
iM Secure, iM Aware News

Spam, Scams & Hacking You on Social Media

Security Awareness is an essential part of achieving WorleyParsons' goal of achieving zero harm to our people, assets and the environment. Please remember to always practice Security Awareness within the boundaries of the WorleyParsons Code of Conduct, OneWay Framework and Documented iM Policies and Procedures.

To report a Security Incident: http://support.worleyparsons.com

Just One Click

While the interconnection of technology has made it simple for us to keep in touch with family and friends, and promote our personal and professional brands, it has also made it simple for criminal hackers to infiltrate our lives. Think about all of the information you store and share with each network you join.

Due to the control (or lack thereof) offered to us over our security settings, criminals know they have a revolving door to access our sensitive data. The bigger the network, the bigger the target and ultimately the bigger the payoff.

Facebook, the world's current largest social network (with over 1.59 billion global users), has been, and continues to be, the source of scams and phishing attacks. A post as simple as "share to win!" leads to hundreds of thousands of people being duped, all because they didn't bother to check the validity of the post or the person posting it. While a sharing scam is mostly harmless (similar to an old-fashioned chain email), it reveals the gullible nature of many users, which can lead to malware infection or identity theft. We must always verify the source and think before we click.

One of the most common attacks across all social media networks comes via imposters. A scammer creates a profile of YOU, or of someone you know, and sends friend requests, with the goal of gaining access to private information. Impersonators not only have access to all of your friends' and family's accounts, they may use that access to send requests for money or create more fraudulent accounts. They can also post links to fake content that, when clicked, takes your followers to malware-ridden websites, or installs a Trojan, giving the criminal access to your entire computer. (If you think this has happened to you, report it to the social network in question ASAP!)

This is especially true of China-based QQ, an instant messaging service with the third most users of all social media networks. A criminal hacker gets access to the user's account via malware and uses it to send money requests to all of that user's contacts. Even worse, QQ is a target for scamming rings that use Trojan viruses to gain access to an account. These hacked accounts are then sold on the black market to other criminals who use the account to gain access to sensitive information via the user's chat records and emails. All it takes is one click for your data to be compromised.

From the Trenches
A real story from one of our colleagues

My grandma joined Facebook a few years ago like many older folks. But, like many non-tech-savvy folks, she didn't know how to use it and didn't post much content (rarely changes her profile picture). One day, I got a friend request from her. I thought it odd and was pretty sure we were already friends, but figured she had accidentally unfriended me somehow. So I accepted the friend request without bothering to look at the profile (after all, it had her exact name and current profile picture). A few days later, I got a message from my mom saying that it was an imposter account and had been reported as such to Facebook. I felt like an idiot! By allowing this imposter into my circle, he or she had unbridled access to all of my friends and family, including phone numbers (which should never be put on a social network), emails and photos.

#dislike

WANT TO KNOW MORE ABOUT FACEBOOK SCAMS?
Check out this article: facecrooks.com/Scam-Watch/Top-Ten-Facebook-Scams-to-Avoid.html

LinkedIn SCAMS

According to Wikipedia, LinkedIn is a business-oriented social networking service mainly used for professional networking. Unfortunately, the model by which users are connected (accepting requests from total strangers) perpetually breeds spam.

Bogus recruiting accounts attempt to build a network map by sending requests to business professionals, which in turn makes the bogus account look legit. Victims are conned into giving up personal details, such as email addresses, which the criminals use to launch phishing campaigns and steer the users to websites built around malware.

We need to be cautious when accepting invitations from strangers, and especially cautious when clicking the LinkedIn invite button in your email. When you get a notification that Claire, the alleged Director of Operations for Walmart, wants to add you to her network, don't just automatically click accept. Investigate Claire. Why would an executive of a major corporation want to add YOU to her network? How many connections does she have? The lower the number, the more likely the account is fake. Do a reverse image search. Who is Claire? If the account is fake, the profile image will be used for multiple accounts. A simple Google search of the person's name is always a good starting point before adding someone you don't know to your network.

And always, always, always add users via the website. Never click the request directly from your email. Sending bogus LinkedIn requests is standard operating procedure for phishing emails.

ransomware case file

The Cause: Ransomware is a form of malware that encrypts your data and restricts your access to the data until you pay the requested bounty.

The Case: Hollywood Presbyterian Medical Center was taken offline when criminal hackers infiltrated the network and shut down basic operations, such as CT scans, lab work and pertinent documentation, by using ransomware. The facility was down for more than a week and had to divert several patients to other hospitals.

The Cost: In the end, HPMC determined the best way to restore operations was to pay the ransom and obtain the decryption key. The bounty was approximately $17,000 in the form of Bitcoins.

What to do if this happens to you: At work, take no further actions, and immediately notify your incident response team, or appropriate management.

It's a Spammer's World... and we're just living in it.

The biggest security hole in social media is its connection to your personal email. Just like with the LinkedIn example, where bogus accounts are sending out network requests, every social media app sends email notifications of posts, likes, friend requests, etc. If we're not careful, those email notifications could lead to phishing and malware. For that reason, it's important to verify the validity of the link by doing a mouseover, hovering the cursor over the link before actually clicking on it. Otherwise, log in to your social media account directly instead. It's all too easy for a criminal hacker to send spam email posing as a link from a popular social network.

Macros still pose a threat!

If you receive an Office document, and are notified that it contains a macro, be sure to verify the sender before enabling it. Know and follow company policy concerning macros and if you want more info, visit http://bit.ly/1MyH9b0 and check your specific software version for assistance.

Text Message Scams

The rise of unsolicited text messages is bringing on another form of scamming that puts your personally identifiable information (PII) at risk. Usually, it's a bogus message, such as your bank claiming your account is locked and you need to call a certain number and give certain credentials. Or it's a link to claim a prize you've supposedly won; clicking the link installs malware on your phone that gives criminal hackers access to your PII. To avoid being scammed, simply think before you click, and check out the Federal Trade Commission's list of how to protect your personal information.

Keeping Kids Safe on Social Media + 10 Tips for Parents

Smart, secure networking starts at home and it starts early. At some point, our children will reach the age where they're old enough to develop an online presence. It's up to us as parents to educate them about the dangers associated with these networks, and how important it is to protect that online presence.

In order to do that, we need to educate ourselves on every social media network our children are joining. That means joining the network and boning up on how information is shared, so that we can teach them how to protect their accounts in addition to teaching them why what they share matters.

We don't necessarily want to scare our children, but making them aware of the dangers ahead is part of our jobs as parents. For that reason, showing them examples of how their shared information can be used against them, and introducing them to concepts like cyber bullying and stalking, can be a fantastic way to educate them. If they are aware of the consequences, they will make smarter choices.

No idea where to begin? Try these conversation starters:
blog.thesecurityawarenesscompany.com/conversation-starters-for-kids-receiving-tech-gifts/

10 Tips for Parents

1. Don't assume your child knows more than you about navigating technology.
2. Make sure your kids know what is and is not appropriate to post.
3. Don't post personal financial information such as credit and debit card numbers, bank statements and pay checks on social media.
4. Don't post other personal, non-financial information on social media, such as a new driver's license.
5. Don't post information about the place you work.
6. Don't post your social plans and vacation details.
7. Don't let your kids check in everywhere they go.
8. Know with whom your kids are connecting.
9. Monitor your kids' credit reports.
10. Be actively involved in your child's online life.

email spoofers are getting smarter

Even the most security aware folks can get spoofed when scammers are good at what they do. The email was surprisingly well written without the spelling and grammar errors I have come to expect from fake emails. That says it all; scammers are getting better at getting clicks. Which means we need to get better at vetting. Think before you click, and when in doubt delete! Read the whole story by visiting the link below.

blog.thesecurityawarenesscompany.com/scam-alert-help-i-had-an-easter-disaster-in-the-philippines/

PHISHING IN ACTION

An information security professional shared this example of a real phishing email that came through her inbox. It made her pause because it looked so legitimate. Read through her notes about the thought process she used to figure out if it was real or not.

Inconsistencies in the links! Service@paypal.com was just the display name. Service@pp.com was the actual email URL.

They used my actual name, not something generic like "customer", so I had to really think about this.

Link inconsistencies! When I hovered over "Click here to login", this very long URL appeared. Clearly, this is not a real PayPal address. (And it had my email address in the URL, so it probably contained a script to capture the associated login information!)

The day before receiving this message, I had just set up a new bank account on my PayPal account and sent money to a friend, so it's not unreasonable to believe that some recent account activity may have triggered their security alarms.

While this email looks really good (no obvious spelling or grammar issues, it includes the PayPal logo, it used my actual name) there's still some odd formatting that I know the PayPal design team would never let go out to a customer.

I opened a browser and logged in the way I usually do, WITHOUT clicking on any of the links in the email, and upon entering my account, lo and behold, there were NO account notifications, nothing indicating that my account was limited. That confirmed my suspicions that this was a phishing email. As you can see, they can be very convincing!
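The checks the analyst did by hand above (display name versus the real sender address, where the "Click here to login" link actually points, and her own email address carried in the URL) are the same ones a mail filter can script. The following is an added example, not part of the newsletter; the message, the sender domain pp.com, the link host pp-secure.example and the recipient are constructed, and the domain comparison is a deliberately crude last-two-labels check.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the notice in the notes above; names and hosts are made up.
SAMPLE = """\
From: "Service@paypal.com" <service@pp.com>
To: jane@example.com
Subject: Your account has been limited
Content-Type: text/html

<html><body><p>Dear Jane Doe,</p>
<p><a href="http://pp-secure.example/verify?user=jane@example.com&amp;sid=1">Click here to login</a></p>
</body></html>
"""

class _Links(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])

def registrable(host):
    """Crude last-two-labels domain, enough for this demonstration."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw, trusted_domain):
    """Return the red flags the analyst above checked by hand, as strings."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg["From"])
    # 1. Display name looks like an address, but the real sender domain differs.
    if "@" in name and registrable(name.split("@")[1]) != registrable(addr.split("@")[1]):
        flags.append(f"display name {name} hides sender {addr}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    links = _Links()
    links.feed(body)
    for href in links.hrefs:
        parts = urlsplit(href)
        # 2. Link points away from the brand's own domain (what a mouseover reveals).
        if registrable(parts.hostname or "") != trusted_domain:
            flags.append(f"link host {parts.hostname} is not {trusted_domain}")
        # 3. Recipient's own address carried in the URL (tracks who clicked).
        if any("@" in v for vals in parse_qs(parts.query).values() for v in vals):
            flags.append(f"recipient address embedded in {href}")
    return flags
```

Running `phishing_indicators(SAMPLE, "paypal.com")` reports all three flags for the constructed message and an empty list once the sender and link host are genuinely on the trusted domain.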

HEADLINE NEWS

Massive Government Data Breach Exposes Every Filipino Voter's PII

The personally identifiable information (PII) of 55 million Filipino voters could have been exposed in a March 27th data breach of the Philippine Commission on Elections (COMELEC). This could be the worst government data breach anywhere, ever. Supposedly, its purpose was to convince the commission to implement stronger voting security for their upcoming elections.

COMELEC seems to be brushing off the incident, but according to Trend Micro, the amount of PII that was exposed is alarming: 15.8 million fingerprint records, 1.3 million overseas Filipino voter passport numbers, a list of officials that have admin accounts, and more.

Trend Micro warns Filipinos that they could now be targeted by criminals. For more information on the breach, visit their blog: http://bit.ly/1VCIBup.

Many of World's Most Powerful People Exposed by Panama Papers Leak

The Panama Papers leak has been dubbed the biggest ever of its kind, overshadowing the Wikileaks and Edward Snowden scandals with 2.6 terabytes of incriminating data made public. Law firm Mossack Fonseca was exposed as helping several power players worldwide protect and hide their millions, and a cascade of resignations has followed. To read the details of this unfolding story and to stay up-to-date, visit the ICIJ: https://panamapapers.icij.org/.

From a security standpoint, this leak more than likely arose from an insider threat (though still unconfirmed). This is a common cause of breaches and, in this case, very difficult to confirm. It's unclear where to draw the line between legitimate whistleblowing and criminal theft of information. And who should be prosecuted: the law firm for failing to protect its clientele's confidential data, the whistleblower who has access to that data, or the heads of state who were engaging in illegal and seedy business? Only time will tell!

From Twitter

Yahoo Security @YahooSecurity, Mar 18: Yahoo kills password authentication with their new account key http://bit.ly/265SiGA

Get Safe Online @GetSafeOnline, Mar 21: Incidents of online ticket fraud rose by 55%, costs UK public 5.2m http://bit.ly/1XHesZy

Microsoft MMPC @msftmmpc, Mar 22: Microsoft releases new Office feature to combat macro malware http://bit.ly/1SjUkLK

ESET @ESET, Mar 23: Self-protecting USB steals data via undetectable trojan http://bit.ly/1Ry3tgF

Intl. Business Times @IBTimes, Mar 23: Hackers breached water treatment plant & successfully changed levels of chemicals in water http://bit.ly/1SfJp5Y

Cloudmark @Cloudmark, Mar 31: 55+ companies have fallen victim to W-2 spear phishing attacks http://bit.ly/22AlalS

Washington Post @washingtonpost, Apr 12: FBI paid hackers to crack into iPhone; will they tell Apple how? http://wapo.st/1VkMpl7

IBM @IBM, Apr 14: Hybrid malware GozNym used in attacks against 24 US & Canadian banks to steal millions http://ibm.co/1qU7JSg
