Despite the robust anti-fraud measures implemented by these major financial institutions, cybersecurity experts are warning that affected individuals face a "definite" risk of financial loss. This discovery follows recent cyberattacks targeting Australian superannuation funds, where stolen passwords were used in attempts to access pensioners' accounts. The Australian cybersecurity firm Dvuln, which unearthed this extensive breach, has determined that these passwords were not obtained through vulnerabilities in the banks' systems. Instead, they were directly pilfered from users' own devices that had been infected with insidious "infostealer" malware. So, "This is not a vulnerability in the banks. These are customer devices that have been infected." Infostealer malware is a particularly dangerous form of malicious software designed to infiltrate devices, silently harvest a wide range of sensitive data – including passwords, credit card details, cryptocurrency wallet information, local files, and browser data like cookies and autofill information – and transmit it directly to cybercriminals. With Infostealer, the threat extends far beyond just banking credentials, noting that the average infostealer victim has hundreds of other account details stored in their browser, including PayPal and e-commerce accounts with linked credit cards. Figures suggest around 58,000 infected devices in Australia alone with something in the order of 31 million devices worldwide. The biggest risks are in Windows devices around 90% although mobile device numbers are on the increase.
If you suspect a problem, get onto your bank and alert scamwatch. Ep325 Image created by AI
0 Comments
Here's a handy guide to five habits that can help you stay one step ahead of the scammers: 1. Master Your Passwords: If you're still using the same old password across multiple accounts, now's the time for an upgrade. Strong passwords or passkeys should be a complex mix of at least 14 characters, including uppercase and lowercase letters, numbers, and special symbols. Consider using a password manager like Bitwarden, 1Password, or NordPass to generate and securely store strong, unique passwords for all your accounts. And crucially, always enable multi-factor authentication (MFA) whenever it's offered for an extra layer of security. 2. Sharpen Your Scam Radar: Scammers are becoming incredibly skilled at impersonating trusted organizations like banks or government departments. Be extra cautious of unexpected emails or social media messages asking for your information or urging you to download software. Remember the mantra: stop, check, protect. Take a moment to breathe, independently verify the communication by contacting the organization directly through official channels, and then block and delete any suspicious messages. Be particularly careful when sending money to new accounts. Features like CommBank's NameCheck can help by verifying account details before your first payment. 3. Practice Good Banking Hygiene: Your banking app likely has built-in security features – use them! CommBank's Security check up, for example, allows you to manage location-based security, which alerts the bank to unusual account access locations. Review and enable security alerts for suspicious activity notifications. Regularly check and adjust your daily payment limits to match your typical spending habits. Keeping limits higher than necessary increases your potential loss if your account is compromised. 4. Check In With Your Circle: Scammers often thrive on isolation. A simple way to stay safe is to regularly check in with friends and family. As a spokesperson for the National Anti-Scam Centre points out, "Everyone is vulnerable to scams at certain times, such as dating and romance scams after a breakup or a job scam when the cost of living is high. Scammers isolate you from your support networks. They want to create a situation where you rely entirely on them." Talking about potential scams can help you and your loved ones identify red flags. 5. Report Every Scam Encounter: Even if you haven't lost money, reporting scams is crucial. By reporting incidents to the National Anti-Scam Centre via scamwatch.gov.au, you provide valuable information that helps them understand scam tactics, identify vulnerable populations, and work on disrupting and stopping these criminal activities. As their spokesperson says, "Your reports help the National Anti-Scam Centre identify the scams that are causing the most harm to Australians." Ep324 Image created by AI
Here's the simple version of how it works:
This is particularly scary because:
The bad guys behind this seem to be Chinese speakers, and they're even offering support to other criminals who want to use this method. This scam has already been seen in Italy. What Google says: Google says their Play Protect system should help protect you from apps with this kind of malware if you download them from the official Play Store. But be careful about installing apps from anywhere else! The bottom line: Be super careful about messages asking you to call numbers or download apps, especially if they're about your bank. Don't tap your card on your phone if someone you don't trust tells you to! Ep323 Image created by AI
Here are 8 key signs to watch for:
How to Fight Back: While you can't eliminate all spam, here's how to reduce it:
Ep322 - Image by AI
Microsoft Defender for Individuals:
You can run it on all your devices linked to your MS account and have a central administration and notifications at your fingertips. Is it any good? So far, so good… time will tell. Ep321 - Image source: https://www.microsoft.com/
Conducting Your Audit:
By prioritizing strong passwords and MFA, you significantly enhance your digital security. Ep321 - Image by AI
This move comes in response to recent security breaches on the Play Store, including a large-scale ad fraud campaign that saw users unwittingly downloading "vapor apps" disguised as popular, legitimate applications. These apps aggressively displayed recurring ads, generating substantial revenue for fraudsters and proving difficult for users to remove. Google was forced to remove 180 such apps from the platform, highlighting the urgent need for enhanced security measures.
