#CyberFLASH: Uber should investigate own databases after more claims of bogus fares, privacy experts say


A string of complaints by customers charged for Uber trips they say they never took has security experts calling on the ride-hailing company to launch a formal investigation to make sure its databases haven’t been breached.

After CBC News reported on the story of Laura Hesp, who lives in Toronto but was billed for an Uber ride taken on her account by someone in Poland, several others came forward to report similar experiences. Uber has warned customers incidents like this may be the result of phishing scams, but experts CBC News spoke to think the company should investigate to rule out the possibility that its own databases have been hacked.

The stories begin the same way. A person receives an unexpected email confirming an Uber cab is minutes away — except the customer hasn’t ordered one and the trip is thousands of kilometres away in another country.

George Sfeir, a 49-year-old Toronto man, says he was in his car on the way to his cottage in rural Ontario in July when he got a bill for an Uber ride he never ordered.

It was one of six bills he would receive over the span of two days for trips taken in Las Vegas, Des Plaines, Ill., and other American cities that Sfeir says he never visited.

Most of the trips ranged in price from $10 to $100. But when he received a bill for a whopping $982 rung up for an Uber trip in Chicago, Sfeir says he began to panic.

“That was really scary,” he says, adding that at first, even his credit card company didn’t believe his story.

Read more here

#CyberFLASH: VANCOUVER – From spam to phishing scams and ransomware, Canadians face a number of cyber security threats.

VANCOUVER – From spam to phishing scams and ransomware, Canadians face a number of cyber security threats.

And it turns out we rank quite high when it comes to a number of different types of attacks, according to Symantec’s annual Internet Security Threat Report.

“Certainly, one of the biggest threats facing Canadians right now is something called ransomware. Globally, Canada is number four. They’re seeing over 16,000 attacks per day,” says Kevin Haley with Symantec Security Response.

“Ransomware is a type of threat that will encrypt the files on your machine and it will charge you a ransom in order to get access to your files back. We in fact saw a 35 per cent increase from 2014 in this type of attack.”

But that’s not the only threat you face by powering on your laptop or tablet.

“In social media, Canada is actually number five. They are the fifth-most attacked country for social media scams,” says Haley.

Read more here

#CyberFLASH: New reports warn of extent of phishing

Phishing is one of the easiest ways an attacker can infiltrate malware into an organization or trick victims into going to a fake Website, with one vendor saying it found one million confirmed malicious phishing sites in 2015. Unfortunately, the strategy also gives truth to the old adage that people are the weakest link in security.

Two reports released by vendors on Thursday hope to give CISOs a little more insight into phishing attacks.

One, from PhishLabs, says it is currently tracking more than 90 threat actor groups that use spear phishing, with experience ranging from novice cybercriminals to advanced nation-state cyber operations. The number of organizations targeted with the so-called Business Email Compromise (BEC) spear phishing attacks – aimed narrowly at senior officials, with the phishing mail impersonating an executive – grew tremendously in 2015, it adds.

“Phishing attacks are cheap, easy to execute and difficult to stop,” it says. “People will continue to fall for phishing attacks. No security tool or training regimen will prevent that from happening. But by detecting phishing attacks early, when they are launched and as soon as they reach inboxes, it is possible to stop the attack and prevent the consequences even if someone does initially fall victim.”

Other significant findings include:

  • 90 per cent of consumer-focused phishing attacks targeted financial institutions, cloud storage/file hosting sites, webmail and online services, e-commerce sites, and payment services;
  • Gmail is used for more than half of all data drop email accounts, making it the top webmail service used by attackers to receive credentials stolen in phishing;
  • Social media is a primary promotion and distribution channel for consumer-focused phishing kits and related goods or services.
  • Techniques to evade your automated detection of phishing attacks and to prevent analysis of attack components are becoming more commonplace, even among less sophisticated threat actors.

Read more here

#CyberFLASH: CIO advice on cybersecurity – from education to investment


Security remains top of mind for organizations across Canada from IT leaders all the way up to the executive boardroom. Here in British Columbia, there is an annual event called the BC Aware Campaign which is meant to educate the broader community on today’s modern cybersecurity challenges.

Oliver Grüter-Andrew is the CIO of the Provincial Health Services Authority (PHSA), Vancouver Coastal Health (VCH) and Providence Health Care (PHC) in British Columbia. He will be participating in a panel discussion put on by the Vancouver chapter of the CIO Association of Canada. The three health organizations for which Oliver has IM/IT responsibility have a combined workforce of over 95,000 staff, physicians, nurses and volunteers.

PHSA’s primary role is to ensure that British Columbia residents have access to a coordinated network of high-quality specialized health care services and also operates provincial agencies including BC Children’s Hospital, BC Transplant, and BC Cancer Agency. VCH and PHC provide hospital and community care services in BC’s Lower Mainland, as well as a series of specialized tertiary services for all BC residents. All three organizations have an extensive research and teaching focus.

I spoke with Oliver to get his unique leadership perspective and insight across a variety of topics related to cybersecurity – from education to investment.

