How Hackers Steal Christmas
On Christmas Day 2014, a hacking group called Lizard Squad spoiled the holiday for many kids and parents by using a distributed denial-of-service (DDoS) attack to knock PlayStation and Xbox systems offline. Two years later, a group called R.I.U. Star Patrol threatened to spoil another Christmas in similar fashion. Unfortunately, these are just two of many examples of how grinches of the internet have preyed on innocents during the so-called season of joy. It’s impossible to stop every attack. But there are things we all can do to minimize the threat. Since I work for the security firm Sophos, I’ll use examples below from the company’s Naked Security site, to which I contribute. ( Editor’s note: This article originally appeared in the Nov/Dec ’17 issue of mvm. )
Watch out for these threats
The Xbox/PlayStation attacks were particularly cruel because children were brought to tears. But most of the holiday season’s online threats are quieter and designed to hit you in the wallet.
In one attack around the same time as the gaming hacks, the bad guys targeted people who received iTunes gift cards for Christmas, sending phishing messages that tricked them into giving up a lot of personal information.
In one attack that happened during the Christmas shopping period, Amazon customers saw their accounts hacked. One woman reported last year that a hacker got into her account and spent nearly $1,700, even though she changed her password multiple times. Once in her account, the digital miscreant changed her phone number and then ran up a bill for merchandise delivered to multiple states.
Last year, voice-activated, internet-connected personal assistants such as Amazon Echo and Google Home were popular Christmas gifts. It turns out these devices come with security risks — particularly the ability of hackers to eavesdrop on your conversations.
Last December, my Naked Security colleague Paul Ducklin compiled an excellent list of actions users can take to protect themselves from holiday scams. It’s worth repeating some of them here:
Clean up your passwords
Don’t use the same password on more than one website. If the crooks get one password, they’ll immediately try it on your other accounts. Make your passwords as long and complex as you can; in fact, consider using a password manager, which will come up with a unique password for each website automatically.
Update your devices
When patches come out, most of them fix security holes that the crooks either know about or will soon discover. Don’t put off security updates because “later will be fine.” Follow our advice: patch early, patch often.
Back up your files
Whether you’re taking your laptop with you or staying at home with your faithful desktop this festive season, don’t forget to back up precious documents on all of your devices. That way, if your files are lost, stolen, “reconfigured” by a teenage “expert” or, worst of all, held for extortion by ransomware, you can still get your data back.
Watch out for booby-trapped ATMs when out shopping
Beware of modified ATMs when you withdraw money. Crooks have been known to attach hidden cameras and other devices onto or around ATMs in the hope of covertly reading your card data and your PIN. If you see an ATM with any components that look like they don’t belong, report them to the bank and the police. That way, you protect yourself and everyone else.
Beware of login links in email
When an email urges you to click on a link to log in to your account and change your password, it’s probably crooks trying to phish you onto a fake site that will look exactly like the real thing, except the crooks get your password. If you want to check a transaction on one of your accounts, open your browser and connect to the website yourself.
Don’t email your credit card details
Sometimes your credit card won’t go through when you’re trying to buy a special gift. In perfectly good faith, the seller may ask you to email your credit card details. But that email could end up in the hands of cybercriminals, even if the seller handles it with care. Remember: If in doubt, don’t give it out!
Change default passwords before using new home video devices
Whether it’s a new baby monitor, home surveillance system or any other internet-enabled camera, it probably has a default password. If you don’t change the password, you are making it easy for a cybercriminal to hack in and watch whatever you’re filming. That could be you, your house, your baby or something else that you’d prefer to keep away from prying eyes.
In many cases, common sense will save you from holiday-timed attacks. Have a merry — and secure — Christmas!