Canary tokens — also known as honey tokens — force attackers to second-guess their potential good fortune when they come across user and application secrets.

With nearly half of all breaches involving external attackers enabled by stolen or fake credentials, security firms are pushing a high-fidelity detection mechanism for such intrusions: canary tokens.

Canary tokens, a subset of honey tokens, are manufactured access credentials, API keys, and software secrets that, when used, trigger an alert that someone is attempting to use the fake secret. Because the credentials are not real, they would never be used by legitimate workers, and so any attempt to access a resource using the canary token is a high-confidence sign of a compromise.

Last week, secrets-management firm GitGuardian released a version of the technology, _ggcanary_, as an open source project on GitHub. The project, tailored to Amazon Web Services (AWS) credentials, is designed to give developers a simple-to-use tool to detect attacks on their software development pipeline, says Henri Hubert, lead developer for GitGuardian's Secrets Team.

"You can put them almost everywhere," he says. "The best place to put them is in the CI/CD pipeline or in your artifacts used in that pipeline, such as Docker images. But you can also put them in your private repositories and your local environment. You can put them almost anywhere that is related to your developers' work."

    

Credentials are a popular target of theft. Source: 2022 Data Breach Investigations Report, Verizon

As the use of cloud services and APIs have taken off, attackers have increasingly targeted such infrastructure with stolen credentials and API tokens. The average company uses more than 15,000 APIs, tripling in the past year, while malicious attacks on those APIs have jumped seven-fold, according to research released in April. In addition, nearly 50% of all breaches not otherwise due to user error or misuse make use of credentials, according to Verizon's "2022 Data Breach Investigations Report" (DBIR). 

**Tripwires Slow Down Attacks**

Unsurprisingly, more companies are using canary tokens to create digital minefields for which attackers need to be wary or otherwise get caught. By seeding file servers, development servers, and personal systems with files that contain credentials or links that can act as tripwires, companies make lateral movement within their systems much more hazardous for attackers, says Haroon Meer, founder and CEO of Thinkst, a cybersecurity consultancy that created its own infrastructure for canary devices and tokens, including servers, sensors, and credentials.

Yet, attackers really have no choice: They cannot ignore potential legitimate credentials during an intrusion, he says.

"If they happen to find AWS credentials or the keys to someone's Kubernetes cluster, attackers have to try it — it's really hard for them to not to use those," Meer says. "And if you get notified the moment that they try it, then you shrink the exposure window so dramatically because you are not finding out months later after they have done everything to you."

Thinkst's Meer likes to point to comments from penetration testers and red teams that highlight the utility of canary tokens. Attackers have to always second guess any cache of credentials, API keys, or software secrets that they find, and that slows them down, tweeted Shubham Shah, a bug hunter, penetration tester, and chief technology officer at attack-surface management startup Assetnote.

"The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal," Shah said. "If the aim is to increase the time taken for attackers, canary tokens work well."

GitGuardian's _ggcanary_ focuses on Amazon Web Services because of the popularity of the platform and of the infrastructure-as-code management platform, Terraform. In its best-practices document, Amazon highlights that control of AWS access keys equals control of all AWS resources.

"Anyone who has your access keys has the same level of access to your AWS resources that you do," Amazon stated in its "Best practices for managing AWS access keys" document. "Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our shared-responsibility model, you should as well."

**Everyone Likes Canaries**

Companies such as Thinkst, GitGuardian and Microsoft are aiming to make canary tokens much easier to deploy — often in minutes.

Yet defenders are not the only ones to find uses for canaries. Attackers have also started using canary tokens as a way to detect when defenders analyze their malware.

In a recent report of an attack by the Iran-linked group MuddyWater, Cisco's Talos Intelligence group noted the simple usage of canary tokens. The initial malware — a Visual Basic script — sends two requests for the same canary token to validate a compromise. If only a single request is detected, which would likely happen during sandboxed execution or during analysis, then the malware does not run.

