Telephone: 1-844-NETIZEN
Tel: 1-844-NETIZEN
Email: team (at) Netizen.net
slider

Netizen Cybersecurity Bulletin (July 31st, 2024)

Posted on 31 Jul 2024 at https://www.Netizen.net/news Source Link: https://blog.netizen.net

Overview:

  • Phish Tale of the Week
  • Meta Faces EU Scrutiny Over “Pay or Consent” Model
  • Federal Recovery Underway After CrowdStrike Outage; Congress Demands Accountability
  • How can Netizen help?

Phish Tale of the Week

Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as Amazon. The message tells us that our membership has expired, and that our monthly payment has failed, so we have to take action in order to update our payment details. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this link:

  1. The first warning sign for this email is the formatting. Immediately, it’s apparent that different text boxes in the email have different alignments and different sizes, as well as strange spacing. The “confirm” button is a great example of this strange lettering: the text varies between sizes, switches between all-capital and regular format, and just overall looks unprofessional. It’s important to be wary of small inconsistencies such as this as they can be key indicators that the sender of the email may not be who they seem.
  2. The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “Available ONLY TODAY” and “Your membership has expired!” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through email.
  3. The final warning sign for this email is the fact that it informs us that we’re going to insert our credit card details for the validation of our account once we click the link. The email informs us that they “will not” withdraw any amount, which is very curious for a number of reasons. Firstly, it contradicts their earlier statement that they need to charge us for renewing the prime membership, and additionally a Fortune 500 company should have to need to insist upon their customers that they “won’t” withdraw any money from their credit cards. All of these factors point to the above being a phishing email, and a very unsophisticated one at that.


General Recommendations:

phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

  1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  2. Verify that the sender is actually from the company sending the message.
  3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet.
  5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

Cybersecurity Brief

In this month’s Cybersecurity Brief:

Meta Faces EU Scrutiny Over “Pay or Consent” Model

Meta, the parent company of Facebook and Instagram, is under scrutiny from the European Commission over its advertising model dubbed “pay or consent.” This model gives users a choice between paying for an ad-free experience or consenting to their personal data being used for targeted advertising.

The European Commission, through its Consumer Protection Cooperation Network, has raised concerns that this approach may violate consumer protection laws. Authorities argue that users might feel pressured into making a quick decision under the impression that refusing consent could result in losing access to their accounts or network connections.

Under the EU Digital Markets Act (DMA), companies designated as gatekeepers must obtain users’ explicit consent before utilizing their data for targeted ads. The Commission alleges that Meta’s model does not adequately inform users of their options and misleads them with unclear terms, including describing services as “free” despite the requirement for data consent.

Meta defends its model, citing a previous ruling from the Court of Justice of the European Union that allows companies to offer a paid, ad-free alternative. However, critics argue that Meta’s implementation lacks transparency and fails to provide a genuine choice to users.

This regulatory challenge adds to Meta’s ongoing global scrutiny over data privacy practices. Recently, the company faced fines in Nigeria for data sharing violations and penalties in Turkey over data practices across its platforms.

As the deadline approaches for Meta to address the EU concerns by September 1, 2024, the outcome will likely shape future regulatory standards for tech giants operating within the European Union.

To read more about this article, click here.

Federal Recovery Underway After CrowdStrike Outage; Congress Demands Accountability

The U.S. federal government and various sectors are recuperating from a significant outage caused by a flawed update to CrowdStrike’s Falcon security software, impacting Microsoft Windows systems globally. The incident led to disruptions in essential services including federal agencies, airlines, banks, and hospitals.

Social Security Administration (SSA) offices, which closed on Friday due to the outage, resumed public services on July 22nd. The Federal Communications Commission (FCC) reported disruptions to 911 services in some states.

CrowdStrike and Microsoft are actively addressing the issue. Microsoft estimates that 8.5 million Windows devices were affected and has provided remediation solutions. CrowdStrike is testing new methods to expedite system recovery and has promised updates through their Tech Alerts.

In response to the outage, lawmakers are demanding transparency and preventive measures from both CrowdStrike and federal agencies. Rep. Ritchie Torres (D-N.Y.) called for a Department of Homeland Security investigation into the incident, emphasizing the critical impact on national infrastructure.

The House Committee on Homeland Security and Sen. Eric Schmitt (R-Mo.) have also voiced concerns over national security implications and the need for robust cybersecurity measures.

As recovery efforts continue, stakeholders await comprehensive explanations and assurances to prevent future disruptions of such magnitude.

To read more about this article, click here.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

News and Updates

Sign up to get the latest news and threat briefs:

Get in Touch

Telephone: 1-844-NETIZEN
Email: Team (at) Netizen.net
Office Locations:
Allentown, PA (Headquarters)
 Arlington, VA (DC Region)
 Charleston, SC (Southeast Region)

Connect With Us

    Facebook
    Twitter
    LinkedIn
    Instagram
    GitHub
    YouTube

Copyright © Netizen Corporation. All Rights Reserved.