third-party code, mainly because it is not always clear who should fix the code and how. Often a company will be using some library or piece of software without knowing it. Eliminating open-source risk requires a code inventory and scanning systems. For a more in-depth look at the risks and mitigation measures, see our separate post.

Data management

Large companies in almost every industry have been accumulating vast amounts of operational data for about two decades now. In theory, it helps optimize and automate business processes and develop fundamentally new products (sometimes the data itself becomes a sought-after commodity). In practice, however, things are more complicated: a lot of data is collected, but often its structure, recency, and form of storage are such that it is hard or even impossible to find information and use it.

For real data-driven growth, businesses need clear procedures for collecting, cataloging, storing, and using data. Useful strategies here are data management and data governance. These strategies describe the structure and nature of the stored information and the full data lifecycle, and allow you to manage its storage and use.

Infosec angle. Data governance is implemented for economic reasons, but the collateral benefits for information security are huge. After all, by knowing where and what data is stored, a company is better placed to assess risks, provide adequate protection for all data sets, and comply with personal data laws. The infosec team should play an active role in developing and implementing the data management strategy, including: access and encryption policies, compliance controls, protective measures for data at rest and in transit, and procedures for obtaining access. The strategy should also cover “auxiliary” types of data such as backups and proprietary technical information in the cloud (especially SaaS).

Low code & no code

The low-code approach allows business systems to be modified and extended without programmers. Common modifications include changing application and website interfaces, creating new data analysis and control scenarios, and robotic process automation (RPA). It helps with developing CRM solutions, e-document management, creating marketing web pages, and so on. Businesses benefit from this approach because the IT maintenance costs involved are significantly lower than for counterparts that require “real” programmers. Some popular no-code/low-code systems are Microsoft Power Apps, Salesforce, Uipath, and even WordPress.

Infosec angle. Low-code systems pose significant risks, since by definition they have wide access to data and to other corporate IT systems. They are also configured and used by people without in-depth IT/infosec training. All this can lead to data leaks, various forms of privilege escalation, insufficient logging, and unauthorized access to information.

In addition, users of such systems routinely leave secrets, such as API keys, directly in code. And most importantly, almost all no-code systems actively use a plug-in architecture and have their own repositories of custom components for user projects. Vulnerabilities in these components are often very serious and very hard to track and quickly fix using standard infosec tools.

The infosec team must develop specific policies and procedures for each low-code application used in the company. Administrators and owners of the applications should receive in-depth training in these infosec procedures, while regular users of low-code applications need basic specialized training. As part of this user training, it is important to teach secure programming practices and how to use the system. At a minimum, training should cover the requirements not to store passwords in software code, to check input data, and to minimize data modification operations.

IT administrators need to pay close attention to minimizing privileges and controlling access to data through low-code applications. The infosec team should evaluate specialized solutions for protecting particular low-code applications; for example, there is a fairly thriving mini-industry around WordPress. More on this rather broad topic can be found in our separate post.

Robustness & resilience

Major IT incidents over the past decade (not necessarily cyberattacks) have taught businesses that investing in IT resilience is both cost-effective and rewarding. Investment here is primarily aimed at eliminating catastrophic losses and ensuring business continuity. But even if major incidents are not counted, resilience pays off by improving the user experience for customers and employees, boosting a company’s reputation, and driving loyalty.

There are several ways to develop resilience:

  • In-depth testing of IT systems during development (devops, devsecops);
  • Designing systems that can continue to function in the event of partial failure (redundancy, duplication);
  • Implementing monitoring systems to track IT/infosec anomalies and prevent incidents at an early stage (database failure, load imbalance, malware execution, etc.);
  • Implementing a multi-layered infosec system in the company;
  • Developing automation scenarios to save time and minimize human error, including scenarios for automating the handling of IT infrastructure issues;
  • Studying the supply chain to eliminate incidents related to the code, infrastructure or internal procedures of the company’s suppliers and contractors;
  • Implementing incident response and post-incident recovery procedures and testing them in practice.

Infosec angle. When a business demands “general resilience” from its IT systems, the IT and infosec requirements here are closely intertwined, so implementing any of the measures above will require in-depth collaboration among the relevant departments. Budgets are limited, so it is important to set priorities with business decision-makers and distribute tasks and projects between “general IT” and infosec, identifying opportunities for optimization and synergy. Ideally, one solution (say, a backup system) should handle IT and infosec tasks concurrently, and defining the requirements for it, training in its use, and so on should be done jointly. The result for the company will be a holistic cyber-resilience strategy. The first steps toward cyber-resilience are discussed in detail here.

This post has not said a word about generative AI or various other corporate IT trends that are still in the “we’re experimenting with how to apply this” phase. We plan to release a separate review of promising but still raw trends.