"A reasonable timing check on the duration between the token requests and the request to download a payload can indicate automated analysis," stated Cisco's threat intelligence team in an advisory. "Automated sandboxed systems would typically execute the malicious macro generating the token requests."

Credential Canaries Create Minefield for Attackers

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Something peculiar seems to be happening high up in the treetops. Any ideas what it could be? Send us your caption ideas for the above cartoon, and the winner of The Edge's August contest will receive a $25 Amazon gift card. 

We offer four convenient ways for you to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge July 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, August 24, 2022.

**Last Month's Winner**

And .... he does it again! AgCredit IT director Allen Campbell, who won our May "Flower Power" contest, captured the most votes for his caption for last month's contest, "On Guard." A $25 gift card is on the way for his clever caption, below. Thank you to everyone who participated.

    

  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Up a Tree

Identity and access management was front and center at AWS re:inforce this week.

Amazon emphasized identity and access management during its AWS re:Inforce Security conference in Boston this week. Among announcements for GuardDuty Malware Detection and Amazon Detective for Elastic Kubernetes Service (EKS), Amazon Web Services executives highlighted the launch of IAM Roles Anywhere from earlier this month, which enables AWS Identity and Access Management (IAM) to run on resources outside of AWS. With IAM Roles Anywhere, security teams can provide temporary credentials for on-premises resources.

IAM Roles Anywhere enables on-premises servers, container workloads, and applications to use X.509 certificates for the temporary AWS credentials, which can use the same AWS IAM roles and policies. "IAM Roles provides a secure way for your on-premises servers, containers, applications, to obtain temporary AWS credentials," AWS VP of Platforms Kurt Kufeld said.

Creating temporary credentials is an ideal alternative when they are only needed for short-term purposes, Karen Haberkorn, AWS director of product management for identity, said during a technical session.

"This extends IAM Roles so you can use them and workloads running outside of AWS that lets you tap into all the power of AWS services wherever your applications are running," Haberkorn said. "It lets you manage access to AWS services in the exact same way you are doing today for applications that run in AWS, for applications that run on premises, at the edge — really anywhere."

Because IAM Roles Anywhere enables organizations to configure access the same way, it reduces training and provides a more consistent deployment process, Haberkorn added. "And yes, it means a more secure environment," she said. "It's more secure because you no longer having to manage the rotation and the security of any long-term credential that you might have used for on-premises applications in the past."

**New IAM Identity Center**

Amazon also announced that it has renamed its AWS Single Sign-On offering "AWS Identity Center." Principal product manager Ron Cully explained in a blog post this week that the name change is to better reflect its full set of capabilities and to support customers who in recent years have shifted to a multi-account strategy. AWS is also looking to "reinforce its recommended role as the central place to manage access across AWS accounts and applications," Cully wrote.

While AWS hasn't announced any technical changes to AWS Identity Center, Cully said that it has emerged as the "front door into AWS." AWS Identity Center handles all authentication and authorization requests, and now processes half a billion API calls per second.

Curtis Franklin, a senior analyst who covers enterprise security management and security operations at Omdia, noted that AWS underscored IAM throughout the 2-day conference. "AWS gave signs that it considers identity the frontline to security and privacy in the cloud," he said. "I think they are going to continue to bring in partners so that AWS is the single source of truth about who authorized users are and what privileges they can have."

AWS Focuses on Identity Access Management at re:Inforce

The new GuardDuty Malware Protection and Amazon Detective were among 10 products and services unveiled at AWS re:Inforce in Boston this week.

Amazon Web Services (AWS) has added malware protection to its GuardDuty threat detection service for EC2 compute instances and container workloads backed by Elastic Block Storage (EBS) volumes. The new GuardDuty Malware Protection option is designed to detect suspicious files that could be malware and then alert administrators through the AWS Security Hub.

The release of GuardDuty Malware Protection was among 10 new products and services that the cloud provider revealed during its AWS re:Inforce security conference in Boston this week. Amazon hosted thousands of security professionals at the event, which included a broad agenda of technical sessions, training and certification workshops, and panel discussions.

