Login
One of the cybercrime underground’s more active sellers of Social Security numbers, background and credit reports has been pulling data from hacked accounts at the U.S. consumer data broker USinfoSearch, KrebsOnSecurity has learned.
Since at least February 2023, a service advertised on Telegram called USiSLookups has operated an automated bot that allows anyone to look up the SSN or background report on virtually any American. For prices ranging from $8 to $40 and payable via virtual currency, the bot will return detailed consumer background reports automatically in just a few moments.
USiSLookups is the project of a cybercriminal who uses the nicknames JackieChan/USInfoSearch, and the Telegram channel for this service features a small number of sample background reports, including that of President Joe Biden, and podcaster Joe Rogan. The data in those reports includes the subject’s date of birth, address, previous addresses, previous phone numbers and employers, known relatives and associates, and driver’s license information.
JackieChan’s service abuses the name and trademarks of Columbus, OH based data broker USinfoSearch, whose website says it provides “identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more.”
“We specialize in non-FCRA data from numerous proprietary sources to deliver the information you need, when you need it,” the company’s website explains. “Our services include API-based access for those integrating data into their product or application, as well as bulk and batch processing of records to suit every client.”
As luck would have it, my report was also listed in the Telegram channel for this identity fraud service, presumably as a teaser for would-be customers. On October 19, 2023, KrebsOnSecurity shared a copy of this file with the real USinfoSearch, along with a request for information about the provenance of the data.
USinfoSearch said it would investigate the report, which appears to have been obtained on or before June 30, 2023. On Nov. 9, 2023, Scott Hostettler, general manager of USinfoSearch parent Martin Data LLC shared a written statement about their investigation that suggested the ID theft service was trying to pass off someone else’s consumer data as coming from USinfoSearch:
Regarding the Telegram incident, we understand the importance of protecting sensitive information and upholding the trust of our users is our top priority. Any allegation that we have provided data to criminals is in direct opposition to our fundamental principles and the protective measures we have established and continually monitor to prevent any unauthorized disclosure. Because Martin Data has a reputation for high-quality data, thieves may steal data from other sources and then disguise it as ours. While we implement appropriate safeguards to guarantee that our data is only accessible by those who are legally permitted, unauthorized parties will continue to try to access our data. Thankfully, the requirements needed to pass our credentialing process is tough even for established honest companies.
USinfoSearch’s statement did not address any questions put to the company, such as whether it requires multi-factor authentication for customer accounts, or whether my report had actually come from USinfoSearch’s systems.
After much badgering, on Nov. 21 Hostettler acknowledged that the USinfoSearch identity fraud service on Telegram was in fact pulling data from an account belonging to a vetted USinfoSearch client.
“I do know 100% that my company did not give access to the group who created the bots, but they did gain access to a client,” Hostettler said of the Telegram-based identity fraud service. “I apologize for any inconvenience this has caused.”
Hostettler said USinfoSearch heavily vets any new potential clients, and that all users are required to undergo a background check and provide certain documents. Even so, he said, several fraudsters each month present themselves as credible business owners or C-level executives during the credentialing process, completing the application and providing the necessary documentation to open a new account.
“The level of skill and craftsmanship demonstrated in the creation of these supporting documents is incredible,” Hostettler said. “The numerous licenses provided appear to be exact replicas of the original document. Fortunately, I’ve discovered several methods of verification that do not rely solely on those documents to catch the fraudsters.”
“These people are unrelenting, and they act without regard for the consequences,” Hostettler continued. “After I deny their access, they will contact us again within the week using the same credentials. In the past, I’ve notified both the individual whose identity is being used fraudulently and the local police. Both are hesitant to act because nothing can be done to the offender if they are not apprehended. That is where most attention is needed.”
JackieChan is most active on Telegram channels focused on “SIM swapping,” which involves bribing or tricking mobile phone company employees into redirecting a target’s phone number to a device the attackers control. SIM swapping allows crooks to temporarily intercept the target’s text messages and phone calls, including any links or one-time codes for authentication that are delivered via SMS.
Reached on Telegram, JackieChan said most of his clients hail from the criminal SIM swapping world, and that the bulk of his customers use his service via an application programming interface (API) that allows customers to integrate the lookup service with other web-based services, databases, or applications.
“Sim channels is where I get most of my customers,” JackieChan told KrebsOnSecurity. “I’m averaging around 100 lookups per day on the [Telegram] bot, and around 400 per day on the API.”
JackieChan claims his USinfoSearch bot on Telegram abuses stolen credentials needed to access an API used by the real USinfoSearch, and that his service was powered by USinfoSearch account credentials that were stolen by malicious software tied to a botnet that he claims to have operated for some time.
This is not the first time USinfoSearch has had trouble with identity thieves masquerading as legitimate customers. In 2013, KrebsOnSecurity broke the news that an identity fraud service in the underground called “SuperGet[.]info” was reselling access to personal and financial data on more than 200 million Americans that was obtained via the big-three credit bureau Experian.
The consumer data resold by Superget was not obtained directly from Experian, but rather via USinfoSearch. At the time, USinfoSearch had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the USinfoSearch data, and vice versa.
When Court Ventures was purchased by Experian in 2012, the proprietor of SuperGet — a Vietnamese hacker named Hieu Minh Ngo who had impersonated an American private investigator — was grandfathered in as a client. The U.S. Secret Service agent who oversaw Ngo’s capture, extradition, prosecution and rehabilitation told KrebsOnSecurity he’s unaware of any other cybercriminal who has caused more material financial harm to more Americans than Ngo.
JackieChan also sells access to hacked email accounts belonging to law enforcement personnel in the United States and abroad. Hacked police department emails can come in handy for ID thieves trying to pose as law enforcement officials who wish to purchase consumer data from platforms like USinfoSearch. Hence, Mr. Hostettler’s ongoing battle with fraudsters seeking access to his company’s service.
These police credentials are mainly marketed to criminals seeking fraudulent “Emergency Data Requests,” wherein crooks use compromised government and police department email accounts to rapidly obtain customer account data from mobile providers, ISPs and social media companies.
Normally, these companies will require law enforcement officials to supply a subpoena before turning over customer or user records. But EDRs allow police to bypass that process by attesting that the information sought is related to an urgent matter of life and death, such as an impending suicide or terrorist attack.
In response to an alarming increase in the volume of fraudulent EDRs, many service providers have chosen to require all EDRs be processed through a service called Kodex, which seeks to filter EDRs based on the reputation of the law enforcement entity requesting the information, and other attributes of the requestor.
For example, if you want to send an EDR to Coinbase or Twilio, you’ll first need to have valid law enforcement credentials and create an account at the Kodex online portal at these companies. However, Kodex may still throttle or block any requests from any accounts if they set off certain red flags.
Within their own separate Kodex portals, Twilio can’t see requests submitted to Coinbase, or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor’s email address.
