This week we look at a few instances of a growing threat to cybersecurity: voice phishing, or “vishing.” Scams by phone have been going on for years, but attackers are taking a new approach today.

Elsewhere, Facebook could be in significant financial hot water with the European Union over its data breach, there’s a possible vulnerability associated with Android’s password manager and we have details on several new and impactful cyberattacks.

Read more below.

  1. Gmail's third-party app policy: Security experts explain the risks, via Mashable
    • The terms of service we hurriedly agreed to keep coming back to haunt us. Last Thursday, the Wall Street Journal reported that Google confirmed previous reports about the far-reaching access third-party apps can have to Gmail users' accounts and personal emails.
  2. Phishing campaign targets developers of Chrome extensions, via ZDNet
    • Developers of Chrome extensions have been targeted by a massive phishing campaign last week. The campaign attempted to trick developers into accessing a phishing site where crooks tried to obtain the login credentials for their Google accounts. Malicious actors could log into Chrome Web Store dashboards and push malicious versions of legitimate Chrome extensions.
  3. Facebook faces potential $1.63 billion fine in Europe over data breach, via WSJ
    • A European Union privacy watchdog could fine Facebook Inc. as much as $1.63 billion for a data breach announced Friday in which hackers compromised the accounts of more than 50 million users, if regulators find the company violated the bloc’s strict new privacy law.
  4. Voice phishing scams are getting more clever, via Krebs on Security
    • Most of us have been trained to be wary of clicking on links and attachments that arrive unexpectedly in emails, but it’s easy to forget that scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams.
  5. Vulnerable Android password managers make phishing attacks easier, via Help Net Security
    • Android password managers can be tricked into entering valid login credentials into phishing apps, a group of researchers has discovered. They have also found that Instant Apps, a Google technology that allows users to “try” Android apps without the need to fully install them, can make phishing attacks more practical.
  6. 100K routers hijacked for phishing in GhostDNS campaign, via Security Boulevard
    • Security researchers warn about a massive attack campaign in which more than 100,000 routers had their DNS settings hijacked to redirect users to phishing websites. The campaign has been dubbed GhostDNS and has been documented before, including by researchers from Radware in August.
  7. Breaking bank security: Record theft rises to new heights, via ZDNet
    • Banks, investment firms, and financial services all handle sensitive data. If these records end up in the wrong hands, the result can be social engineering, account hijacking, and potentially ID theft or the batch sale of records on the Dark Web. According to new research released by Bitglass, from January to August this year there were close to three times as many reported data breaches in the sector as in the same period of 2016.
  8. A convincing, new phone phishing scam wants your banking secrets. Here’s how to stay secure, via Fortune
    • Security writer Brian Krebs has documented a trend in attacks that rely on phishers having obtained personal or private details from a victim. This may include part or all of a Social Security number, a credit card, and a home address. Voice-based scamming isn’t new, and senior citizens lose tens of billions of dollars a year in the U.S. to fraud, a good portion by phone.
  9. Sequoia says someone tried to impersonate the venture firm in effort to get money wired to Mexico, via CNBC
    • Sequoia Capital said someone sent a phishing email to an investor to steal money. In an email this week to its limited partners, Sequoia said the scheme involved the impersonation of official Sequoia communications and requested a "capital call be sent to a bank account in Mexico." A capital call occurs when an investment firm requests money that's been promised.
  10. Canadian restaurant chain suffers country-wide outage after malware outbreak, via ZDNet
    • A Canadian restaurant chain that operates over 20 restaurant brands suffered a country-wide outage of its IT systems over the weekend in an incident it described as a "malware outbreak." The company is Recipe Unlimited—formerly Cara Operations—which operates restaurant brands in North America, mostly in Canada.
  11. Phishing gets more complex as decoy PDF pops up with Microsoft-issued SSL certificate, via TechRepublic
    • A recent PDF decoy linked to a Microsoft Office 365™ phishing page was impersonating a law firm in Denver, according to a Netskope Threat Protection press release on Wednesday. The phishing page was hosted in Azure blob storage, and the PDF decoy was hosted in Google Drive.
  12. Northwest fast food chain hack exposed customer credit cards, via Tech Crunch
    • Burgerville, headquartered in Vancouver, Wash., disclosed today that any customers who used a credit or debit card from September 2017 to September 2018 at any of its locations may have had their card details stolen. The company operates 42 locations in the region.
  13. Google activates G Suite email security alerts for state-sponsored attacks, via VentureBeat
    • Google will soon activate security alerts for G Suite admins by default if it believes the company’s systems are being subjected to a government-backed attack. Up until now, these alerts have been opt-in only, but starting Oct. 10, Google will turn the alerts on by default, apparently because the feature wasn’t widely known.
  14. This dark web market is dedicated to compromising your emails, via ZDNet
    • According to research by security company Digital Shadows, for as little as $150, dark web sellers are offering to hack into whichever corporate email account the buyer wants access to – with many promising access within a week. By buying access to email accounts from other dark web users, attackers can conduct phishing and social engineering schemes in an effort to trick corporate accounts departments into transferring them large sums of money.
  15. The top 10 cyberthreats IT security teams are facing right now, via Tech Republic
    • Despite increased security spending, cyber incidents continue to plague organizations, as 70% of companies report being a victim of a successful attack or breach in the past year, according to a Thursday report from Cyren and Osterman Research provided exclusively to TechRepublic.