AWS Platform VP Kurt Kufeld outlined the cloud provider's latest security announcements during the event's opening keynote session. Explaining how the new GuardDuty Malware Protection feature works, Kufeld said when it detects suspicious files, it takes a snapshot of the associated EBS volume as the workload is processing.

GuardDuty then sends its findings to the AWS Security Hub via Amazon EventBridge, the same way it handles other threat activities. Amazon Detective, a tool AWS added in 2020 that uses machine learning to investigate events by analyzing log data, detects if any malware is present. 

"Use the integration to gain visibility into your overall security state for your organization, as well as easily search, filter, triage, investigate, or take action on any of the security findings that you do have," Kufeld said.

GuardDuty then analyzes what it finds with compute that runs in the AWS service account, "not your account, so as not to disturb the workload or require any agents or security software to be deployed inside your workload," Kufeld added. "When malware is detected, GuardDuty malware protection automatically sends additional and contextualized malware findings to GuardDuty console."

Curtis Franklin, a senior analyst who covers enterprise security management and security operations at Omdia, said AWS is taking an aggressive step with the addition of GuardDuty Malware Protection. 

"Calling it malware protection is a stretch; it's malware detection, and that's a critical difference," Franklin said. "It is not a fully featured offering, but it does plant a stake in the market for them."

AWS identified nine partners whose threat protection can integrate with its new malware offering: Bitdefender, CloudHesive, CrowdStrike, Fortinet, Palo Alto Networks, Rapid7, Sophos, Sysdig, and Trellix.

**Kubernetes Support for Amazon Detective**

Among other new offerings, AWS has added support for Kubernetes workloads with the addition of Amazon Detective for EKS, which builds on the managed threat analytics service. Amazon Detective ingests a wide variety of events, such as login attempts, API calls, and traffic, from various AWS services, including GuardDuty, AWS CloudTrail, and Amazon VPC. Since launching Amazon Detective two years ago, AWS has added support for identity and access management (IAM) roles, IP address analytics, integration with Splunk, Amazon S3, and AWS Organizations.

Amazon Detective for EKS was created in response to organizations moving to containers, which has resulted in growth of AWS' Elastic Kubernetes Service (EKS).

"Amazon Detective for EKS analyzes, investigates, and identifies the root cause of security findings for suspicious control-plane activity on EKS clusters," Kufeld said. "With a single-click setting and no agent requirements, it is much easier to start analyzing Amazon EKS specific activity. It uses advanced correlation and graph-based analytics to investigate security findings from suspicious container images or container misconfigurations that may allow access to the underlying EC2 nodes."

Amazon Adds Malware Detection to GuardDuty TDR Service

Why was PII belonging to nearly 1 billion people housed in a single, open database? Why didn't anyone notice it was downloaded?

Questions continue to swirl around a June 30 incident where an unknown individual put up for sale on a popular underground forum a staggering 23TB of personally identifiable information (PII), belonging to some 1 billion people in China. 

And, in the meantime, the database is continuing to cause ripples across the Dark Web.

The dataset was reportedly accessed from an unsecured Shanghai police database hosted on Alibaba's cloud hosting platform. It included names, addresses, birthplaces, phone numbers, national IDs, and criminal records associated with Chinese citizens and even foreign nationals who might have visited Shanghai during the past few years. The database is still available for sale for 20 bitcoins, or roughly $240,000 currently.

The leak is believed to have happened because a dashboard for managing the database was apparently left open to the Internet, without a password, for more than one year. Though the incident represents one of the largest ever compromises of PII to date, news of it has reportedly been largely blacked out in China. 

However, that has not stopped members of the country's prolific hacking community from flocking to the underground forum where the data is available, according to researchers at Cybersixgill who have been tracking the aftermath of the massive breach. There also has been a notable increase in data leaks of Chinese entities that have been shared on the forum since June 30, they noted.