To further bolster user trust and app authenticity, Google will be introducing more verified badges. Notably, VPN apps will receive a "Verified" badge, providing users with a clear indication of an app's legitimacy. This initiative aims to establish a more reliable and trustworthy Play Store environment. Key Security Enhancements:
Google's commitment to strengthening Play Store security reflects the growing importance of mobile security in an increasingly digital world. These new measures are designed to protect users from evolving cyber threats and ensure a safer Android experience. Ep319 - Image by MITE Radio (screenshot)
What Are Google Play System Updates?
These updates are crucial for delivering features like Android 12’s Privacy Dashboard, the expanded Find My Device network, Theft Detection Lock, and improvements to Play Protect. They allow Google to bypass manufacturer delays and push updates directly to users. The Hidden Update Problem Despite their importance, Google Play system updates are often buried within Android settings. On Pixel devices, they're found under "Settings > Security & privacy > System & updates," separate from the main software update section. Many users are unaware of their existence, leading to significant delays. A recent poll indicated that 21% of users have no idea what these updates are. "On my Pixel 7, my daily driver, where the main software is up to date with the March security patch, the Play system was lagging on a February release. I updated it to the March release and then once more with a more recent March release. And I’m very diligent about this! Imagine if I wasn’t." one user reported. Why the Secrecy? The reason behind Google's lack of transparency remains a mystery. The separation of update menus and the absence of clear notifications contribute to the problem. The very name, "Google Play system updates," is misleading, as many updates have little to do with the Play Store. The core issue is the lack of user notification. Google could easily implement a simple alert when a Play system update is available, but they choose not to. As a result, updates often remain pending until a device restart, which many users perform infrequently. This lag defeats the purpose of Project Mainline, which aimed to deliver updates promptly. How to Check for Updates To check for Google Play system updates:
Regularly checking for these updates is crucial to ensure your device is secure and up-to-date. The Bottom Line Google's failure to adequately inform users about Play system updates is a significant oversight. While the updates are designed to streamline and improve Android, their hidden nature undermines their effectiveness. Until Google addresses this issue, Android users must remain vigilant and proactively seek out these essential updates… every month. Ep319 - Images by MITE Radio (screenshots)
One alarming example involves an email with the subject line "Urgent reminder," containing a PDF attachment with a QR code. The email, purporting to be from the "Tax Services Department," warned recipients of a "mandatory review and update" of their tax records, claiming it needed to be completed by a certain deadline, to avoid penalties. The email instructed recipients to scan the QR code or click a link to access a "secure tax portal."