Are you skeptical about mainstream artificial intelligence? Or do you love AI and use it all day, every day?

The arrival of AI in everyday life is streamlining workdays, homework assignments, and, for some, personal correspondence. It is a privilege to live in a time when we can access this amazing technology from the smartphone in our pocket; however, overusing AI or using it irresponsibly could cause a chain reaction that affects not only you but also your close circle and the people around you.

Here are four tips to help you navigate and use AI responsibly.

1. Always Double Check AI’s Work

Artificial intelligence certainly earns the “intelligence” part of its name, but that doesn’t mean it never makes mistakes. Be sure to proofread or review anything AI creates, whether it is written, visual or audio content.

For example, if you are looking for a realistic image or video, AI often adds extra fingers and distorts faces. Some of its creations can be a nightmare! There is also a phenomenon known as AI hallucination. This is when the AI does not admit that it doesn’t know the answer to your question. Instead, it concocts false information and even fabricates fake sources to back up its claims.

One AI hallucination landed a lawyer in big trouble in New York. The lawyer used ChatGPT to write a brief, but he did not double-check the AI’s work. It turned out that the majority of the brief was incorrect.[1]

Whether you are a blogger with thousands of readers or you ask AI to write a short blurb to share with your friends or coworkers, it is essential to edit everything an AI tool produces. Not doing so could start rumors based on false claims.

2. Be Transparent

If you use AI to do more than gather a few rough ideas, you should cite the tool you used as a source. Passing off AI’s work as your own could be seen as cheating in the eyes of teachers, bosses or critics.

There is much debate about whether AI has a place in the art world. An artist entered an image into a photography contest that he had secretly created with AI. When his submission won the contest, the photographer revealed AI’s role in the image and gave up the prize. The photographer deliberately kept AI out of the conversation to prove a point, but imagine if he had kept the image’s origin to himself.[2] Would that be fair? When other photographers had to wait for the perfect angle of sunlight or capture a fleeting moment, should an AI-generated image with artificial lighting and static subjects be judged in the same way?

3. Share Thoughtfully

Even if you don’t use AI personally, you are likely to encounter it every day, whether you realize it or not. AI-generated content is popular on social media, such as the fake video game battles between politicians.[3] (A deepfake is a manipulation of a photo, video, or audio clip to depict something that never happened.) The absurdity of this series of videos will probably tip viewers off to its lighthearted intent, though best practice is to add a disclaimer to any deepfake.

Some deepfakes have malicious intent on top of looking and sounding incredibly realistic. Especially around election time, fake news reports tend to swirl and discredit candidates. A good rule of thumb is: if it seems too fantastical to be true, it probably isn’t. Sometimes it takes only five minutes to verify the authenticity of a social media post, photo, video or news report. Think critically about the authenticity of a report before sharing. Fake news reports spread fast, and many are inflammatory.

4. Choose Authenticity

According to McAfee’s “Modern Love Research Report,” 26% of respondents said they would use AI to write a love letter; however, 49% of people said they would feel hurt if their partner commissioned a machine to write a love letter instead of writing one with their own human heart and soul.

Today’s AI is not sentient. That means that even if the end result made you cry or laugh out loud, the AI itself does not understand the emotions behind what it creates. It merely uses patterns to craft a reply to your prompt. Hiding or funneling your true feelings into a computer program could lead to a shaky and secretive relationship.

Plus, if everyone relied on AI content creation tools like ChatGPT, Bard, and Copy.ai, then how could we trust any emotion as genuine? What would the future hold for novels, poetry, even Hollywood?

Be Cautious Yet Confident

Responsible AI is a term that governs the responsibilities programmers have to society to ensure that they populate AI systems with data that is free of bias and accurate. OpenAI (the organization behind ChatGPT and DALL-E) vows to act in “the best interests of humanity.”[4] From there, everyone who interacts with AI should likewise act in the best interests of themselves and those around them to avoid unleashing the dangers of AI on society.

AI’s capabilities are vast, and the technology is getting more sophisticated by the day. To ensure that the human voice and creative spirit do not become permanently robotic, it is best to use AI in moderation and be open with others about how you use it.

To give you peace of mind, McAfee+ can restore your online privacy and identity should you fall for an AI-assisted scam. With identity restoration experts and up to $2 million in identity theft coverage, you can feel better about navigating this new dimension of the online world.

[1] The New York Times, “Here’s What Happens When Your Lawyer Uses ChatGPT”

[2] ARTnews, “Artist Wins Photography Contest After Submitting AI-Generated Image, Then Forfeits Prize”

[3] Business Insider, “AI-generated audio of Joe Biden and Donald Trump trash-talking while gaming is taking over TikTok”

[4] OpenAI, “OpenAI Charter”


In Discord’s Family Center, parents can now monitor their children’s online activity to some degree, adjusting the oversight to suit their needs.