"We anticipate that we will be seeing the reverberations of this breach on the underground for quite some time," predicts Naomi Yusupov, Chinese intelligence analyst at Cybersixgill. She expects that threat actors will try and use the leaked data in social engineering campaigns, in attacks to try and access more data, and in a variety of other malicious ways.

Yusupov also expects the breach to encourage other threat actors to share more data from breaches in China, as has already begun happening. Chinese threat actors appear to be viewing the high asking price for the Shanghai data as an indication that Chinese databases overall are highly valuable. This could encourage more Chinese data leaks, she says.

"The massive uptick in Chinese users active on the forum could increase the communication and knowledge transfer between the Chinese and the English underground," she notes.

**More Than Just Another Cloud Misconfig**

There have been countless instances where organizations have similarly exposed sensitive data by leaving it in poorly secured, Internet-accessible cloud storage buckets like Amazon's S3 and ElasticSearch buckets. The most recent incident involved 3TB of sensitive data belonging to airport employees in Columbia and Peru that was exposed via a misconfigured Amazon S3 bucket. 

Vendors such as Upguard have reported detecting thousands of such instances in recent years. UpGuard's most notable discoveries on S3 buckets include some 540 million records from multiple Facebook third-party apps, trade secrets belonging to GoDaddy, and 73GB of data belonging to Pocket Inet employees.

What makes the Shanghai breach notable is its sheer scale. By most accounts, it is one of the largest ever known compromises of PII.

"We see breaches like this quite often," says Ray Kelly, fellow at the Synopsys Software Integrity Group. "\[But\] the staggering volume and breadth of PII that was contained about Chinese citizens and non-citizens alike will certainly raise red flags."

And it's not just the seeming lapse in securing the database alone that's at issue here: "Was it smart to store 1 billion users' PII in one location to begin with?" he asks rhetorically.

John Bambenek, principal threat hunter at Netenrich, says another big question is why nobody noticed 23TB worth of data being downloaded from the cloud database. 

"Aside from backups, I can’t think of any legitimate use case that involves moving an entire dataset like that," he says. 

Often, database administrators set databases to give people read access and rarely have controls to detect when someone might be abusing that access. Even so, "basic network anomaly detection likely could have caught this," Bambenek says.  

**A Rare Peek**

The Shanghai police data compromise is also notable because there have been few instances where a major cybersecurity incident in China has become public knowledge. 

"While China has historically been home to one of the world's largest communities of cybercriminals, domestic Chinese breaches are rarely disclosed because the Chinese government censors media coverage," Cybersixgill's Yusupov says. For instance, major Chinese social media platforms such as Weibo and WeChat both censored news of the Shanghai police database breach.

Even so, there have been other instances where details of breaches within China have trickled to the outside world, Yusupov notes. One example is a 2016 incident in which an anonymous hacker took to Twitter to expose sensitive information related to dozens of Chinese Communist Party officials and Chinese business magnates, such as Alibaba Group founder Jack Ma and real estate tycoon Wang Jianlin of the Dalian Wanda Group.

Other examples include a 2020 incident where a malicious actor stole the data of more than 538 million users and one in May where tens of thousands of apparently hacked files from China's northern Xinjiang region were released, exposing the persecution of the Uyghur ethnic minority there, she says.

Big Questions Remain Around Massive Shanghai Police Data Breach

Ubuntu Security Notice 5540-1 - Liu Jian discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the USB gadget subsystem in the Linux kernel did not properly validate interface descriptor requests. An attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5540-1  
July 28, 2022

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-kvm: Linux kernel for cloud environments  
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

Liu Jian discovered that the IGMP protocol implementation in the Linux  
kernel contained a race condition, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-20141)

It was discovered that the USB gadget subsystem in the Linux kernel did not  
properly validate interface descriptor requests. An attacker could possibly  
use this to cause a denial of service (system crash). (CVE-2022-25258)

It was discovered that the Remote NDIS (RNDIS) USB gadget implementation in  
the Linux kernel did not properly validate the size of the RNDIS_MSG_SET  
command. An attacker could possibly use this to expose sensitive  
information (kernel memory). (CVE-2022-25375)