In August, JackieChan was advertising a working Kodex account for sale on the cybercrime channels, including redacted screenshots of the Kodex account dashboard as proof of access.
Kodex co-founder Matt Donahue told KrebsOnSecurity his company immediately detected that the law enforcement email address used to create the Kodex account pictured in JackieChan’s ad was likely stolen from a police officer in India. One big tipoff, Donahue said, was that the person creating the account did so using an Internet address in Brazil.
“There’s a lot of friction we can put in the way for illegitimate actors,” Donahue said. “We don’t let people use VPNs. In this case we let them in to honeypot them, and that’s how they got that screenshot. But nothing was allowed to be transmitted out from that account.”
Massive amounts of data about you and your personal history are available from USinfoSearch and dozens of other data brokers that acquire and sell “non-FCRA” data — i.e., consumer data that cannot be used for the purposes of determining one’s eligibility for credit, insurance, or employment.
Anyone who works in or adjacent to law enforcement is eligible to apply for access to these data brokers, which often market themselves to police departments and to “skip tracers,” essentially bounty hunters hired to locate others in real life — often on behalf of debt collectors, process servers or a bail bondsman.
There are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone. And the harsh reality is that all it takes for hackers to apply for access to data brokers (and abuse the EDR process) is illicit access to a single police email account.
The trouble is, compromised credentials to law enforcement email accounts show up for sale with alarming frequency on the Telegram channels where JackieChan and their many clients reside. Indeed, Donahue said Kodex so far this year has identified attempted fake EDRs coming from compromised email accounts for police departments in India, Italy, Thailand and Turkey.
One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.
In August 2023, security researcher Randy McEoin blogged about a scam he dubbed ClearFake, which uses hacked WordPress sites to serve visitors with a page that claims you need to update your browser before you can view the content.
The fake browser alerts are specific to the browser you’re using, so if you’re surfing the Web with Chrome, for example, you’ll get a Chrome update prompt. Those who are fooled into clicking the update button will have a malicious file dropped on their system that tries to install an information stealing trojan.
Earlier this month, researchers at the Tel Aviv-based security firm Guardio said they tracked an updated version of the ClearFake scam that included an important evolution. Previously, the group had stored its malicious update files on Cloudflare, Guardio said.
But when Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and “smart contracts,” or coded agreements that execute actions automatically when certain conditions are met.
Nati Tal, head of security at Guardio Labs, the research unit at Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract’s functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.
“These contracts offer innovative ways to build applications and processes,” Tal wrote along with his Guardio colleague Oleg Zaytsev. “Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown.”
Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact.
“So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces,” Tal said.
Attacker-controlled BSC addresses — from funding, contract creation, and ongoing code updates. Image: Guardio
In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.
“This model is designed to proactively identify and mitigate potential threats before they can cause harm,” BNB Smart Chain wrote. “The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible.”
Guardio says the crooks behind the BSC malware scheme are using the same malicious code as the attackers that McEoin wrote about in August, and are likely the same group. But a report published today by email security firm Proofpoint says the company is currently tracking at least four distinct threat actor groups that use fake browser updates to distribute malware.
Proofpoint notes that the core group behind the fake browser update scheme has been using this technique to spread malware for the past five years, primarily because the approach still works well.
“Fake browser update lures are effective because threat actors are using an end-user’s security training against them,” Proofpoint’s Dusty Miller wrote. “In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser.”
More than a decade ago, this site published Krebs’s Three Rules for Online Safety, of which Rule #1 was, “If you didn’t go looking for it, don’t install it.” It’s nice to know that this technology-agnostic approach to online safety remains just as relevant today.
Your phone buzzes. You hope it’s a reply from last night’s date, but instead you get an entirely different swooping feeling: It’s an alarming SMS text alerting you about suspicious activity on your bank account and that immediate action is necessary.
Take a deep breath and make sure to read the message carefully. Luckily, your assets could be completely safe. It could just be a smisher.
Smishing, or phishing over SMS, is a tactic where cybercriminals impersonate reputable organizations or people and trick people into handing over their PII or financial details. Sometimes they can seem very credible with the information they have, and you may have even been expecting a correspondence of a similar nature.
So how can you tell when an SMS text is real and requires your attention? And how should you deal with a smisher to keep your identity safe?
Like email phishing and social media phishing,
SMS text phishing often tries to use a strong emotion – like fear, anger, guilt, or excitement – to get you to respond immediately and without thinking through the request completely.
In the case of one coordinated smishing attack, cybercriminals not only impersonated financial institutions but collected PII on their targets ahead of time. The criminals then used these personal details – like old addresses and Social Security Numbers – to convince people that they were legitimate bank employees.1 But since when does a bank try to prove itself to the customer? Usually, it’s the other way around, where they’ll ask you to confirm your identity. Be wary of anyone who texts or calls you and has your PII. If you’re ever suspicious of a caller or texter claiming they’re a financial official, contact your bank through verified channels (chat, email, or phone) you find on the bank’s website to make sure.
Smishers often keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. This adds false legitimacy to their message. For example, in the summer of 2022, Rogers Communications, a Canadian telecommunications provider, experienced an extended loss of service and told customers they could expect a reimbursement. Smishers jumped on the opportunity and sent a barrage of fake texts requesting banking details in order to carry out the reimbursement.2 However, Rogers credited customers directly to their Rogers accounts.
If you receive a suspicious text, go through these three steps to determine if you should follow up with the organization in question or simply delete and report the text.
Do you have text alerts enabled for your bank and utility accounts? If not, disregard any text claiming to be from those organizations. Companies will only contact you through the channels you have approved. Also, in the case of the Rogers smishing scheme, be aware of how a company plans to follow up with customers regarding reimbursements. You can find information like this on their official website and verified social channels.
If the tone of the text urges you to act quickly or proposes a dire consequence of ignoring the message, be on alert. While suspicious activity on your credit card is serious, your bank will likely reimburse you for charges you didn’t make, so you have time to check your bank account and see recent activities. Official correspondence from financial institutions will always be professional, typo-free, and will try to put you at ease, not make you panic.
Whenever you get a text from someone you don’t know, it’s a good practice to do an internet search for the number to see with whom it’s associated. If it’s a legitimate number, it should appear on the first page of the search results and direct to an official bank webpage.
Once you’ve identified a fake SMS alert, do not engage with it. Never click on any links in the message, as they can redirect you to risky sites or download malware to your device. If you have McAfee Safe Browsing on your mobile, it can be your backup if you accidentally open a malicious link.
Also, don’t reply to the text. A reply lets the criminal on the other end know that they reached a valid phone number, which may cause them to redouble their efforts. Finally, block the number and report it as spam.
A great absolute rule to always follow is to never give out your Social Security Number, banking information, usernames, or passwords over text.
To give you peace of mind in cases where you think a malicious actor has access to your PII, you can count on McAfee+. McAfee+ offers a comprehensive suite of identity and privacy protection services to help you feel more confident in your digital life.