If your kids use the popular messaging platform Discord to connect with friends while gaming, they are not alone. Discord now has about 154 million active users aged 13 and over. This online community certainly boosts social connection, but is your child connecting safely?

As it turns out, scammers really love Barbie.

As Barbie makes her debut on the big screen, scammers aim to cash in on the summer blockbuster. A series of scams has surfaced online, including fake movie downloads that install malware, Barbie-related viruses, and fake videos that point people to free tickets but instead lead to links that steal personal information with spyware. “Cybercriminals are always looking for opportunities to make phishing and other scams more attractive and believable,” said Steve Grobman, CTO of McAfee. “They often take advantage of popular and well-publicized events such as movie premieres, concerts or sporting events to trick users into clicking malicious links.”

Fans lining up to see “Barbie” can avoid this onslaught if they know what to look for. Here are some examples of what our researchers found.

Examples of fake Barbie download tricks

In India, we have seen several examples of malicious campaigns that attempt to trick victims into downloading “Barbie” in different languages:

Screenshot of a malicious campaign aimed at Hindi-speaking users

By clicking the link, victims are prompted to download a .zip file, which is packed with malware.

Barbie-related malware on the rise

In the past 3 weeks, we have seen 100 new pieces of malware with Barbie-related file names. Once again, this shows how attackers are capitalizing on the movie’s hype, hoping people will click on malicious files because the Barbie name is trending.

The file types vary but include common types such as .html and .exe. By and large, attackers focus on the U.S., but other countries are targeted as well. Below you can see the country-by-country statistics of where these Barbie malware samples appeared:

Malware distribution by country, as of July 20, 2023

Fake videos lead to Barbie-branded attacks

The videos redirect would-be victims to a Discord server or a website. There, the attackers ask visitors to download a large .exe file. As before, the file is loaded with malware, such as the type known as “Redline Stealer,” which steals personal information, login information and more from the device.

Example of a fake Barbie ticket video on YouTube

Sharing personal and financial information with these fraudulent sites leads to identity theft and fraud. Scammers can carry out the follow-on crimes themselves, and they can also pass the stolen information on for resale on dark web marketplaces, all to the detriment of moviegoers.

While the Barbie and Oppenheimer movies have created a hot new sensation, the online scams linked to them are an old habit. Historically, any major media event has spawned a host of online scams. We can point to scam sites tied to the Super Bowl in the U.S., cryptocurrency scams leveraging popular shows like Squid Games, and the merchandise and streaming scams that pop up during the Men’s and Women’s FIFA World Cups.

That said, there is good news for movie fans. You can avoid these “Barbie” and “Oppenheimer” scams by watching for a few signs and taking a few simple security measures.

Protect yourself from online movie scams

  1. Stick with trusted retailers and streamers. Keeping your shopping and viewing to well-known, top brands remains your safest bet online. Trusted retailers carry legitimate merchandise. And if fakes and knockoffs do sneak into their marketplaces, refund policies give you a way to recoup your losses. What’s more, trusted streamers will only feature shows and events they have the rights to. If you find an offer to stream something that is heavily discounted, free, or not available on well-known media outlets, it is likely a scam. At the very least, it is probably pirated content, which can carry malware threats with it.
  2. Buy tickets from reputable theater chains or ticketing apps. Another way scammers like to cash in on a hot ticket is by opening bogus online box offices that charge for tickets. Of course, they will not deliver. They simply take your money, and your card number to boot. You can avoid this by purchasing your tickets online directly from the theater or by using a reputable online movie ticketing app that you can find in the Apple App Store or Google Play.
  3. Watch out for sites that look sloppy. Online scammers have different levels of sophistication when it comes to building and designing fraudulent sites. Some can look quite legitimate, but others look a bit slapped together. In any case, watch for poor web design, typos, and grammatical errors, however small. These often indicate a scam site, since reputable companies make every effort to provide a clean and professional-looking experience.
  4. View offers, promotions and giveaways with a critical eye. With big media events come big marketing efforts, and scammers will do their best to blend in with them. A quick way to sniff out a scam is to pay close attention to the promotion. If it asks you to provide your bank or card information to qualify, count it as a scam. Simply put, steer clear of promotions that ask for something in return, particularly if it is your money or personal information.
  5. Get online protection. Comprehensive online protection software will defend against the latest virus, malware, spyware, and ransomware attacks. Plus, it further protects your privacy and identity. Particularly with the “Barbie” and “Oppenheimer” scams circulating, online protection can help prevent you from clicking links to known or suspected malicious sites. In addition, it offers strong password protection by automatically generating and storing complex passwords to keep your credentials safer from hackers and crooks who may try to force their way into your accounts.