However, this was a carefully crafted phishing attempt. Scanning the QR code led to a malicious website, cleverly concealed through doubleclick.net redirects. Fortunately, cybersecurity software like Malwarebytes detected and blocked the real destination. Upon bypassing bot protection, the phishing site presented a Microsoft login page, pre-filled with an email address, prompting users to enter their password. Entering credentials would send them directly to a Russian receiver, who could then sell the information on the dark web or use it to access the victim's Microsoft accounts. This is just one example of the numerous tax scams circulating during this period. The IRS's annual "Dirty Dozen" list highlights common schemes that threaten taxpayers' financial information. One prevalent tactic involves spreading misinformation on social media, such as promoting non-existent tax credits like the "self-employment tax credit," which led the IRS to issue a warning last year. Phishing emails, like the one described, remain a significant threat. While AI-generated emails can appear convincing, certain red flags can help identify them:
Protecting Yourself from Scams: In an increasingly digital world, online scams are becoming more sophisticated. To protect yourself, consider these tips:
The rise in sophisticated scams emphasizes the need for vigilance during tax season. By staying informed and taking precautions, individuals can protect themselves from becoming victims of these fraudulent schemes. Ep 318 - Image by AI CommBank has issued a stark warning to its customers regarding a surge in fraudulent SMS messages designed to steal sensitive personal and financial information. These phishing attempts are becoming increasingly sophisticated, posing a significant risk to unsuspecting individuals. The fraudulent SMS messages are designed to trick customers into clicking on malicious links or calling fake phone numbers. These actions then prompt victims to disclose crucial information, including:
Alarmingly, these messages may appear legitimate, even appearing within the same message threads as genuine CommBank communications. However, CommBank has explicitly stated that they will never request transaction verification through links in emails or SMS messages.  Protecting Yourself from These Phishing Scams:
CommBank strongly advises customers to adhere to the following safety precautions:
By remaining vigilant and following these guidelines, CommBank customers can significantly reduce their risk of falling victim to these pervasive phishing scams. Ep317 - Image screenshots by MITE Radio
A particularly alarming trend is the targeting of business customers, with criminals impersonating NAB personnel and fabricating stories about new chat bots, updated versions of NAB Connect, or urgent technical issues. These fabricated scenarios are designed to deceive victims into downloading malicious software, granting criminals remote access to their computers and sensitive online banking information.
"We anticipate criminals will continue to target Australian consumers and businesses with remote access scams in 2025," warns Chris Sheehan, Executive of Group Investigations at NAB. He further emphasized the severity of these scams, noting that losses can escalate into tens of thousands of dollars within minutes, significantly exceeding the financial impact of other common scams. Older Australians are also disproportionately targeted, due to criminals believing they are more susceptible to these tactics. Safeguarding Your Business and Personal Information: To protect yourself and your business from these insidious scams, adhere to the following crucial guidelines:
The speed and scale of financial losses associated with remote access scams underscore the urgent need for heightened vigilance. By adopting these preventative measures, individuals and businesses can significantly reduce their risk of becoming victims. Ep316 - Image by AI
The Problem:
What Could Happen:
Why This Matters:
The Good News:
What You Can Do:
Basically, just like your computer or phone, your solar panels need to be protected from hackers. By keeping them updated and secure, you can help keep your home and the power grid safe. Ep315 - Image created by AI
The core tactic involves enticing victims with the promise of sold-out tickets to coveted events or expedited visa processing. In many cases, buyers pay for items that either don't exist or receive random or counterfeit goods. Other variations include inflated prices for legitimate products or services, leaving victims significantly out of pocket. "We anticipate ticket scams when Oasis and Metallica tour, similar to those seen with Taylor Swift and Coldplay in 2024," warns Chris Sheehan, Executive of Group Investigations at NAB. This predictive statement underscores the recurring nature of these scams, with criminals consistently capitalizing on high-demand events. Protecting Your Bucket List from Scammers: To avoid falling victim to these heartless scams, consider these preventative measures:
By exercising vigilance and adhering to these safety guidelines, individuals can better protect their hard-earned money and ensure their bucket list dreams don't turn into financial nightmares. Ep314 Image created by AI