1PC Mag, “Scammers Are Using Fake SMS Bank Fraud Alerts to Phish Victims, FBI Says”
2Daily Hive, “Rogers scam alert: Texts offering credit after outage are fake”
The post What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe appeared first on McAfee Blog.
It’s hard to imagine a world without cellphones. Whether it be a smartphone or a flip phone, these devices have truly shaped the late 20th century and will continue to do so for the foreseeable future. But while users have become accustomed to having almost everything they could ever want at fingertips length, cybercriminals were busy setting up shop. To trick unsuspecting users, cybercriminals have set up crafty mobile threats – some that users may not even be fully aware of. These sneaky cyberthreats include SMSishing, fake networks, malicious apps, and grayware, which have all grown in sophistication over time. This means users need to be equipped with the know-how to navigate the choppy waters that come with these smartphone-related cyberthreats. Let’s get started.
If you use email, then you are probably familiar with what phishing is. And while phishing is commonly executed through email and malicious links, there is a form of phishing that specifically targets mobile devices called SMSishing. This growing threat allows cybercriminals to utilize messaging apps to send unsuspecting users a SMSishing message. These messages serve one purpose – to obtain personal information, such as logins and financial information. With that information, cybercriminals could impersonate the user to access banking records or steal their identity.
While this threat was once a rarity, it’s rise in popularity is two-fold. The first aspect being that users have been educated to distrust email messages and the second being the rise in mobile phone usage throughout the world. Although this threat shows no sign of slowing down, there are ways to avoid a cybercriminal’s SMSishing hooks. Get started with these tips:
Public and free Wi-Fi is practically everywhere nowadays, with some destinations even having city-wide Wi-Fi set up. But that Wi-Fi users are connecting their mobile device to may not be the most secure, given cybercriminals can exploit weaknesses in these networks to intercept messages, login credentials, or other personal information. Beyond exploiting weaknesses, some cybercriminals take it a step further and create fake networks with generic names that trick unsuspecting users into connecting their devices. These networks are called “evil-twin” networks. For help in spotting these imposters, there are few tricks the savvy user can deploy to prevent an evil twin network from wreaking havoc on their mobile device:
Fake apps have become a rampant problem for Android and iPhone users alike. This is mainly in part due to malicious apps hiding in plain sight on legitimate sources, such as the Google Play Store and Apple’s App Store. After users download a faulty app, cybercriminals deploy malware that operates in the background of mobile devices which makes it difficult for users to realize anything is wrong. And while users think they’ve just downloaded another run-of-the-mill app, the malware is hard at work obtaining personal data.
In order to keep sensitive information out of the hands of cybercriminals, here are a few things users can look for when they need to determine whether an app is fact or fiction:
With so many types of malware out in the world, it’s hard to keep track of them all. But there is one in particular that mobile device users need to be keenly aware of called grayware. As a coverall term for software or code that sits between normal and malicious, grayware comes in many forms, such as adware, spyware or madware. While adware and spyware can sometimes operate simultaneously on infected computers, madware — or adware on mobile devices — infiltrates smartphones by hiding within rogue apps. Once a mobile device is infected with madware from a malicious app, ads can infiltrate almost every aspect on a user’s phone. Madware isn’t just annoying; it also is a security and privacy risk, as some threats will try to obtain users’ data. To avoid the annoyance, as well as the cybersecurity risks of grayware, users can prepare their devices with these cautionary steps:
The post Cybercrime’s Most Wanted: Four Mobile Threats that Might Surprise You appeared first on McAfee Blog.
Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources.
If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University.
The LinkedIn profile for Victor Sites, who is most certainly NOT the CISO of Chevron.
Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. When KrebsOnSecurity did that earlier this morning, the fake CISO profile was the very first search result returned (followed by the LinkedIn profile for the real Chevron CISO).
Helpfully, LinkedIn seems to be able to detect something in common about all these fake CISO profiles, because it suggested I view a number of them in the “People Also Viewed” column seen in the image above. There are two fake CISO profiles suggested there, including one for a Maryann Robles, who claims to be the CISO of another energy giant — ExxonMobil.
Maryann’s profile says she’s from Tupelo, Miss., and includes this detail about how she became a self-described “old-school geek.”
“Since playing Tradewars on my Tandy 1000 with a 300 baud modem in the early ’90s, I’ve had a lifelong passion for technology, which I’ve carried with me as Deputy CISO of the world’s largest health plan,” her profile reads.
However, this description appears to have been lifted from the profile for the real CISO at the Centers for Medicare & Medicaid Services in Baltimore, Md.
Interestingly, Maryann’s LinkedIn profile was accepted as truth by Cybercrime Magazine’s CISO 500 listing, which claims to maintain a list of the current CISOs at America’s largest companies:
The fake CISO for ExxOnMobil was indexed in Cybercrime Magazine’s CISO 500.
Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week.
“It’s interesting the downstream sources that repeat LinkedIn bogus content as truth,” Mason said. “This is dangerous, Apollo.io, Signalhire, and Cybersecurity Ventures.”
Google wasn’t fooled by the phony LinkedIn profile for Jennie Biller, who claims to be CISO at biotechnology giant Biogen (the real Biogen CISO is Russell Koste). But Biller’s profile is worth mentioning because it shows how some of these phony profiles appear to be quite hastily assembled. Case in point: Biller’s name and profile photo suggest she is female, however the “About” description of her accomplishments uses male pronouns. Also, it might help that Jennie only has 18 connections on LinkedIn.
Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
None of the profiles listed here responded to requests for comment (or to become a connection).
In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down.
“We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam.”
LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.
The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.
“If I saw that a LinkedIn profile had been domain-validated, then my confidence in that profile would go way up,” Mason said, noting that many of the fake profiles had hundreds of followers, including dozens of real CISOs. Maryann’s profile grew by a hundred connections in just the past few days, he said.
“If we have CISOs that are falling for this, what hopes do the masses have?” Mason said.
Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company.
“I shot a note to LinkedIn and said please remove this, and they said, well, we have to contact that person and arbitrate this,” he said. “They gave the guy two weeks and he didn’t respond, so they took it down. But that doesn’t scale, and there needs to be a mechanism where an employer can contact LinkedIn and have these fake profiles taken down in less than two weeks.”
“Congratulations, you’re a winner!”
“Did you know this public figure is trying to make your life worse? Click here for what they don’t want you to know.”
“Save thousands today with just one click!”
Spam and bot accounts on social media are everywhere. You’ve likely encountered messages like these that attempt to get you to click on links or to stir your emotions in a frenzy. While bot accounts are usually more of an annoyance than anything, when they’re allowed to run rampant, they can quickly become dangerous to your personally identifiable information (PII) and create an emotionally charged mob mentality.
Here’s what you should know about bot accounts, including how to steer clear of menacing ones, plus a reminder to watch what you share on (and with) social media sites.
