At a glance.
- Spoofing Test and Trace to collect personal information.
- Third-party apps in the G Suite Marketplace request extensive permissions.
Test and Trace spoofed to gather personal information.
The pandemic continues to provide the bait for phishing campaigns. In the UK the NHS’s Test and Trace system will soon be contacting people who may have been exposed to COVID-19 in an effort to forestall a second wave of infection. The National Health Service says that if you’re called, you “will not be asked to provide any passwords, bank account details or PIN numbers.” Nor will you be asked to download anything. But, Infosecurity Magazine points out, the Test and Trace callers may ask for “full name, date of birth, sex, NHS Number, home postcode and house number, telephone number and email address,” and that’s a nice beginning for subsequent spearphishing and identity fraud. So people should expect the scams to begin.
Since junk phone calls now seem to make up about the same fraction of calls that junk mail does of your mailbox, it’s not surprising to read in the Register that such attempts are already in progress. SMS sender IDs and caller line identification are easy to spoof, so neither can be relied on as an indication that a call is genuine. And follow links in an SMS message purporting to lead to official COVID-19 alerts only at your peril.
Third-party apps in the G Suite Marketplace want a lot of permission...
ZDNet reports that researchers at Two Six Labs have examined the permissions requested by third-party Google apps listed on the G Suite Marketplace, and they've found that those permissions amount to an incipient "privacy scandal." Their report outlines their approach. At the beginning of January they used an automated script to install all 1392 applications listed in the G Suite Marketplace. 405 of them failed to install (for various reasons), and of the 987 apps they were able to install, 889 required access to user data and so triggered a permission request. 481 of those applications asked for permission to communicate with some external service, which would of course connect the user's Drive and Gmail to that external service. And the G Suite Marketplace review process seemed not to be keeping intrusive apps out. It takes between four and eight weeks to review apps that make "restricted" API calls and interact with Drive or Gmail data. Until an app is verified, only 100 installations are supposed to be allowed, but the researchers found that many more than 100 users were in fact able to install unverified apps.
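The combination the researchers single out, access to Drive or Gmail content plus permission to talk to an external service, is the one a Workspace administrator would most want to spot before approving an add-on. The following is an added example, not Two Six Labs' script or any Google tooling: it triages the OAuth scopes each app requests and flags apps that hold both a content scope and the external-request scope. The app names and scope lists are constructed, and the scope bucketing (prefix matching on Drive and Gmail scopes, a small set of narrow scopes treated as low risk) is a coarse heuristic of mine, not Google's official scope classification, which an admin should check against Google's current scope table.

```python
"""Added example: triage OAuth scopes requested by Workspace add-ons.

Scope buckets are a simplifying assumption for illustration, not Google's
official sensitive/restricted classification.  Sample apps are constructed.
"""
from collections import Counter

# Narrow scopes that only reach files the user explicitly opens with the app,
# or basic identity; treated as low risk in this example.
NARROW_SCOPES = {
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.install",
    "https://www.googleapis.com/auth/userinfo.email",
}
# Apps Script scope that lets an add-on make HTTP requests to arbitrary hosts.
EXTERNAL_SCOPE = "https://www.googleapis.com/auth/script.external_request"
# Prefixes covering Drive and Gmail content scopes (coarse, over-approximating).
CONTENT_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail",
    "https://mail.google.com/",
)


def classify_scope(scope: str) -> str:
    """Bucket one OAuth scope as 'narrow', 'external', 'content' or 'other'."""
    if scope in NARROW_SCOPES:
        return "narrow"
    if scope == EXTERNAL_SCOPE:
        return "external"
    if scope.startswith(CONTENT_PREFIXES):
        return "content"
    return "other"


def triage_app(scopes):
    """Flag an app by whether it reaches user content, an external service, or both."""
    buckets = {classify_scope(s) for s in scopes}
    content = "content" in buckets
    external = "external" in buckets
    # Content access plus outbound network access is a ready-made data path out
    # of the tenant; that pairing deserves a manual review before approval.
    return {"content": content, "external": external, "exfil_path": content and external}


def triage(apps):
    """apps: {app_name: [scope, ...]} -> {app_name: flags}."""
    return {name: triage_app(scopes) for name, scopes in apps.items()}


def summarize(findings):
    """Count how many apps carry each flag, for a one-line report."""
    counts = Counter()
    for flags in findings.values():
        counts.update(k for k, v in flags.items() if v)
    return dict(counts)


# Constructed sample manifests (hypothetical app names).
SAMPLE_APPS = {
    "Doc Signer (constructed)": [
        "https://www.googleapis.com/auth/drive",
        "https://www.googleapis.com/auth/userinfo.email",
    ],
    "MailMerge (constructed)": [
        "https://www.googleapis.com/auth/gmail.modify",
        "https://www.googleapis.com/auth/script.external_request",
    ],
    "Calendar Helper (constructed)": [
        "https://www.googleapis.com/auth/calendar.readonly",
        "https://www.googleapis.com/auth/userinfo.email",
    ],
    "File Picker Widget (constructed)": [
        "https://www.googleapis.com/auth/drive.file",
        "https://www.googleapis.com/auth/drive.install",
    ],
}

if __name__ == "__main__":
    findings = triage(SAMPLE_APPS)
    for name, flags in findings.items():
        marks = ", ".join(k for k, v in flags.items() if v) or "none"
        print(f"{name}: {marks}")
    print("summary:", summarize(findings))
```

In practice the scope lists would come from an admin's review of each add-on's OAuth consent request rather than from a hand-written dict; the value of the triage is that it makes the content-plus-external pairing visible before, not after, users have installed the app.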
The researchers suggest one bit of human engineering that might improve user security awareness: have the apps ask for permission on first use as opposed to on installation. It's been found that this helps users recognize over-intrusive applications they might otherwise allow in.