12 hacks of xmas

1. Smishing

You’ve probably received enough emails trying to get you to click a link or provide your credentials to be familiar with phishing, but you may not be up to speed on SMS/text-based attacks. Smishing messages are usually designed to get a user to click a malicious link that either downloads malware or captures account credentials by sending you to a cloned version of a real website.

Smishing texts are harder to recognize than phishing emails because they are shorter and thus show fewer of the telltale signs of a scam. 

Takeaways: Don’t click on any incoming links sent to your mobile device from senders you don’t recognize, and bear in mind that sender numbers can be spoofed.

2. Pig butchering

Have you ever received a LinkedIn request from a former colleague you don’t remember working with? Or a Facebook friend request from a completely unfamiliar “classmate” who is nonetheless friends with people you know?

In a pig butchering scam, someone pretending to be a long-lost acquaintance, friend, or relative earns a target’s trust and then offers “investment opportunities” or tells sob stories attached to requests for money. Cryptocurrency is often the preferred medium of payment because it’s harder to trace and recoup.

The information used to target people comes from their posts on social media and other open-source resources.

Takeaways: Conduct personal privacy audits by checking to see what information is publicly available about you online. There’s probably a lot more than you think. Don’t assume you know someone just because they seem to know a lot about you. 

3. Double spear phishing

It should come as no surprise that cybercriminals tend to be greedy. Often, when a threat actor has stolen your financial information, they will drill down into other accounts and information that can be used to make money.

In a double spear attack, an individual is targeted. Once a victim is “speared,” the phisher will attempt to get their financial information. They can then either transfer funds from the victim’s account to their own or expand the attack to harvest the victim’s other account credentials.

Takeaways: Put a freeze on your credit with the three major agencies (Equifax, TransUnion and Experian). If you do get compromised, the scammer won’t be able to open new lines of credit in your name. Enable transaction alerts on your accounts to warn you of suspicious activity. Check and double-check any invoices or incoming emails before clicking links or providing any information.

Be on the lookout for telltale signs of phishing emails including misspelled domain names, grammatical errors, or unfamiliar sender email addresses. If an email claims to be from PayPal customer support, but the sender email address is sddffsgsgdg.32@fassfd.kz, it’s a scam.
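The display-name-versus-domain mismatch described above can be checked mechanically. The following is an added example, not code from the original post; the brand allowlist and the sample headers are constructed for illustration, and the heuristic catches brand names in the wrong domain but not homoglyph lookalikes.

```javascript
// Added example (not from the original post): flag a From: header whose
// display name invokes a brand while the address domain is not that brand's.
// Constructed allowlist: brand keyword -> domains the brand actually sends from.
const BRAND_DOMAINS = {
  paypal: ['paypal.com'],
  microsoft: ['microsoft.com', 'outlook.com'],
};

// Split 'Display Name <user@domain>' (or a bare address) into its parts.
function parseFrom(header) {
  const m = header.match(/^\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$/);
  const name = m ? (m[1] || '').trim() : '';
  const addr = (m ? m[2] : header).trim().toLowerCase();
  const at = addr.lastIndexOf('@');
  return { name, addr, domain: at >= 0 ? addr.slice(at + 1) : '' };
}

// A domain is legitimate for a brand if it is, or is a subdomain of, an allowed domain.
function domainAllowed(domain, allowed) {
  return allowed.some((d) => domain === d || domain.endsWith('.' + d));
}

// Returns the brand being impersonated, or null if the header looks consistent.
// "Claiming" a brand means naming it in the display name or embedding it in
// the domain (e.g. paypal-verify.example.kz), which catches the common lookalikes.
function suspiciousSender(header) {
  const { name, domain } = parseFrom(header);
  const lowerName = name.toLowerCase();
  for (const [brand, allowed] of Object.entries(BRAND_DOMAINS)) {
    const claimsBrand = lowerName.includes(brand) || domain.includes(brand);
    if (claimsBrand && !domainAllowed(domain, allowed)) return brand;
  }
  return null;
}

// Constructed sample headers, including the one quoted in the post.
const SAMPLE_HEADERS = [
  '"PayPal Customer Support" <sddffsgsgdg.32@fassfd.kz>',
  'PayPal <service@paypal.com>',
  'Support <help@paypal-verify.example.kz>',
];
for (const h of SAMPLE_HEADERS) {
  console.log(suspiciousSender(h) ? `SUSPICIOUS (${suspiciousSender(h)}): ${h}` : `ok: ${h}`);
}
```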

4. Triple extortion ransomware 

Cybercriminals tend to be greedy. If there’s an extra opportunity to squeeze more money from a victim they’ll go for it. Case in point: triple extortion ransomware.

Ransomware is straightforward: cybercriminals encrypt the files on your device, or on multiple devices across a network, and you have to pay in order to regain access.

With double extortion ransomware, you pay extra to keep information exfiltrated during the attack from being leaked.

With triple extortion ransomware, you not only have to pay to keep your data from being leaked; your clients and other contacts also get hit up for money to protect any data that could compromise them.

Takeaways: Report ransomware attacks to the authorities. It may not help you in the short term, but it could help track down the cybercrime syndicate responsible. Follow the 3-2-1 method of data backups: keep at least three copies of your data on at least two different media, with at least one copy in a different location.

5. Credential stealing apps 

While both Google and Apple put a lot of time and energy into policing their respective app stores, malicious apps can and do slip by filters. 

With an estimated 3,700 Android apps added daily to Google Play alone, cybercriminals are keenly aware of the opportunity to hide malware capable of stealing account credentials, financial information and cryptocurrency addresses under the guise of seemingly innocuous apps.

Among the more infamous is the Joker malware, which has appeared multiple times on Google Play in dozens of forms and made its way onto hundreds of thousands of devices.

Takeaways: Practice extreme caution when installing any new app to a mobile device, especially for Android, which has historically had a worse track record of preventing malicious apps from appearing on Google Play. Check reviews, version histories and the development teams responsible for apps before installing them. Be on the lookout for unusual behavior on your mobile device. Unexpectedly slow performance and overheating are often indicators of malware activity.

6. Wiper malware 

Wiper malware destroys data. It has been around since at least 2012 but has become more common since Russia invaded Ukraine. Several strains are designed to resemble ransomware (some even demand payment in return for a non-existent decryption key), but the goal of most wiper attacks is sabotage rather than financial gain.

Wipers are a tool of state-sponsored threat actors going after high-value targets, but they propagate across network-connected devices, which can cause collateral damage to personal computers.

Takeaway: Back up your files regularly and keep anti-malware and other security software installed and up to date on all of your devices, especially any device you use for both personal and work-related purposes. But seriously, hire a professional to keep you safe if you think you’re a potential target.

7. Browser-in-the-Browser Attacks 

You’ve done your homework. You know to check the URL before entering in your credentials. You look for the lock to make sure your information is being sent in an encrypted format. There’s just one problem: You’re not actually entering your information into a “real” browser window.

Browser-in-the-browser (BitB) attacks are an update on an old scam. Rather than creating cloned pages with domain names similar to legitimate websites, hackers clone your web browser with a popup window made to look like a “login via Google/Facebook/Microsoft” prompt.

It doesn’t matter what browser or operating system you’re using; a script detects both before loading the page, making the fake window a near-perfect facsimile of whatever you use to browse the web. The one thing a BitB window can’t do is move outside of its parent browser window, because it is drawn inside the page rather than opened as a separate window. In other words, if you try dragging the login window past the outer edge of your web browser, the illusion falls apart.

Takeaway: BitB attacks may look convincing, but they still require that first step of any phishing attack: clicking a link. Take your time when reading any email or browsing the web. Always double-check URLs, and if something doesn’t look quite right, don’t enter your information.

8. Phishing-as-a-Service (PHaaS)

Cybercrime gangs are making higher profits with less risk by renting out their phishing software packages, something known as Phishing-as-a-Service (PHaaS). These phishing toolkits have everything a hacker needs, including lists of viable targets, email templates, cloned websites and more, for anywhere between $50 and $80 a month. Most are even able to bypass multi-factor authentication protections, which we discussed in a recent episode of What the Hack.

It’s a repeat of what ransomware syndicates have been doing for some time now, lowering the bar for entry into cybercrime.

Takeaways: PHaaS-based attacks are harder to recognize than standard phishing attacks, but the overall strategies to protect yourself remain the same: be careful when opening emails even if they are from known contacts, double-check URLs before clicking links, and be extremely careful when providing credentials or financial information online.

9. SIM Jacking 

We all know it is possible to transfer your phone number to another device; otherwise you would have to get a new phone number every time you get a new phone. When criminals transfer your number to a device in their possession, it’s called SIM swapping.

While it may sound more irritating than threatening, the criminal now has access to your 2-factor authentication codes as well as communications from financial institutions, friends and family; it’s all going to someone else.

Mobile devices contain sensitive information and act as a key to non-mobile accounts via 2-factor authentication, and all that stands between your phone and a cybercriminal is a low-level employee at a wireless carrier willing to accept a bribe in exchange for the keys to your digital life.

While some wireless providers have added extra protections to prevent SIM jacking, it’s still a threat and a relatively straightforward route to stealing your identity.

Takeaways: Consider using app-based authentication rather than SMS-based messages to protect your accounts. If your phone number is compromised, act quickly; a few minutes spent updating the credentials for any accounts connected to it may save you hours (and quite a few headaches) further down the line.

10. E-skimming 

It might not look like it, but every website you visit is a composite of several files and programs loaded from multiple sources. All it takes is for one outdated or compromised script to place a rogue piece of code capable of intercepting your payment information in transit.

The issue isn’t hypothetical. Hundreds, if not thousands, of e-commerce sites, ranging from Ticketmaster to smaller mom-and-pop businesses, have been hit, resulting in fraudulent charges on customer accounts. Industry-standard cybersecurity measures such as SSL encryption offer little to no protection, because the skimmer runs inside the page and captures what you type before it is encrypted for transit; there is no way to be 100% sure your information is not being captured. (Cheers.)

Takeaways: You can’t prevent an e-skimming attack, but you can mitigate the risks by using a credit card instead of a debit card. The protections are stronger and it’s a lot easier to get your money back in the event of any kind of online skullduggery. 

11. Instabans / Ban-as-a-Service

When it comes to protecting the security of its users, Instagram’s history is checkered at best. We’ve covered how the platform fails to protect its highest-profile users on What the Hack, including the way cybercriminals monetize account takeovers as well as the banning of user accounts. 

Why would anyone want to pay to ban an Instagram account? Many creative professionals use the social network as a digital portfolio and a crucial line of communication with both clients and fans. The banning is followed quickly by a request for a “restoration fee.” Unfortunately, the ransom doesn’t get the victim’s account unlocked.

Takeaways: Enable two-factor authentication for your account and, if you use Instagram for professional reasons, try to get your account verified.

12. Google Ad Scams 

Google dominates the online advertising world. Its search engine processes over 8.5 billion queries per day, and it reserves the top several spots for paid listings. The problem is that anyone can launch an ad campaign targeting their desired results, including cybercriminals.

Many online scams direct victims to destinations or operatives ready to extract sensitive information or transfer funds. With very little up-front cost (often paid with stolen payment card data), a cybercriminal can create a seemingly legitimate and highly visible advertisement. This is made even harder to identify on the victim’s end, since Google Ads creates aliases for phone numbers and addresses for tracking purposes.

Takeaways: Take it slow and scroll down past the paid search results to the natural, or “organic,” listings. It’s a lot harder for a scam website to fool the algorithms Google uses to index sites, which tend to favor more popular, long-standing brands.