Bot accounts are software-automated accounts that try to blend in and act like a real user. They post updates and follow other users, though there isn’t a real person behind the account. A spam account is a type of bot account that attempts to gain financially from its automated posts. Everyday people should be wary of social media bot accounts because they can be used to disseminate false information or phishing scams.
One whistleblower of a social media giant recently divulged that the platform isn’t prioritizing deactivating bot accounts.1 This apathy sparks concerns about the company’s commitment to the security of its users. In the whistleblower’s same report, he stated that the social media site isn’t taking the necessary steps to protect itself from potential inside threats and it had fallen victim to at least 20 breaches in 2020 without reporting the incidents to the proper authorities.
Some bot accounts aren’t malicious (merely an annoying tactic by companies to spread the word about their business), but it’s best to give all of them a wide berth and never click on any links in their posts. Those links could direct to unsecured outside sites laden with malware or drop you in the middle of a phishing scheme.
You can often spot a malicious bot account by the tone of its messages. They’ll often try to inspire intense emotions, such as excitement, sadness, or rage, and attempt to get users to act or share the post. Do not engage with them, not even to argue their points. When you engage or share these posts with your network, it spreads false information and could dangerously manipulate public opinion.2
Here are a few ways you can take your cybersecurity into your own hands when you can’t be sure that social media sites are looking out for the safety of users’ information:
You can’t trust every company to look out for the safety of your personal information, but one organization you can trust is McAfee. McAfee Total Protection is a comprehensive identity and privacy protection solution for your digital life. Great social media habits go a long way toward keeping you safe online, and you can rest assured knowing that McAfee can fill in the gaps. McAfee Total Protection offers antivirus, identity monitoring, and security freeze in the case your information is leaked in a breach or a bot account gets ahold of key details.
Keep on sharing your life’s milestones with your closest friends and family online. The next time you update your status, flag any suspicious accounts you come across, so everyone can enjoy social media confidently!
1NBC News, “Twitter whistleblower alleges major security issues”
2Journal of Information Technology & Politics, “Harass, mislead & polarize: An analysis of Twitter political bots’ tactics in targeting the immigration debate before the 2018 U.S. midterm election”
The post Here’s How to Steer Clear of Bot Accounts on Social Media appeared first on McAfee Blog.
In a world of contact-free pickup and payments, an old hacker’s trick is getting a new look—phony QR code scams.
QR codes have been around for some time. Dating back to industrial use in the 1990s, QR codes pack high volumes of visual information in a relatively compact space. In that way, a QR code shares many similarities with a barcode, yet a QR code can hold more than 300 times the data of a barcode.
With the rise of the smartphone, QR codes have taken on more consumer applications. Especially in the latter days of the pandemic in the form of contact-free conveniences. Now, by pointing your smartphone’s camera at a QR code, you can order food at a restaurant, pay for parking, download coupons from the shelf at your drugstore or several other convenient things.
Yet as it is in places where people, devices, and money meet, hackers are there with a scam ready to go. Enter the QR code scam. By pointing your smartphone’s camera at a bogus QR code and giving it a scan, hackers can lead people to malicious websites and commit other attacks on their phones.
The good news is that there are several ways you can spot these scams, along with several other ways you can avoid them altogether, all so you can get the best out of QR code convenience without the hassle.
In several ways, the QR code scam works much like any other phishing attack. With a few added wrinkles, of course.
Classically, phishing attacks use doctored links that pose as a legitimate website in the hopes you’ll follow them to a hacker’s malicious website. Once there, that site is designed to trick you into providing your personal information, credit card numbers, and so forth, perhaps in the context of a special offer or a phony account alert. Likewise, it could send you to a site that simply infects your device with malware.
It’s much the same with a QR code, yet here’s are a couple of big differences:
Aside from appearing in emails, direct messages, in social media ads, and such, there are plenty of other places phony QR codes can show up. Here are a few that have been making the rounds in particular:
Scanning a QR code may open a notification on your smartphone screen to follow a link. Like other phishing-type scams, hackers will do their best to make that link look legitimate. They may alter a familiar company name so that it looks like it could have come from that company. Also, they may use link shorteners that take otherwise long web addresses and compress them into a short string of characters—the trick there being that you really have no way of knowing where it will send you simply by looking at it.
In this way, there’s more to using QR codes than simply “point and shoot.” A mix of caution and eagle-eyed consideration is called for to spot the legitimate uses from the malicious ones.
Luckily some very basic rules about avoiding QR code attacks. The U.S. Better Business Bureau (BBB) has put together a great list that can help. Their advice is right on the mark, which we’ve paraphrased and added to here:
1. Don’t open links or scan QR codes from strangers. Unsolicited messages with these links or codes could lead you to a scam site or access the functionality of your smartphone in unwanted ways.
2. Some scams will appear to come from legitimate sources. Double-check and see if it indeed is. You can check the official website to confirm, such as by accessing your account or contacting a customer service rep to follow up on the communication sent to you.
3. Try alternative payment methods. If you receive a bill with a QR code for payment, see if there’s another way to pay it—such as on the company’s website or simply through online bill pay to their known, legitimate address. These are less susceptible to fraud. Likewise, check to see if the requested payment is legitimate in the first place.
4. Think twice about following shortened links. As mentioned above, shortened links can be a shortcut to a malicious website. This can particularly be the case with unsolicited communications. And it can still be the case with a friend or family member if their device or account has been hacked.
5. If someone you know sends you a QR code, also confirm before scanning it. Whether you receive a text message from a friend or a message on social media from your workmate, contact that person directly before you scan the QR code to make sure they haven’t been hacked.
6. Watch out for tampering. Hackers have been known to stick their own QR codes over legitimate ones. If you see any sign of altering or placement that looks slapdash, don’t give that code a scan.
7. Install mobile security. Comprehensive online protection software can protect your mobile devices as well as your computers and laptops. In this case, it can detect bad links associated with QR codes and steer you clear of accessing the malicious sites and downloads associated with them.
QR codes have made transactions smoother and accessing helpful content on our phones much quicker, especially in recent months as they’ve seen an uptick in use. And useful as they are like other means of paying or browsing online, keep an eye open when using them. With this advice as a guide, if something doesn’t feel right, keep your smartphone in your pocket and away from that QR code.
The post Be on the Lookout for a New Wave of QR Code Scams appeared first on McAfee Blog.
Have you ever come across a website that just didn’t look quite right? Perhaps the company logo looked slightly misshapen, or the font seemed off-brand. Odds are, you landed on a phony version of a legitimate corporation’s website—a tried and true tactic relied on by many cybercriminals.
A fake login page is essentially a knock-off of a real login page used to trick people into entering their login credentials, which hackers can later use to break into online accounts. These websites mirror legitimate pages by using company logos, fonts, formatting, and overall templates. Depending on the attention to detail put in by the hackers behind the imposter website, it can be nearly impossible to distinguish from the real thing. Consequentially, fake login pages can be highly effective in their end goal: credential theft.
