YubiKey anti-phishing device saw 'huge spike' in orders this year

The 2016 holiday season truly began when notoriously nosy Santa Claus brought us a rash of hacking attempts against the Gmail accounts of prominent journalists and academics.

Since then, security experts have pointed over and over again to perhaps the best cybersecurity stocking-stuffer of the year: YubiKey, a tiny authentication key that provides phishing-proof defense in an age where phishing continues to be the biggest attack vector against the powerful and ordinary alike.

Launched in 2004 by the Swedish-American security firm Yubico, the product has exploded over the last year with a “huge spike” in orders, Jerrod Chong, the company’s Vice President of Solutions, told CyberScoop.

“We’ve been traditionally getting individual orders in the hundreds for agencies, divisions, small groups over the past years,” Chong said. “This year we are seeing orders in the tens of thousands. It’s a sizable magnitude.”

The YubiKey is a small keychain-sized device widely lauded (along with competitors) as “the most effective” protection against phishing attacks. Just plug the YubiKey into your computer, touch it, and gain access to your account. The key holds your identity and generates one-time passwords so that no one else can log in without that extra authentication.

Devices like YubiKeys are a significant step up from other forms of two-factor authentication (2FA), such as text messages and authenticator apps, which can be spoofed, phished, and surveilled.

It’s also a device to store encryption keys (how exactly they do that recently generated a bit of controversy) and a handful of other important security functionalities. But it’s the 2FA that got people’s attention first.

As any security expert will shout from the rooftops, you should have 2FA of some sort turned on for all your accounts at a bare minimum. YubiKey is the most secure way to do it, followed by an authentication app and then SMS.

In just the past few days, Christopher Soghoian at the American Civil Liberties Union has sung YubiKey’s praises. Zeynep Tufekci from the New York Times told her followers to buy it, use it and gift it. Martin Shelton, a privacy user researcher who works with the Times and OpenNews, endorses YubiKey as well.

2016 has been a perfect storm for Yubico. A growing tide of high-profile data breaches, new legislative mandates, and popular demand is pushing potential customers to pull the trigger on purchases big and small.

On the government side, it’s been a “milestone year.” Numerous civilian federal agencies in the U.S. made large purchases from the company in 2016 — it declined to specify which agencies or how big the purchases were — based largely on the YubiKey’s expanding ability to replace the federal smart card. Governments in Sweden, the United Kingdom, and Germany are big and growing YubiKey customers as well.

Through partnerships with the Electronic Frontier Foundation and the Freedom of the Press Foundation, Yubico is also working to equip highly targeted but often low-tech communities like journalists and LGBT activist groups with security knowledge and tools that might be otherwise out of their reach.

Building the buzz further, there’s been attention-grabbing work with Google and several industry awards. The company also won a $2.27 million grant that Yubico wants to lead to strong authentication for “all citizens of the U.S.,” Chong explained. The pilot program is currently going on with students and residents in Wisconsin and Colorado.

“The goal is that this could be a model for a larger-scale deployment,” he said.

On the regulation front, the company is dedicating resources toward aggressively moving forward. The newest YubiKeys are in the National Institute of Standards and Technology (NIST) validation process for compliance with Federal Information Processing Standard (FIPS) Publication 140-2. Moves like that are not just an immediate green light within the kind of enterprise customers that YubiKey thrives on and makes 70 percent of its revenue from — they also make big purchases easier and more streamlined in the future.

(If you’re putting a little cybersecurity in your family and friends’ stockings this December, remember to add some chocolate after that.)

Nine simple security steps to stay safe online during the holidays

The holidays are a heightened time when cybercriminals use clever phishing email scams that look like special offers or shipping notices for gifts, when in reality they are designed to snare clicks and make you hand over information.

James Lyne, global head of security research at Sophos, shares nine simple security steps to stay safe online during the holidays:

If an online deal or email offer with price discounts looks too good to be true, it probably is. Hit delete.  

Be aware of untrusted wireless networks when you’re out shopping with your mobile phone. Consider waiting to enter your credit card information when you get home.

Only use trusted merchants to make online payments. Use PayPal or your credit card, not bank debit cards to purchase gifts online.

Be on the lookout for Typosquatting. Cybercriminals take a popular online brand and change one letter or two to trick you into clicking and sharing personal information.
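Typosquatting, as described above, works because a label one or two characters away from a brand name reads as the brand at a glance. The following check, added here as an example and not part of the original article or of Sophos’s tools, flags hostnames whose site label is within a small edit distance of a known brand after undoing common character swaps (rn for m, 1 for l, 0 for o). The brand list, the homoglyph table and the two-label suffix shortlist are constructed for illustration.

```python
# Lookalike-domain check (added example, not from the original article).
# KNOWN_BRANDS, HOMOGLYPHS and TWO_LABEL_SUFFIXES are constructed samples;
# production code would use a full public suffix list and its own brand inventory.

KNOWN_BRANDS = ("apple", "paypal", "amazon", "google", "microsoft")

# Character swaps frequently used so a lookalike label reads like the brand.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed shortlist of suffixes that take two labels (assumption, not a PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host: str) -> str:
    """Return the label a user reads as 'the site', e.g. apple in www.apple.com."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Undo common character swaps so app1e and rnicrosoft compare as words."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def lookalike_brand(host: str, brands=KNOWN_BRANDS, max_distance: int = 2):
    """Return the brand a hostname imitates, or None if the hostname is the
    genuine brand domain or nothing on the list resembles it."""
    label = brand_label(host)
    if label in brands:
        return None                      # the genuine domain, not a lookalike
    norm = normalize(label)
    tokens = norm.split("-")
    for brand in brands:                 # brand embedded as a word: apple-id-verify
        if brand in tokens:
            return brand
    best = min(brands, key=lambda b: levenshtein(norm, b))
    return best if levenshtein(norm, best) <= max_distance else None


if __name__ == "__main__":
    for h in ("www.apple.com", "app1e-id.com", "paypa1.com", "rnicrosoft.co.uk", "appie.com"):
        print(h, "->", lookalike_brand(h))
```

Splitting the label on hyphens before the word match keeps names such as pineapple from matching apple; the edit-distance fallback then catches single-character swaps the homoglyph table does not list. Internationalised (punycode) homograph domains are out of scope for this check and need a separate Unicode confusables comparison.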


IoT devices are sure to be on everyone’s list this year, but they are vulnerable to cybercriminals. Before you start using your newfangled device, reset the password. Some, as we’ve recently seen with the Dyn DDoS attack, are vulnerable to criminal-hacker hijacking.

Be sensible about password security. Make account passwords different and difficult to guess. Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos How to Pick a Proper Password video for creating stronger passwords.

Cybercriminals intercept data with spyware more than usual during the holidays. Protect against all malware, including spyware, which logs your financial data while you type it into your keyboard, with security software like Sophos.

Of 1,250 consumers polled in the U.S., U.K., Germany, Switzerland and Austria in a recent Sophos survey, 54 percent perceive spyware as an extremely large cyber security threat. Thirty-one percent of those surveyed consider themselves unprotected, are not familiar with spyware, or are unsure if they’re protected.

Run up to date security software and check out the Sophos Home toolkit videos for tips on blocking spyware and all other malware, detecting and blocking malicious URLs and apps, which could contain ransomware, securing wifi, and ruling out phishy emails. 

At a time of higher than normal e-commerce, criminals have a piqued interest in exploiting online activity. Consumers need to be extra vigilant to protect against cybercriminals who amp up their nefarious ways during the holidays. Be cyber aware and use best security practices.

New phishing attack uses fake Kanye West iTunes bill to lure victims

A new phishing attack has been discovered, and branded “especially greedy” by experts for its attempts to steal both personal data and credit card information.

Email security firm Mimecast analysed the attack after it was discovered by V3.

The attack begins with an email claiming that the user has purchased a Kanye West song on Apple iTunes (below – email address partly obscured to protect the intended victim’s privacy).

(Screenshot: fake-receipt)

The email goes on to say that, to cancel the payment, the target needs to click on a link purporting to be a payment cancellation form, which instead leads to a sequence of fake login pages designed to harvest their iTunes credentials.

(Screenshot: fake-redirect)

The attack starts by taking the target to a fake Outlook webmail login page, then to a fake Apple ID login page that asks for lots of personal data, including date of birth and address. The likely purpose of collecting this data is that it can be used for password recovery mechanisms for other websites as well as to make fraudulent payments more likely to be accepted by fraud detection engines.

(Screenshot: fake-apple-id)

Finally – under the header of why not keep bilking the victim while you are at it – they are taken to a fake bank verification page designed to steal credit card numbers.

(Screenshot: fake-refund)

(Screenshot: fake-payment-form)

Mimecast researchers highlighted that the phishing campaign is using two different domains to host the backend of their attack:

  • conundrumsolutions.ca – looks legitimate and has no history of malicious activity. It is using a WordPress CMS that is highly likely to have been compromised.
  • tech5support.update84acc.co.uk – appears to have been registered recently (November 13). The domain has no history, which itself is highly suspicious and indicates it’s directly controlled by the cybercriminals. The site was running from Germany.

Matthew Gardiner, cybersecurity strategist at Mimecast, said: “Crafty email social engineering and well-spoofed login pages are at the heart of this greedy phishing campaign. As part of the campaign, the cybercriminal has likely hijacked a legitimate website to help ensure their phishing emails get through traditional email defenses, which often rely too heavily on blacklists.

“A key way to defeat this type of attack is to ensure all links in emails are rewritten to point to a cloud security service which acts as a security proxy. This ensures that there is a real-time check on every click. This approach can defeat most attacks that depend on taking the target from an email to a poisoned website, irrespective of the user’s device.”

This scam was initially seen on the intended victim’s iPhone. It was verified as a phishing attempt by checking the email on a Windows-based computer, by holding the mouse over the ‘Payment Cancellation Form’ URL in the original mail. That revealed the compromised ‘tech5support’ address, rather than the expected Apple domain, showing the mail to be a scam.
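The manual check described above (hovering over the ‘Payment Cancellation Form’ link to see which host it really points to) and the link-rewriting proxy approach Gardiner describes both start from the same step: pulling every anchor out of the message body and looking at where it goes. The script below, added here as an example and not code from V3, Mimecast or the original article, does that over a constructed lure in the same shape as the one described; the hostnames in it are placeholders, not the campaign’s infrastructure, and the proxy URL is an assumption. It flags links whose target is not the brand domain the mail claims to be from, links whose visible text is itself a URL on a different host, and then rewrites every href through a stand-in click-checking proxy.

```python
# Email link inspection and proxy rewriting (added example, not from the article).
# SAMPLE_EMAIL_HTML is a constructed lure; the hosts in it are placeholders.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, quote

SAMPLE_EMAIL_HTML = """
<p>Your purchase of 1 song from iTunes is complete.</p>
<p>If you did not authorise this payment, open the
<a href="http://example-support.invalid/itunes/cancel.php">Payment Cancellation Form</a>.</p>
<p>Manage your account at <a href="http://example-support.invalid/login">https://appleid.apple.com</a></p>
<p>Thanks, <a href="https://www.apple.com/">Apple</a></p>
"""

# Visible link text that itself reads like a URL or a bare domain.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = ""
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._text = True, dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append(("".join(self._text).strip(), self._href))
            self._in_a = False


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Crude registrable-domain guess (last two labels); a real check uses the PSL."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html, expected_domain):
    """Return (text, href, reasons) for links that do not go where the mail implies."""
    findings = []
    for text, href in extract_links(html):
        target = urlparse(href).hostname or ""
        reasons = []
        if registrable(target) != expected_domain:
            reasons.append("target host %r is not %s" % (target, expected_domain))
        if URL_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registrable(shown) != registrable(target):
                reasons.append("displays %s but goes to %s" % (shown, target))
        if reasons:
            findings.append((text, href, reasons))
    return findings


def rewrite_links(html, proxy_base):
    """Point every href at a click-checking proxy (the rewriting approach quoted above).
    proxy_base is an assumed placeholder URL."""
    out = html
    for href in {h for _t, h in extract_links(html) if h}:
        out = out.replace('href="%s"' % href,
                          'href="%s?url=%s"' % (proxy_base, quote(href, safe="")))
    return out


if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "apple.com"):
        print("SUSPICIOUS %r -> %s: %s" % (text, href, "; ".join(reasons)))
    print(rewrite_links(SAMPLE_EMAIL_HTML, "https://proxy.example/check"))
```

Run against the sample, the genuine www.apple.com link passes, the cancellation-form link is flagged for its off-brand host, and the link whose text says appleid.apple.com is flagged twice: once for the host and once because what it displays is not where it goes. The proxy rewrite is deliberately naive string replacement on the exact href attribute; a mail gateway would rewrite the parsed tree and sign the wrapped URL so the proxy can reject tampered ones.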

It was then sent on to Mimecast for analysis. The email security firm analysed a previous scam found by V3, which also attempted to steal financial information.