Notes on the pandemic's opportunities for bad actors, common sense about shopping securely during the holidays, and some CISA internship opportunities. (And to summarize what the social engineers are going to do, it's like this: they'll take you to a high place, show you all the kingdoms of earth, and so on. That kind of FOMO's been tried before.)
Expect more COVID-19 vaccine scams, and more criminal collaboration.
Check Point finds that malign activity keyed to the pandemic is assuming three general forms: cyberespionage directed at researchers and pharmaceutical companies engaged in vaccine development, phishing and waterholing domains with a COVID-19 theme, and, finally, barefaced scams hawking bogus treatments.
Proofpoint, for its part, foresees more ransomware hitting cloud repositories, the continuing threat of social engineering, a relative abatement (but not disappearance) of business email compromise, and growing collaboration among criminal groups.
Common-sense security for holiday shopping.
The winter holidays are upon us. Hanukkah began yesterday evening and will end next Friday evening; Christmas is just two weeks away. Thus last-minute shoppers are finding time closing in on them, and Unisys has some common-sense advice that's nonetheless worth reviewing. Mathew Newfield, CISO at Unisys, summarized that advice in an email:
- "Patch your home IoT devices. Be sure to protect your Wi-Fi network and any device around the house connected to it by patching and updating to the latest firmware and checking the brand and model for security risks. It is also important to change default passwords and use passwords of significant strength. Do not use words or deviations of words as passwords.
- "Multi-factor authentication is not just for businesses. Consumers have the option of setting up voice or facial recognition-based access, or of receiving push notifications if a new or unauthorized login is detected.
- "Make sure you’re using secure sites. It’s important to use secure resources when shopping, especially for any site that asks you to input credit card or bank account data to complete a purchase. Make sure you only use trusted, verified sites that you are familiar with, and be sure to type the URL into your browser rather than risk inadvertently clicking a malicious link."
RiskIQ has published its holiday E-Commerce Blacklist Threat Report for 2020. The size of the opportunity would seem to explain why the threat is so active at this time of year. RiskIQ says that "30% of all retail sales occur between Black Friday and Christmas," that there's a "35% rise predicted in U.S. e-commerce sales compared to last year" (probably reinforced by pandemic-driven social isolation), and that "83% of shoppers will spend 50% of their budget online."
CISA's hiring interns.
It's neither a trend story nor a holiday security story, but since applications close in early January, it is a seasonal story. Students interested in an internship at the US Cybersecurity and Infrastructure Security Agency may wish to explore some recently announced opportunities. The agency is offering Student Trainee (IT Management) positions in three pay ranges: GS 1-2, GS 3-4, and GS 5-7. The jobs are open to high school students, undergraduates, and grad students.
(And a wave of acknowledgement to Katzcy, who tipped us off to the opportunity.)