How do these pages get in front of a consumer in the first place? Typically, scammers will target unsuspecting recipients with phishing emails spoofing a trusted brand. These emails may state that the user needs to reset their password or entice them with a deal that sounds too good to be true. If the consumer clicks on the link in the email, they will be directed to the fake login page and asked to enter their username and password. Once they submit their information, cybercriminals can use the consumer’s data to conduct credential stuffing attacks and hack their online profiles. This could lead to credit card fraud, data extraction, wire transfers, identity theft, and more.
Scammers have recently targeted Canadians with attacks leveraging fake login pages to harvest personal data. For example, criminals preyed on employees who were expecting COVID-19 relief grants in the form of the CERB (Canada Emergency Response Benefit). These funds were sent via an electronic transfer from Interac, a legitimate Canadian interbank network. However, a phishing campaign spoofing Interac’s e-transfer service circulated emails claiming that the Canada Revenue Agency (CRA) made a CERB deposit of $1,957.50 CAD.
These emails directed recipients to a fake CRA login page, which then redirected to a phony Interac e-transfer site where users were asked to select their personal bank. From there, the recipient was asked to enter their username, card number, password, security questions and answers for their online banking profile, and other personally identifiable information—providing all the information a criminal would need to hack into the user’s bank account.
If you Google “fake login pages,” you will quickly find countless guides on how to create fake websites in seconds. Ethical concerns aside, this demonstrates just how common vector spoofed websites are for cyberattacks. While it has been easier to distinguish between real and fake login pages in the past, criminals are constantly updating their techniques to be more sophisticated, therefore making it more difficult for consumers to recognize their fraudulent schemes.
One reason why fake login pages are so effective is due to inattentional blindness, or failure to notice something that is completely visible because of a lack of attention. One of the most famous studies on inattentional blindness is the “invisible gorilla test.” In this study, participants watched a video of people dressed in black and white shirts passing basketballs. Participants were asked to count the number of times the team in white passed the ball:
Because participants were intently focused on counting the number of times the players in white passed the ball, more than 50% failed to notice the person in the gorilla costume walking through the game. If this is the first time you’ve seen this video, it’s likely that you didn’t notice the gorilla, the curtain changing color from red to gold, or the player in black leaving the game. Similarly, if you come across a well-forged login page and aren’t actively looking for signs of fraud, you could inherently miss a cybercriminal’s “invisible gorilla.” That’s why it’s crucial for even those with phishing training to practice caution when they come across a website asking them to take action or enter personal details.
The most important defense against steering clear of fake login pages is knowing how to recognize them. Follow these tips to help you decipher between a legitimate and a fake website:
Most fake login pages are circulated vis phishing messages. If you receive a suspicious message that asks for personal details, there are a few ways to determine if it was sent by a phisher aiming to steal your identity. Phishers often send messages with a tone of urgency, and they try to inspire extreme emotions such as excitement or fear. If an unsolicited email urges you to “act fast!” slow down and evaluate the situation.
Oftentimes, hackers will use a URL for their spoofed website that is just one character off from the legitimate site, such as using “www.rbcr0yalbank.com” versus “www.rbcroyalbank.com.” Before clicking on any website from an email asking you to act, hover over the link with your cursor. This will allow you to preview the URL and identify any suspicious misspellings or grammatical errors before navigating to a potentially dangerous website.
HTTPS, or Hypertext Transfer Protocol Secure, is a protocol that encrypts your interaction with a website. Typically, websites that begin with HTTPS and feature a padlock in the top left corner are considered safer. However, cybercriminals have more recently developed malware toolkits that leverage HTTPS to hide malware from detection by various security defenses. If the website is secured with HTTPS, ensure that this isn’t the only way you’re analyzing the page for online safety.
Multi-factor authentication requires that users confirm a collection of things to verify their identity—usually something they have, and a factor unique to their physical being—such as a retina or fingerprint scan. This can prevent a cybercriminal from using credential-stuffing tactics (where they will use email and password combinations to hack into online profiles) to access your network or account if your login details were ever exposed during a data breach.
An identity theft alert service warns you about suspicious activity surrounding your personal information, allowing you to jump to action before irreparable damage is done. McAfee Total Protection not only keeps your devices safe from viruses but gives you the added peace of mind that your identity is secure, as well.
The post How to Spot Fake Login Pages appeared first on McAfee Blog.
If you recently found yourself looking for a new job, you are far from alone. According to the Institute of Labor Economics, more Canadians were seeking new employment opportunities at the height of the pandemic than during the previous three recessions combined. Job hunters only used to have to worry about the clarity of their cover letters and impressing interviewers. Now, however, a new hurdle is in the mix in the race for a new job: online job scams.
Here are three online job scams that you may encounter, plus a few tips on how to avoid and report them.
Fake job ads trick employment seekers into giving up their financial information. Fake job ads are more likely to appear on free sites, such as Craigslist, but they could be listed anywhere. So, no matter where you are searching, be wary that not everyone is looking for a talented individual such as yourself. They are on the hunt for sensitive personal details.
When you are interviewing for jobs, legitimate employers are careful and intentioned about evaluating your fit for the job. For this reason, employers want to make sure they are not interviewing fake candidates, so they are likely going to want to meet you face-to-face or through a video chat. If an employer extends a job offer after a few email exchanges or an instant messenger job interview, request a more formal meeting. If they say that they would like to move fast and hire quickly, be concerned as no real employer would act that quickly.
Guard your personal and financial information until you are 100% sure of the legitimacy of a job offer. Be on high alert if the “human resources representative” asks for your credit card or banking information to pay for training. Fake employers may also ask for your Social Insurance Number before extending a job offer letter. A great rule of thumb is to never share your SIN with anyone over the phone or over email.
Between March and September 2020, 34% of Canadian respondents reported receiving a phishing message, according to a survey by Statistics Canada. Phishing emails often include malicious links that, when clicked, download malware to your device. Online job scams may not only attempt to steal your sensitive information, but they may also be phishing attempts to take over your personal devices.
Some scammers using job offers as a guise might email people who never applied for a new opportunity. Be careful around these types of messages, urges the University of Calgary. Recruiters will most likely reach out and offer unsolicited interviews through social networking channels rather than email. Also, when you receive emails from people looking to hire you, take note of their email domain name. Is the email domain customized to the company’s name or is it a generic @gmail or @yahoo? Check the spelling of the email domain carefully too. Phishers are notoriously bad spellers and sometimes they use incorrect spelling of domain names to trick people into thinking they are the real company.
Immigrating anywhere is a massive and stressful undertaking. Cybercriminals prey upon this stressful, major life event and target immigrants with enticing, but fake, job offers. The Government of Canada advises to never trust someone who says they can guarantee you a job in Canada. Also, keep an eye on the salary. Is it very high? Do your skills not completely align with the job description? Does the job seem very easy? Unfortunately, that may mean that the offer is too good to be true.
The best way to avoid falling for job scams is to know what you are looking for and to take your time when considering a new job. Check out these tips to outsmart scammers and keep your personal information and devices safe.