Arthur Mongodin discovered that the netfilter subsystem in the Linux kernel  
did not properly perform data validation. A local attacker could use this  
to escalate privileges in certain situations. (CVE-2022-34918)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  linux-image-4.4.0-1111-kvm      4.4.0-1111.121  
  linux-image-4.4.0-1146-aws      4.4.0-1146.161  
  linux-image-4.4.0-230-generic   4.4.0-230.264  
  linux-image-4.4.0-230-lowlatency  4.4.0-230.264  
  linux-image-aws                 4.4.0.1146.150  
  linux-image-generic             4.4.0.230.236  
  linux-image-kvm                 4.4.0.1111.108  
  linux-image-lowlatency          4.4.0.230.236  
  linux-image-virtual             4.4.0.230.236

Ubuntu 14.04 ESM:  
  linux-image-4.4.0-1110-aws      4.4.0-1110.116  
  linux-image-4.4.0-230-generic   4.4.0-230.264~14.04.1  
  linux-image-4.4.0-230-lowlatency  4.4.0-230.264~14.04.1  
  linux-image-aws                 4.4.0.1110.107  
  linux-image-generic-lts-xenial  4.4.0.230.200  
  linux-image-lowlatency-lts-xenial  4.4.0.230.200  
  linux-image-virtual-lts-xenial  4.4.0.230.200

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
  https://ubuntu.com/security/notices/USN-5540-1  
  CVE-2022-20141, CVE-2022-25258, CVE-2022-25375, CVE-2022-34918

Ubuntu Security Notice USN-5540-1

In zulip before 1.3.12, bot API keys were accessible to other users in the same realm.

CVE-2016-4426: Version History — Zulip 2.1.7 documentation

When connecting to Amazon Workspaces, the SHA256 presented by AWS connection provisioner is not fully verified by Zero Clients. The issue could be exploited by an adversary that places a MITM (Man in the Middle) between a zero client and AWS session provisioner in the network. This issue is only applicable when connecting to an Amazon Workspace from a PCoIP Zero Client.

HP has provided updated versions of Tera2 Zero Client firmware that remediate vulnerabilities found in firmware version 22.04 and earlier.

Severity

High

HP Reference

HPSBHF03794 Rev. 1

Release date

July 12, 2022

Last updated

July 12, 2022

Category

Teradici

Potential Security Impact

When connecting to Amazon Workspaces, the SHA256 presented by AWS connection provisioner is not fully verified by Zero Clients. The issue could be exploited by an adversary that places a MITM (Man in the Middle) between a zero client and AWS session provisioner in the network. This issue is only applicable when connecting to an Amazon Workspace from a PCoIP Zero Client.

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by: HP Teradici

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2022-1805

7.5

High

CVSS3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Learn more about CVSS 3.1 base metrics, which range from 0 to 10.

PSR-2022-0059

**Resolution**

Products can be updated or replaced with the latest release by downloading from the Teradici website and following standard installation or update instructions:

**Downloads**

*   Zero Client Firmware 22.04.1
    
    *   https://docs.teradici.com/find/product/zero-clients/2022.04/zero-client-firmware
        
    
*   Zero Client Firmware 22.01.5
    
    *   https://docs.teradici.com/find/product/zero-clients/2022.01/zero-client-firmware
        
    

**Update or installation instructions**

*   Zero Client Firmware 22.04.1
    
    *   https://teradici.com/web-help/pcoip\_zero\_client/tera2/22.04/uploading\_firmware
        
    
*   Zero Client Firmware 22.01.5
    
    *   https://teradici.com/web-help/pcoip\_zero\_client/tera2/22.01/uploading\_firmware
        
    

**Affected products**

Identify the affected products.