The sophisticated nature of these scams is alarming. With just a few seconds of audio or a single image gleaned from social media profiles, voicemails, or publicly available videos, scammers can generate convincing deepfakes. These AI-generated impersonations are becoming increasingly difficult to distinguish from genuine content, making it easier for criminals to manipulate their targets. Chris Sheehan, Executive of Group Investigations at NAB, highlighted the evolving tactics of these criminals. "AI allows criminals to 'nudify' and manipulate photos from social media instead of relying on images people have shared with them," he warned. While NAB has not yet reported widespread cases of AI-generated sextortion impacting their customers, the bank is closely monitoring the situation overseas, recognizing the devastating consequences such scams can inflict. Protecting Yourself from AI-Driven Scams: In light of this growing threat, experts are urging Australians to exercise extreme caution and adopt proactive measures to safeguard themselves. Here are some key tips:
The rise of AI-driven scams underscores the importance of heightened vigilance in the digital age. By staying informed and adopting proactive safety measures, individuals can better protect themselves from these increasingly sophisticated threats. Ep312 Image created by AI
Research consistently shows a disconnect between awareness and action in Australia. Reports highlight a persistent problem: users prioritize convenience over security. 84% of respondents admitted to "unsafe password practices," including incorporating easily guessable personal information like favorite numbers, pet names, birthdays, or names of loved ones into their passwords. In an age of rampant social media sharing, this practice makes accounts incredibly vulnerable to social engineering attacks. Password Reuse: A Cybercriminal's Dream: However, the most alarming statistic is the 50% of users who reuse passwords across at least two accounts. This practice creates a domino effect: if one account is compromised, all accounts sharing the same password are at risk. Even seemingly insignificant websites can become the weak link in a chain of security breaches. "Sharing login information with friends and family members has become increasingly common in an era where things like streaming services, collaborative social media accounts, and more are popular," the All About Cookies analysts said. While sharing logins itself is risky, the widespread reuse of passwords across unrelated accounts is a far more dangerous trend. A Slight Improvement, But Still Cause for Concern: While the analysis did reveal a slight improvement from the previous year, when 65% of users reused passwords, the current figure remains alarmingly high. This minor decrease offers little comfort when considering the potential consequences of a single compromised password. Solutions and Recommendations: To mitigate the risks associated with password reuse, experts strongly recommend the following:
The persistent issue of password reuse underscores the need for a fundamental shift in user behavior. While technological solutions exist, the ultimate responsibility lies with individuals to adopt secure password management practices. Failure to do so leaves them vulnerable to a wide range of cyber threats. Ep311 Image created by AI
These scams often begin with seemingly legitimate investment opportunities, designed to build trust. Victims may even see small profits or be able to withdraw a small amount of money, reinforcing the illusion of a successful investment. However, when larger withdrawals are attempted, victims are met with a barrage of fabricated obstacles, including unexpected fees, tax issues, or complete account lockouts. Chris Sheehan, Executive of Group Investigations at NAB, highlighted the concerning trend: "Older Australians may not be as familiar with the digital currency and terms like digital wallets and tokens, while under 50s are the fastest growing age group to lose money nationally to crypto investment scams." This demonstrates the broad reach of these scams, targeting individuals across all age demographics. Adding to the financial strain, criminals are also capitalizing on the current cost-of-living pressures by promoting term deposit investment scams, further exploiting the desire for secure financial growth. Protecting Yourself from Cryptocurrency Investment Scams: To combat this rising tide of financial fraud, experts are urging Australians to adopt a cautious approach and implement the following protective measures:
By staying vigilant and adhering to these safety guidelines, Australians can significantly reduce their risk of falling victim to the increasingly prevalent cryptocurrency investment scams. Ep313 Image created by AI