Most job applications are submitted online, but if an employer is impressed by your resume, they will likely offer a screening call. When a human resources representative calls, make sure to note their name and ask for the website address of the company. Afterwards, search for the company online and the human resources representative who called you. They should show up together on a professional-looking website or a professional networking site.
Inspect all correspondences you get from potential employers. Phishers often use language that inspires strong emotions and urges a speedy response. Strong emotions could include excitement or fear. If the email says you only have a few hours to respond or else the job will go to someone else, be skeptical. Accepting a job is a huge decision that you should be able to take at least a few days to think about. Read carefully, always hover over links to see where they redirect, and keep a level head when making decisions about your next career move.
When you come across fraudulent activity, it is important that you report it to the correct authorities to stop it from happening to someone else. For immigration and online job scams, contact the Canadian Anti-Fraud Centre.
Phishers and job scammers may have gotten in contact with you with the aim of downloading malicious software on your computer. A comprehensive suite of security tools will protect you from viruses and malware that may have slipped past your eagle eye. McAfee Total Protection offers premium antivirus software, safe web browsing, and PC optimization.
The post Watch Out for These 3 Online Job Scams appeared first on McAfee Blog.
If 2020 has taught us anything, it’s that our ability to think critically about the information we encounter online is now a fundamental life skill we need to learn, practice, and pass on to our offspring. But the actual task of teaching kids how to discern real and fabricated information online these days is easier said than done.
How did the truth get so hard to pin down? In the documentary The Social Dilemma, the answer to that question comes down to two things: Our growing reliance on social media for both human connection and information and the data-based algorithms social networks use to mine and sell data, nurture device dependence, and influence our behavior.
A 2019 Pew Study reveals that 55 percent of US adults get their news from social media either “often” or “sometimes.” A July 2020 Pew Study shows that people who rely on social media for news are less likely to get the facts right about the coronavirus and politics and more likely to hear some unproven claims.
The power of algorithms to deliver customized, manipulative content to a person’s screen is alarming, says Tristan Harris, a former design ethicist at Google, who is featured in The Social Dilemma, adding, “Never before in history have 50 designers made decisions that would have an impact on two billion people.”
On the heels of the recent election, Media Literacy skills will make a difference as false reports are likely to surface in our social feeds in the foreseeable future. For many, the willpower to shut down their social feeds altogether isn’t a viable option. So how do we wade through the veiled forms of manipulation and misinformation taking place all around us online?
One approach is to make a personal commitment to stay alert, slow down, and carefully vet the content you consume, create, or share.
One thing you might consider is making 2021 the year your family masters Media Literacy, a topic we’ve written extensively about on this blog. In short, Media Literacy is the ability to identify different types of content and understand the messages each is sending. Content includes texts, social media memes or posts, videos, television, movies, video games, music, and various other digital content. Reminder: Someone creates each piece of content and that person, group, or company has an agenda or message.
Do I understand all the points of view of this story?
What do I think about this topic or idea?
Am I overly emotional and eager to share this?
Am I being manipulated by this content?
What if I’m wrong?
Lastly, consume all media with thoughtful intention — avoid mindless scrolling and liking. A few other practical ways to fight back against the algorithms we drew from The Social Dilemma: Don’t click on video or content recommendations. Fight back against algorithms by choosing your content. Uninstall social media apps that are not useful and waste your time. Turn off notifications or any other alert that interferes with living life. If an issue has you angry or emotional, stop, breathe, and research the facts before sharing.
The post Helping Your Family Combat Digital Misinformation appeared first on McAfee Blogs.
As the news and conversations leading up to Election Day intensify, and with early voting already in full swing, the flood of misinformation and outright disinformation online continues—and will undoubtedly continue in the days after as the results are tabulated and announced.
Perhaps you’ve seen some instances of it yourself. For instance, one recent news story reported that numerous legitimate social media accounts have shared misinformation about the vote. An example: photos of old, empty election envelopes that were properly disposed of after the 2018 election, used to make the false claim that they were uncounted votes from the 2020 election. It’d be naïve for us to think that postings like this, and others, would suddenly come to a halt on Election Day.
I touched upon this topic in my earlier blog about how misinformation online can undermine our election, yet it’s worthy of underscoring once again. It’s easy for our attention to focus on the days leading up to the election, however, this election stands to be like few others as the high volume of mail-in ballots may keep us from knowing who the certified victor is for possibly weeks after Election Day.
How that timeline plays out in practice remains to be seen, yet we should all prepare ourselves for a glut of continued misinformation and disinformation that aims to cloud the process. Feeds will get filled with it, and it’ll be up to us to make sense of what’s true and what’s false out there.
Sadly, much of onus for fact-checking will fall on us, particularly when 55% of Americans say they “often” or “sometimes” get their news via social media. There are a few reasons why:
• First, social media platforms are new to fact-checking and their processes are still developing, particularly around the transparency of their fact-checking methodology;
• Secondly, corporate leadership of the two major social media platforms have stated differing views about fact checking on their platforms;
• And third, the sheer volume of posts that these platforms pump out in any given day (or minute!) make it difficult to fact-check posts at scale.
Where does that leave us? In unprecedented times.
Historically, we’ve always had to be savvy consumers of news, where a balanced diet of media consumption allowed us to develop a clearer picture of events. Yet now, in a time of unfiltered social media, news comes to us from a multitude of publishers, bloggers, and individuals. And within that mix, it’s difficult to immediately know who the editorial teams behind those stories are—what their intentions, credentials, and leanings are—and if they’re drawing their information from bona fide, verified sources. The result is that we must read and view everything today with an increased level of healthy skepticism.
That takes work, yet my recent blog on How to Spot Fake News and Misinformation in Your Social Media Feed offers you a leg up with several pointers to help you sniff out potential falsehoods.
In addition, here’s a short list of fact-checking resources that you can turn to when something questionable comes up in your feed. Likewise, they make for good browsing even if you don’t have a specific story that you want to check up on. You can keep these handy:
• PolitiFact from the Poynter Institute
• FactCheck.org from the Annenberg Public Policy Center
• AP News Fact Check from the Associated Press
• Reuters Fact Check from Reuters News
• Snopes.com from Snopes Media Group
With the election just days away and a result that may not be declared at the end of Election Day, we all need to scrutinize the news that presents itself to us, particularly on social media. Fact-checking what you see and read, along with cross-referencing it with multiple, reputable sources, will help you get the best information possible—which is absolutely vital when it comes time to cast your ballot.
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Election 2020: Lookout for Fake News Before and After the Election appeared first on McAfee Blogs.
Maybe you’ve seen videos where Robert Downey Jr. and other cast members of The Avengers follow the yellow brick road after they swap faces with the cast of 1939’s The Wizard of Oz. Or how about any of the umpteen videos where the face of actor Nicolas Cage is swapped with, well, everybody, from the cast of Friends to Forrest Gump. They’re funny, uncanny, and sometimes a little too real. Welcome to deepfakes, a technology that can be entertaining, yet one that has election year implications—now and for years to come.
