
Online Security: Dumb WhatsApp Scam Spreads Malware – Beware

Dumb WhatsApp Scam Spreads Malware, Touting ‘Free Internet’ Without Wi-Fi: Beware

A pretty dumb WhatsApp scam is making the rounds in chain mail form, promising “free internet” without Wi-Fi on an invite-only basis.

First of all, the scam is quite dumb to begin with because the only way to use WhatsApp without Wi-Fi is to have a cellular data connection and WhatsApp cannot offer data – it’s just an app, not a provider.

Secondly, the scam is spreading because it prompts victims to forward the message to 13 friends or five groups on WhatsApp to activate the “free internet.”

How It Works

“As usual, the message spreads via WhatsApp groups or comes from a friend who ‘recommends’ the service – often unaware of it. In this case, you receive a special invitation with a link,” explains the WeLiveSecurity blog of antivirus and security firm ESET.

“You can already get Internet Free Without WI-FI with Whatsapp, and it is by means of invitations, here I give you an invitation,” reads the poorly written message.

Upon clicking on the included link, users are taken to a website mimicking the WhatsApp domain. It detects the device’s language based on the browser settings and invites users to pass along the invitation to more people, ensuring that the scam keeps spreading.

The message also shows fake reviews from fake users, claiming to be incredibly satisfied with this amazing offer. Those users don’t even exist, much like this “free internet” invite-only deal. Don’t fall for it, or you’ll get more than you bargained for – and not in a good way.

Surprise! Malware

After sharing the message with at least 13 people or five groups, users who have fallen victim to this sham end up on various sites where a number of malicious actions can wreak havoc.

According to WeLiveSecurity, such actions range from subscriptions to premium and expensive SMS services to installing third-party apps on the device, all aiming to generate some money for the scammer at the victims’ expense.

Victims will see various offers, but they obviously will not get any “free internet.” The only way to use WhatsApp to communicate with people is to have an active internet connection, be it cellular data or Wi-Fi, and the scam does absolutely nothing to change this reality.

At best, victims waste their time and end up disappointed that the magical chain message didn’t work. At worst, they end up with malicious software on their phones.

How To Avoid Such Scams

First of all, keep in mind that any message that shows up out of the blue, is poorly written and makes seemingly attractive promises is most likely fake and part of a scam. Raising awareness regarding these scams plays a crucial role in limiting their damage and slowing their spread rate.

If you’ve received this “free internet” offer or some other dubious message that looks like a scam, warn the sender and your friends so that they’re aware it’s a scam. Moreover, reporting the fraud is also important and it’s not that big of a hassle – just flag it in your browser as you’d normally report any phishing campaign.

Security and Risk Online – Visa Payment Card Details Guessed in Seconds by Hackers

Card security research

Visa payment card details guessed in seconds by hackers, claims study

Cyber crooks can use computers to make multiple attempts to get confidential data without their illicit efforts being discovered

Fraudsters can take as little as six seconds to guess the details needed to hack a Visa debit or credit card, research has found.

Experts from Newcastle University said it was “frighteningly easy” to do with a laptop and an internet connection.

The hackers use a so-called Distributed Guessing Attack to get around the online security features.

It may have been the method used in the recent Tesco Bank hacking scam, which affected 9,000 customers and cost £2.5m.

The researchers found even if the cyber criminals made multiple – and unsuccessful – attempts to get payment card data, their efforts would not be detected.

It meant the scammers could systematically fire up different variations of security data at hundreds of websites simultaneously and, within seconds, the criminals could use a process of elimination to verify, via computer, the correct details of a card.

PhD student Mohammed Ali said: “This sort of attack exploits two weaknesses that, on their own, are not too severe, but, when used together, present a serious risk to the whole payment system.

“Firstly, the current online payment system does not detect multiple invalid payment requests from different websites.

“This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.

“Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw.

“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.

“So even starting with no details at all other than the first six digits – which tell you the bank and card type and so are the same for every card from a single provider – a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds.”

Responding to the study findings, Visa said: “The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.

“Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally.

“For consumers, the most important thing to remember is that if their card number is used fraudulently, the cardholder is protected from liability.”

The study was published in the academic journal IEEE Security & Privacy.
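
The first weakness described above, invalid payment requests spread across different websites going undetected, is a monitoring gap on the issuer or network side. The following is an added example, not code from the study or the original article, that compares a per-merchant attempt counter with a cross-merchant sliding-window counter over the same decline events. The card tokens, merchant names, thresholds and event tuples are constructed assumptions.

```python
from collections import defaultdict, deque

PER_SITE_LIMIT = 10   # assumed per-merchant cap ("typically 10 or 20 guesses")
WINDOW_SECONDS = 60   # assumed sliding window for the cross-merchant view
GLOBAL_LIMIT = 15     # assumed cap on declines per card, across all merchants

def detect(events):
    """events: iterable of (ts_seconds, card_token, merchant, approved).
    Returns (site_alerts, global_alerts):
      site_alerts   - set of (card, merchant) that exceeded the per-site cap
      global_alerts - {card: (ts, declines_in_window, distinct_merchants)}"""
    per_site = defaultdict(int)
    recent = defaultdict(deque)          # card -> (ts, merchant) of recent declines
    site_alerts, global_alerts = set(), {}
    for ts, card, merchant, approved in sorted(events):
        if approved:
            continue
        # View 1: each merchant counts only what it sees itself.
        per_site[(card, merchant)] += 1
        if per_site[(card, merchant)] > PER_SITE_LIMIT:
            site_alerts.add((card, merchant))
        # View 2: declines for the same card, whichever site sent them.
        q = recent[card]
        q.append((ts, merchant))
        while ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        merchants = {m for _, m in q}
        if len(q) > GLOBAL_LIMIT and len(merchants) > 1 and card not in global_alerts:
            global_alerts[card] = (ts, len(q), len(merchants))
    return site_alerts, global_alerts

def build_sample():
    """Constructed events: tok_A gets 5 declines at each of 8 merchants in
    about 6 seconds; tok_B is a cardholder who mistypes twice, then succeeds."""
    events = [(i * 0.15, "tok_A", f"shop{i % 8}", False) for i in range(40)]
    events += [(1.0, "tok_B", "shop0", False),
               (20.0, "tok_B", "shop0", False),
               (40.0, "tok_B", "shop0", True)]
    return events

if __name__ == "__main__":
    site_alerts, global_alerts = detect(build_sample())
    print("per-merchant alerts:", sorted(site_alerts))
    for card, (ts, n, m) in global_alerts.items():
        print(f"cross-merchant alert: {card} at t={ts:.2f}s, "
              f"{n} declines over {m} merchants")
```

No single merchant sees more than five declines for tok_A, so the per-site view stays silent, while the cross-merchant view flags the card on its sixteenth decline.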