Affected products    

Product Name

Updated version

Status

Zero Client Firmware

22.01.5

Released May 19, 2022

Zero Client Firmware

22.04.1 and later

Released May 19, 2022

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

July 7, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-1805: AWS Connection Session Provisioner’s SHA256 hash is not fully verified by PCoIP Zero Clients

A path traversal vulnerability exists within GoAnywhere MFT before 6.8.3 that utilize self-registration for the GoAnywhere Web Client. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended.

CVE-2021-46830: GoAnywhere MFT Release Notes

By Owais Sultan
The advent of the digital age is a source of blessing in a way that makes life easier…
This is a post from HackRead.com Read the original post: Ways Hackers Can Steal Information from Your Device

****The advent of the digital age is a source of blessing in a way that makes life easier yet, it comes with some challenges including malicious hackers and cyber attacks.****

The threats posed by hackers to organizations and individuals have become a major concern as those fraudulent elements keep on increasing and devising new methods of perpetrating their sinister acts.

According to research by a software testing firm, not less than 30,000 websites are hacked daily worldwide and every 39 seconds there is a new cyber-attack launched at someone on the web. 

Let’s dig deeper into how hackers operate and how you can protect yourself from cyber attacks and scams.

Social engineering is a tricky one! Hackers can manipulate you by posing as someone you know and compel you to take action if they want to steal your information. For example, they may send you a link from a hacked social media profile, and create urgency by asking you to take some action.

After you click the link, you will be taken to a page that will require you to sign in to your Google or Apple, or similar account. But the form does not login to your account, it will instead be a fake login page created by crooks to steal your login credentials.

A recent example of a successful social engineering attack includes the Singaporean identity fraud scammer Ho Jun Jia (a/k/a Matthew Ho, a/k/a, Prefinity a/k/a Ethereum Vendor) who is now in prison for scamming in the name of the co-founder and co-chairman of Riot Games Mr. Marc Merrill.

Ho also used social engineering skills to trick Google and Amazon Web Services (AWS) into providing $5.4 million worth of cloud computing services by using personal details of Merrill.

**Keylogger**

Keylogger is designed to secretly spy on victims and can capture everything you type on your keyboard and every command you execute. It captures your passwords, credit card numbers, keystrokes, and browsing history.

It is worth noting that a keylogger can be software or a hardware device such as a malicious USB.

Software Keyloggers sneak into your computer system via harmful links or attachments. A hardware-based keylogger can be installed on your device if attackers have physical access to your computer.

**Public Wi-Fi Eavesdropping**

Wi-Fi eavesdropping can be defined as the act whereby your vital data is stolen by a hacker after exploiting an unsecured public Wi-Fi network. Because some public Wi-Fi allow unsecured transmission of data, your vital information, and files that are unencrypted are at the risk of hackers.

One of the gimmicks used by hackers is that they would name their hotspot after the name of the business premises or shopping mall etc. The Wi-Fi will probably be free and without a password so you are tempted to go for freebies. 

Once you connect to the hacker’s Wi-Fi, the hacker can see everything you do and steal your personal information including passwords. You can avoid this by not using public Wi-Fi, using your own hotspot device plus enabling your VPN at all times.

**SIM Swap Fraud**

A SIM swap attack is when a cybercriminal(s) calls your network provider and impersonates you. They claim that your SIM card is lost and they want to port your number to a new hacker-controlled SIM card.

Of course, your network provider will ask some questions to identify the person requesting the swap. These questions can be easily answered based on the Infomation you have provided about yourself on your social media accounts. (Don’t share your personal information on social media).

In this age of two-factor authentication (2FA) and USSD banking, your SIM card is coveted by hackers. This is because when they get your SIM card, they can bypass 2FA and intercept OTP (one-time password) as the verification code is sent to your swapped phone number.

Equity and forex trading brokerages also offer online trading apps that use 2FA to verify and authenticate users. When your SIM has been swapped, this verification code goes straight to the hacker who now controls your phone number.

Once the attacker has the verification code, they can link a new account to your investment, crypto wallet, or trading app and wire funds out. They can also use the funds in your account to buy worthless shares from other scammers thus enriching them and impoverishing you.