An investigation by The Observer revealed that over 150 UK gambling websites were using a hidden tracking tool, the Meta Pixel, to extract and transmit visitor data to Meta. This data, which includes details of webpages visited and buttons clicked, is then used to profile individuals as gamblers, paving the way for targeted Facebook advertising from casinos and betting sites. The sheer scale of this practice is alarming. Popular gambling platforms like Hollywoodbets, Sporting Index, Lottoland, and Bwin were among those implicated in the data sharing. Of the tested websites, 52 were found to be directly sharing data via Meta Pixel without obtaining explicit user consent. Crucially, this data transfer often occurred automatically upon webpage loading, before users even had the opportunity to accept or decline data usage. The consequences of this covert data collection are significant. One reporter, who explicitly stated they had never consented to marketing data usage, found themselves bombarded with gambling advertisements. In a single browsing session, they encountered ads from 49 different brands, including those from companies not directly involved in the illicit data sharing, but who were utilizing Meta Pixel within accepted rules. Data privacy expert Wolfie Christl condemned the practice, stating, "Sharing data with Meta is highly problematic, even with consent, but doing so without explicit informed consent shows a blatant disregard for the law. Meta is complicit and must be held accountable." This is not the first instance of gambling sites being accused of unlawfully selling user data, fueling ongoing calls for a comprehensive investigation into the targeting of gamblers and the implementation of stronger protective measures. I guess we’ll expect to hear about the upcoming legal action. If you’re using these sites (i.e. online and not an app) consider using privacy focussed browsers like Brave and maybe don’t say yes to all the cookies. Ep310 Image created by AI
IDCARE is a not for profit service in Australia and New Zealand, providing crucial support to individuals and organisations affected by identity theft and cybercrime. Here's a summary of what they do: 
In essence, IDCARE is a crucial resource for Australians and New Zealanders seeking assistance with identity theft and cybercrime. Ep309 Image Source: https://www.idcare.org/contact/get-help
Why Ditch SMS? The Security Flaws Exposed The convenience of receiving a text message code has masked its inherent security weaknesses. As highlighted by many, the ease with which scammers can intercept SMS codes is alarming. Whether through SIM swapping – tricking mobile carriers into transferring your phone number – or sophisticated phishing techniques, hackers can gain access to your 2FA codes remotely. This vulnerability leaves users exposed to fraud and account takeovers, particularly when sensitive information like bank accounts are protected by SMS-based 2FA. Furthermore, the rise of "traffic pumping" scams, where fraudsters manipulate SMS delivery for profit, contributes to the growing problem of SMS spam. Google's Solution: QR Codes for Enhanced Authentication Recognizing the limitations of SMS, Google is opting for QR codes as the default verification method for phone numbers. This transition promises a more secure and user-friendly experience. Here's how it works:
Beyond QR Codes: Embracing Authenticator Apps and Passkeys While QR codes offer a significant improvement, Google also champions other robust authentication methods. Authenticator apps, which generate time-based one-time passwords (TOTPs) on secure, user-controlled services, provide an additional layer of security. These apps often feature biometric authentication and password protection. For those seeking the ultimate in security, Google advocates for passkeys. These cryptographically generated keys, unique to each login and device, eliminate the need for traditional passwords. Passkeys remain securely encrypted on the user's device, making them virtually impervious to hacking. The Future of Secure Logins Google's shift away from SMS 2FA marks a pivotal moment in online security. While a precise timeline for the QR code rollout remains undisclosed, this move underscores the importance of adopting stronger authentication methods. In an increasingly digital world, prioritizing security is paramount. By embracing QR codes, authenticator apps, and passkeys, users can significantly reduce their risk of falling victim to cyberattacks. Google's initiative serves as a reminder that staying ahead of evolving threats requires continuous innovation and a commitment to user protection. Ep308 Image created by AI
Yes, you can absolutely upload a webpage link and ask me if it appears to be a scam. I will do my best to analyze it based on:
However, please keep in mind:
So, please provide the link, and I'll do my best to help you determine if it's a scam. Might not be 100% but it’s better than nothing right? Ep307 Image created by AI
Now, this is where things get concerning. Not only were they asking for direct access to the bank account, but they also stated that a separate, unidentified third-party company would also be given access to this sensitive information. Experts warn that sharing your bank login details with anyone is incredibly risky. It opens you up to potential fraud, identity theft, and financial losses. Most reputable financial institutions advise against this practice. Consumer advocates are urging people to be very cautious about this very thing. They say that while "interest-free" offers can be tempting, they shouldn't come at the cost of your financial security. There are legitimate ways for companies to assess financial risk without needing your login credentials. This situation also raises privacy concerns. The fact that an unknown third party would also have access to the data is troubling. So, what should you do if you encounter a similar offer?