Brian: What current threats are driving investments in security?

Oliver: “In healthcare, we are concerned about many of the same security threats that also affect other sectors: there is a significant rise in phishing attacks that aim to take over an identity to access confidential files. The

Read more here

#CyberFLASH: Canadian data breaches in 2015: Big firms weren’t the only targets


Of all the publicly-disclosed data or privacy breaches in this country in 2015, one topped them all by a wide margin: Ashley Madison.

With over 30 million records exposed from the dating site, a $578 million class action suit filed against parent Avid Life Media, and the CEO resigning after his emails were published, the attack is easily one of the largest reported in Canadian history.

But it’s easy for infosec pros to sit back and think, ‘Thank Gawd my company isn’t such a big fat target.’ Instead, they should remember all of the smaller breaches that happened this year as a lesson that corporations and government departments aren’t the only targets. Here’s just three of them:

–A successful phishing attack in September against the Association of Professional Engineers and Geoscientists of Alberta (APEGA) yielded members’ names, email addresses and association ID numbers. The vehicle was an email supposedly from CEO Mark Flint. The association has 75,000 members, but it didn’t say how many names were exposed;

–This month a Calgary wine store had to pay $500 in Bitcoin to meet a ransomware demand or lose access to its database. According to the CBC, after paying, the company received an unofficial receipt thanking it for the involuntary “purchase”;

–Worried about insider threats? Here’s one you weren’t thinking about: Senior bureaucrats at British Columbia’s District of Saanich approved the installation of monitoring software on certain computers — including the mayor’s. Somehow he didn’t get told. Among other things, staff were afraid he might discover IT security shortcomings.

These are some of the incidents involving better-known organizations:

–A Rogers Communications staffer was the victim of a phishing attack that led to the loss of a “small number” of business agreements, which included business name, address, phone number and pricing details of the corporate customers, but not personal or financial information;

Read more here

#CyberFLASH: Insurance Institute of Canada report encourages p&c organizations to build cyber resiliency; cites business opportunity in expanding coverage

Canadian property and casualty insurance organizations should bolster the defences of their organizations and those of their clients against cyber threats by developing a culture of cyber security, recommends a new research report issued Tuesday by the Insurance Institute of Canada (IIC).

“Insurance organizations are encouraged to build a corporate culture of cyber security that includes actions to address technological threats and security training for employees,” notes an IIC statement announcing the release of Cyber Risks: Implications for the Insurance Industry in Canada, which assesses cyber risk from the perspective of the Canadian p&c insurance industry.

The research report cites a study by Intel’s McAfee and the Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime, which estimates the global cost of cyber crime in 2013 at US$375 billion to US$575 billion. “The global impact of cyber crime is similar to estimates by the United Nations of the international production, trafficking and sales of illicit drugs (US$400 billion) and the worldwide damage resulting from vehicle collisions (US$518 billion),” states the report.

According to the report, the most common forms of cyber attacks were theft and other data attacks, malware (phishing and pharming) and mechanisms to infect computers (viruses, worms, Trojan horses). The report notes that in 2013, the 3,700 clients of IBM’s Managed Security Services experienced seven or eight cyber incidents each month, on average. About half of those attacks – including scams to steal credit card information, website vandalism, corporate espionage and denial-of-service attacks – were directed at the manufacturing (27%) and financial services (21%) industries.

Read more here

#CyberFLASH: McAfee’s twelve scams of the holidays

With electronic and online shopping predicted to be at an all-time high this holiday season, Canadian consumers should be extra wary of cyber-attacks, according to Brenda Moretto, Canadian consumer manager at McAfee, now part of Intel Security.

Citing figures that place Canada’s web hosts at the number three spot in harbouring phishing domains, Moretto said that Canadians are “no less vulnerable” to threats such as cyber scams and malware.

In response, the security software company outlined the “12 Scams of the Holidays” that Canadians should be aware of:

  1. Phishing scams through email top the list with emails disguised as shipping notifications and invoices to fit the season. According to Moretto, hackers are trying to capitalize on the increased flow of money to score banking information and other personal details. Consumers are also more likely to click on fraudulent links during periods of high shopping activity.
  2. Fraudulent deals can also make an appearance online or in your inbox, offering unbeatable prices at the cost of your (information). These extend beyond dangerous links to “phony contests on social media and bogus gift cards,” according to an official McAfee statement.

Read more here

#CyberFLASH: Mock email scam at Justice Canada snares hundreds of bureaucrats


OTTAWA—Many of the Justice Department’s finest legal minds are falling prey to a garden-variety Internet scam.

An internal survey shows almost 2,000 staff were conned into clicking on a phoney “phishing” link in their email, raising questions about the security of sensitive information.

The department launched the mock scam in December as a security exercise, sending emails to 5,000 employees to test their ability to recognize cyber fraud.

The emails looked like genuine communications from government or financial institutions, and contained a link to a fake website that was also made to look like the real thing.

The Justice Department’s mock exercise caught 1,850 people clicking on the phoney embedded links, or 37 per cent of everyone who received the emails.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.