**Browser Hijacking**

An attacker can install malware right into your internet browser without you even knowing. This can happen when you click on an unknown link or download an app from a 3rd-party store. Most of the apps available in such stores are Trojans meaning they are not what they claim to be. By installing them, you could install a virus into your browser as well.

The virus in your browser then begins to redirect you to hacker-controlled sites that resemble legitimate sites. From there, your passwords are collected and used to access your accounts. 

**IP Spoofing**

This is the act whereby a hacker hijacks your browsing connection through the usage of a fake Internet Protocol (IP) address. A publication by Dell Technologies shows that there are over 30,000 spoofing attacks every day around the world.

IP spoofing scams mostly occur at a location where internal systems trust one another in a way that users can have access without any username or password, provided they are connected with the network.

It involves the act of masquerading as a fake computer IP address in a way that would look like a legitimate one. In the course of IP spoofing, attackers convey a message to a computer system with a fake IP address which shows that the message is coming from a different IP address. 

**Domain Name System (DNS) Spoofing/ Poisoning**

The term ‘spoofing’ has to do with impersonation. In this case, a hacker’s computer is impersonating a legitimate computer on a network. A domain name is simply a website name like ‘www.google.com’

DNS spoofing, let’s assume you want to visit Twitter and you type the domain name ‘www.twitter.com’ into your browser’s URL bar. This domain name is sent to a DNS server which converts the domain name of Twitter into an IP address example 172.28.213.15 which is supposed to be the IP address of Twitter’s official computer server.

The hacker spoofs it by deceiving the DNS server to convert Twitter’s domain name into a **different** hacker-controlled IP address which takes you to the hacker’s server instead of Twitter’s server.

The attackers could have designed a fake Twitter page and hosted it on his spoofed server. Once you attempt to log in, they can steal your password and use it to access your account. 

The result of DNS poisoning is that any information you send is routed through the hacker before it gets to the web. This allows them to steal your passwords and access your accounts. 

**Domain Spoofing**

This online fraud, also known as a homograph attack occurs when a hacker makes use of a domain name that greatly resembles the website you are trying to visit.  Perpetrating this act, the hacker replaces the characters in the fake domain name with other non-ASCII characters that look much alike in appearance.

It will be designed in such a way that you may not notice the difference, as you would be assured about the secure connection of the browser. To begin the process of HTTP spoofing, the cyber attacker’s first step is to register a domain name that resembles yours.

The scammer would then proceed to send a link to you, and you may likely not notice that you are visiting a fake version of the site you planned to go to because the majority of browsers display puny code host names in their address bar. One such example is:

It’s Google.com not ɢoogle.com

This scamming system is designed to even prove to you that the website’s SSL certificate is real, thereby preventing you from detecting the fraud.

**Session Hijacking**

When you visit a website, you might notice a popup prompting you to allow cookies. Cookies refer to your personal information stored temporarily in your computer’s cache memory and are deleted after you leave the site. _(Here’s how to disable Cookies notice for good)_.

Cookies contain a unique ‘session ID’ number which if gotten by a hacker, will enable them to take over your session. An attacker can steal your cookies using different means such as phishing scams where they send you an email containing a malicious link. When you click on the link, it will install malware for session hijacking.

The point here is, that once an attacker steals your cookie or gets your session ID, they can take over your browsing session and if you were visiting a bank website, they can steal your funds. You may notice the page freeze, or some technical difficulty while this is going on and when it’s over, your money is gone. 

**Don’t Be Caught Off Guard**

*   Never download files from suspicious emails, messages, or contacts. Also, never click a link shared by an unknown source, or enter your account details and password on websites that you don’t trust.
*   Ensure that your two-factor authentication is enabled. Or you can also use token-based logins.
*   Don’t send PINs, passwords, and your financial details via text or email.
*   To guard against IP Spoofing, ensure you use a Virtual Private Network (VPN). Or use anti-malware software with web protection, that blocks unknown websites.

Tag

#amazon