Deepfakes are phoney video or audio recordings that look and sound real, so much so that the best of them can dupe people into thinking they’re the real thing. They’re not unlike those face-swapping apps your children or nieces and nephews may have on their phones, albeit more sophisticated. Less powerful versions of deepfaking software are used by the YouTube channels that create the videos I mentioned above. However, more sophisticated deepfake technologies have chilling repercussions when it comes to public figures, such as politicians.
Imagine creating a video of a public figure where you literally put words into their mouth. That’s what deepfakes effectively do. This can lead to threat tactics, intimidation, and personal image sabotage—and in an election year, the spread of disinformation.
Deepfakes can make you question if what you’re seeing, and hearing, is actually real. In terms of an election year, they can introduce yet another layer of doubt into our discourse—leading people to believe that a political figure has said something that they’ve never said. And, conversely, giving political figures an “out” where they might decry a genuine audio or video clip as a deepfake, when in fact it is not.
The technology and security industries have responded by rolling out their own efforts to detect and uncover deepfakes. Here at McAfee, we’ve launched McAfee Deepfakes Lab, which provides traditional news and social media organizations advanced Artificial Intelligence (AI) analysis of suspected deepfake videos intended to spread reputation-damaging lies about individuals and organizations during the 2020 U.S. election season and beyond.
However, what can you do when you encounter, or think you encounter, a deepfake on the internet? Just like in my recent blog on election misinformation, a few tips on media savvy point the way.
While the technology continually improves, there are still typical telltale signs that a video you’re watching is a deepfake. Creators of deepfakes count on you to overlook some fine details, as the technology today largely has difficulty capturing the subtle touches of their subjects. Take a look at:
This is important. Like I pointed out in my recent article on how to spot fake news and misinformation in your social media feed, deepfake content is meant to stir your emotions—whether that’s a sense of ridicule, derision, outrage, or flat-out anger. While an emotional response to some video you see isn’t a hard and fast indicator of a deepfake itself, it should give you a moment of pause. Listen to what’s being said. Consider its credibility. Question the motives of the producer or poster of the video. Look to additional credible sources to verify that the video is indeed real.
How the person speaks is important to consider as well. Another component of deepfake technology is audio deepfaking. As recently as 2019, fraudsters used audio deepfake technology to swindle nearly $250,000 dollars from a UK-based energy firm by mimicking the voice of its CEO over the phone. Like its video counterpart, audio deepfakes can sound uncannily real, or at least real enough to sow a seed of doubt. Characteristically, the technology has its shortcomings. Audio deepfakes can sound “off,” meaning that it can sound cold, like the normal and human emotional cues have been stripped away—or that the cadence is off, making it sound flat the way a robocall does.
As with all things this election season and beyond, watch carefully, listen critically. And always look for independent confirmation. For more information on our .GOV-HTTPS county website research, potential disinformation campaigns, other threats to our elections, and voter safety tips, please visit our Elections 2020 page: https://www.mcafee.com/enterprise/en-us/2020-elections.html
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Election 2020 – How to Spot Phony Deepfake Videos this Election appeared first on McAfee Blogs.
On September 22nd, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about the potential threat from foreign actors and cybercriminals attempting to spread false information. Their joint public service announcement makes a direct statement regarding how this could affect our election:
“Foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions.”
Their call to action is clear—critically evaluate the content you consume and to seek out reliable and verified information from trusted sources, such as state and local election officials. Not just leading up to Election Day, but during and after as well.
Here’s why: it’s estimated that roughly 75% of American voters will be eligible to vote by mail, potentially leading to some 80 million mail-in ballots being cast. That’s twice the number from the 2016 presidential election, which could prolong the normal certification process. Election results will likely take days, even weeks, to ensure every legally cast ballot is counted accurately so that the election results can ultimately get certified.
That extended stretch of time is where the concerns come in. Per the FBI and CISA:
“Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”
In short, bad actors may attempt to undermine people’s confidence in our election as the results come in.
Our moment to act as smart consumers, and sharers, of online news has never been more immediate.
Before we look at how we can combat the spread of false information this election, let’s see how it cascades across the internet.
It’s been found that false political news traveled deeper and more broadly, reached more people, and was more viral than any other category of false information, according to a Massachusetts Institute of Technology study on the spread of true and false news online, which was published by Science in 2018.
Why’s that so? In a word: people. According to the research findings,
“We found that false news was more novel than true news, which suggests that people were more likely to share novel information … Contrary to conventional wisdom, robots accelerated the spread of true and false news at the same rate, implying that false news spreads more than the truth because humans, not robots, are more likely to spread it.”
Thus, bad actors pick their topics, pumps false information about them into social media channels, and then lets people spread it by way of shares, retweets, and the like—thanks to “novel” and click-baity headlines for content people may not even read or watch, let alone fact check.
Done on a large scale, false information thus can hit millions of feeds, which is what the FBI and CISA is warning us about.
The FBI and CISA recommend the following:
If there’s a common theme across our election blogs so far, it’s trustworthiness.
Knowing which sources are deserving of our trust and being able to spot the ones that are not takes effort—such as fact-checking from reputable sources like FactCheck.org, the Associated Press, and Reuters or researching the publisher of the content in question to review their credentials. Yet that effort it worthwhile, even necessary today. The resources listed in my recent blogs can help:
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Election 2020 – Keep Misinformation from Undermining the Vote appeared first on McAfee Blogs.
Where do you get your news? There’s a good chance much of it comes from social media.
In 2019, Pew Research found that 55% of American adults said they get their news from social media either “often” or “sometimes,” which is an 8% rise over the previous year. We can visualize what that mix might look like. Some of their news on social media may come from information sources they’ve subscribed to and yet more news may appear via articles reposted or retweeted by friends.
So, as we scroll through our feeds and quickly find ourselves awash in a cascade of news and comments on the news, we also find ourselves wondering: what’s true and false here?
And that’s the right question to ask. With the advent of the internet, anyone can become a publisher. That’s one of the internet’s greatest strengths—we can all have a voice. Publishing is no longer limited to newspaper, TV, and radio ownership bodies. Yet it’s one of the internet’s greatest challenges as well—with millions of publishers out there, not everyone is posting the truth. And sometimes, people aren’t doing the posting at all.
For example, last May, researchers at Carnegie Melon University studied more than 200 million tweets about the current virus. Of the top 50 most influential retweeters, 82% of them were bots. Some 62% of the top 1,000 retweeters were bots as well. What were they retweeting? Researchers said the tweets revolved around more than 100 types of inaccurate stories that included unfounded conspiracy theories and phony cures. Researchers cited two reasons for this surge: “First, more individuals have time on their hands to create do-it-yourself bots. But the number of sophisticated groups that hire firms to run bot accounts also has increased.”