Remember, protecting your financial information is crucial. If an offer seems too good to be true, it probably is. Stay vigilant and informed. This incident serves as a stark reminder of the importance of protecting personal financial information and exercising caution when considering financing offers that seem too good to be true. Authorities are urging individuals to remain vigilant and report any suspicious activity. Ep306 Image created by AI
This type of attack bypasses two-factor authentication through session hijacking and real-time credential interception. Traditional phishing attacks typically capture only primary credentials, leaving 2FA intact. However, Astaroth intercepts all authentication data in real-time, rendering 2FA ineffective. How the Attack Works:
What You Can Do:
This phishing kit is readily available for purchase on cybercrime marketplaces for $2,000, making it a serious threat to users. It is crucial to remain vigilant and follow best practices to avoid falling victim to this attack. Ep305 Image created by AI
Take the 2 minute quiz on the scamwatch website and test your understanding. (multiple choice) 1. What are some common signs that you are dealing with a scammer? 2. Phishing scams are attempts by scammers to deceive you into sharing your personal information. Which of the following can you rely on, to be sure you aren't dealing with a phishing scam? 3. You receive a call or message from an organisation you think you know, claiming your device or accounts aren't secure. What do you do? 4. Which of the following is a common tactic used by scammers to get you to give them money quickly? 5. What’s the first thing you should you do if you think you've had money or information stolen by a scammer? 6. Scammers may intercept and modify invoices or call you to change bank account details on a bill you’re expecting. What can you do to stay safe from these scams? 7. Which of the following is the best way to protect yourself from online shopping scams? 8. What does Scamwatch recommend people do to stay safe from scams?  Ep304 Image Source: https://www.scamwatch.gov.au/
Thousands Targeted in Ongoing Phishing Scheme This campaign, since it was detected, has reached over 12,000 individual email addresses and numerous organizations. Primarily targeting users in the U.S. and Europe, with some Australian victims, the attack poses a significant threat due to Facebook's massive user base. Deceptive Tactics Employed Cybercriminals are using a clever tactic to appear legitimate. The phishing emails are sent via an automated mailing service, leveraging Salesforce's marketing tools, and use a "[email protected]" return address. This adds a layer of authenticity, making the emails harder to distinguish from legitimate communications. The emails themselves are designed to instill fear and urgency. They claim a copyright infringement violation, prompting recipients to click a link to a fake Facebook support page. This page then requests account credentials under the guise of an "account review," rather than a direct account disablement threat, which is a subtle, but effective, psychological manipulation. The Danger of Phishing Kits Adding another layer of severity to this attack, new reports indicate the use of phishing kits. These kits make it easier for cybercriminals to launch these attacks, even those with limited technical skills. This means the number of attacks could drastically increase. What You Need to Do Immediately: cue the broken record…
The Importance of Vigilance This Facebook phishing campaign serves as a stark reminder of the constant threat posed by cybercriminals. Staying vigilant and practicing safe online habits are crucial for protecting your personal information and avoiding becoming a victim. Ep303 Image created by AI
Why Updates Matter: A Security Power-Up Browser developers are constantly working to improve security features and patch vulnerabilities that cybercriminals exploit. These updates are not just about adding new features; they're vital for safeguarding your digital experience. Here's how:
Beyond Updates: Smart Browsing Habits While keeping your browser updated is essential, it's also crucial to practice safe browsing habits:
The Bottom Line: Proactive Protection In the ongoing battle against online threats, staying proactive is key. By keeping your browser updated and practicing safe browsing habits, you can significantly reduce your risk of falling victim to malware, scareware, and other browser-based attacks. Take control of your online security and make browser updates a regular part of your digital routine. Ep302 Image created by AI
|
AuthorDelve into the world of MITE Radio through our captivating blogs. From music and tech to community news, our articles offer fresh perspectives and behind-the-scenes glimpses. Stay informed, connect with our community, and explore MITE Radio in a new way today! Archives
June 2025
Categories
All
|
RSS Feed