With the sheer volume of news and information we wade through each day, you can be assured that degrees of false and misleading information make their way into people’s social media mix. And that calls for all of us to build up our media literacy—which is our ability to critically analyze the media we consume for bias and accuracy.
What follows are a few basics of media literacy that can help you to discern what’s fact and what’s fiction as you scroll through your social media feed for news.
When talking about spotting truth from falsehood on social media, it helps to first define two types of falsehood: unintentional and the deliberate.
First off, there’s unintentional misinformation. We’re only human, and sometimes that means we get things wrong. We forget details, recall things incorrectly, or we pass along unverified accounts that we mistakenly take for fact. Thus, misinformation is wrong information that you don’t know is wrong. An innocent everyday example of this is when someone on your neighborhood Facebook group posts that the drug store closes at 8pm on weeknights when in fact it really closes at 7pm. They believe it closes at 8pm, but they’re simply mistaken.
That differs entirely from deliberate disinformation. This is intentionally misleading information or facts that have been manipulated to create a false narrative—typically with an ulterior motive in mind. The readiest example of this is propaganda, yet other examples also extend to deliberate untruths engineered to discredit a person, group, or institution. In other words, disinformation can take forms both large and small. It can apply to a person just as easily as it can to a major news story.
Now, let’s take a look at some habits and tactics designed to help you get a better grasp on the truth in your social media feed.
Some of the oldest advice is the best advice, and that holds true here: consider the source. Take time to examine the information you come across. Look at its source. Does that source have a track record of honesty and dealing plainly with the facts? Likewise, that source has sources too. Consider them in the same way as well.
Now, what’s the best way to go about that? For one, social media platforms are starting to embed information about publications into posts where their content is shared. For example, if a friend shares an article from The Economist, Facebook now includes a small link in the form of an “i” in a circle. Clicking on this presents information about the publication, which can give you a quick overview of its ownership, when it was founded, and so forth.
Another fact-finding trick comes by way of Michael Caufield, the Director of Blended and Networked Learning at Washington State University. He calls it: “Just Add Wikipedia.” It entails doing a search for a Wikipedia page by using the URL of an information source. For example, if you saw an article published on Vox.com, you’d simply search “Wikipedia www.vox.com.” The Wikipedia entry will give you an overview of the information source, its track record, its ownership, and if it has fired reporters or staff for false reporting. Of course, be aware that Wikipedia entries are written by public editors and contributors. These articles will only be as accurate as the source material that they are drawn from, so be sure to reference the footnotes that are cited in the entry. Reading those will let you know if the entry is informed by facts from reputable sources as well. They may open up other avenues of fact-finding as well!
A single information source or story won’t provide a complete picture. It may only cover a topic from a certain angle or narrow focus. Likewise, information sources are helmed by editors and stories are written by people—all of which have their biases, whether overt or subtle. It’s for this reason that expanding your media diet to include a broader range information sources is so important.
So, see what other information sources have to say on the same topic. Consuming news across a spectrum will expose you to thoughts and coverage you might not otherwise get if you keep your consumption to a handful of sources. The result is that you’re more broadly informed and have the ability to compare and contrast different sources and points of view. Using the tips above, you can find other reputable sources to round out your media diet.
Additionally, for a list of reputable information sources, along with the reasons why they’re reputable, check out “10 Journalism Brands Where You Find Real Facts Rather Than Alternative Facts” published by Forbes and authored by an associate professor at The King’s College in New York City. It certainly isn’t the end all, be all of lists, yet it should provide you with a good starting point.
Has a news story you’ve read or watched ever made you shake your fist at the screen or want to clap and cheer? How about something that made you fearful or simply laugh? Bits of content that evoke strong emotional responses tend to spread quickly, whether they’re articles, a post, or even a tweet. That’s a ready sign that a quick fact check could be in order.
There’s a good reason for that. Bad actors who wish to foment unrest, unease, or simply spread disinformation use emotionally driven content to plant a seed. Whether or not their original story gets picked up and viewed firsthand doesn’t matter to these bad actors. Their aim is to actually get some manner of disinformation out into the ecosystem. They rely on others who will re-post, re-tweet, or otherwise pass it along on their behalf—to the point where the original source of the information is completely lost. This is one instance where people readily begin to accept certain information as fact, even if it’s not factual at all.
Certainly, some legitimate articles will generate a response as well, yet it’s a good habit to do a quick fact check and confirm what you’ve read. This leads us right back to our earlier points about considering the source and cross-checking against other sources of information as well.
You’ve probably seen headlines similar to this before: THIS FAT-BURNING TRICK HAS DOCTORS BAFFLED! You’ll usually spot them in big blocks laden with catchy photos and illustrations, almost to the point that they look like they’re links to other news stories. They’re not. They’re ads, which often strike a sensationalistic tone.
The next time you spot one of these, look around the area of the web page where they’re placed. You should find a little graphic or snippet of text that says “Advertisement,” “Paid Sponsor,” or something similar. And there you go. You spotted some sponsored content. These so-called articles aren’t intentionally developed to misinform you. They are likely trying to bait you into buying something.
However, in some less reputable corners of the web ads like these can take you to malicious sites that install malware or expose you to other threats. Always surf with web browser protection. Good browser protection will either identify such links as malicious right away or prevent your browser from proceeding to the malicious site if you click on such a link.
So, let’s say you’ve been following these practices of media literacy for a while. What do you do when you see a friend posting what appears to be misinformation on their social media account? If you’re inclined to step in and comment, try to be helpful, not right.
We can only imagine how many spoiled relationships and “unfriendings” have occurred thanks to moments where one person comments on a post with the best intentions of “setting the record straight,” only to see tempers flare. We’ve all seen it happen. The original poster, instead of being open to the new information, digs in their heels and becomes that much more convinced of being right on the topic.
One way to keep your friendships and good feelings intact is this: instead of entering the conversation with the intention of being “right,” help people discover the facts for themselves. You can present your information as part of a discussion on the topic. So while you shouldn’t expect this to act like a magic wand that whisks away misinformation, what you can do is provide a path toward a reputable source of information that the original poster, and their friends, can follow if they wish.
Wherever your online travels take you as you read and research the news, be sure to go out there with a complete security suite. In addition to providing virus protection, it will also help protect your identity and privacy as you do anything online. Also look for an option that will protect your mobile devices too, as we spend plenty of time scrolling through our social media feeds on our smartphones.
If you’re interested in learning more about savvy media consumption, pop open a tab and give these articles a read—they’ll give you a great start:
Bots in the Twittersphere: Pew Research
How to Spot Fake News: FactCheck.org
Likewise, keep an eye on your own habits. We forward news in our social media feeds too—so follow these same good habits when you feel like it’s time to post. Make sure that what you share is truthful too.
Be safe, be well-read, and be helpful!
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Spot Fake News and Misinformation in Your Social Media Feed appeared first on McAfee Blogs.
FreshRSS 